WordPress Theme: betheme: CVE-2022-45363: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The Betheme theme for WordPress is vulnerable to authorization bypass that leads to stored Cross-Site Scripting in versions up to, and including, 26.6.2. This is due to a missing capability check on the mfnvb_init_vb() function that initializes the visual editor for the plugin and discloses the plugin's page builder nonces and functionality to an attacker. This makes it possible for authenticated attacks with minimal permissions, such as a subscriber, to trigger the Betheme page editor for any post or page and view the information along with make any changes to the post/page accessed through the editor. This CVE is specific to being able to inject malicious JavaScript into the pages and posts that can be edited by the plugin as a result of the initial missing authorization vulnerability. This is an extension of CVE-2022-45356.