Vulnerability in Premium WordPress

More than 90,000 websites are affected by the privilege escalation bug discovered in the Jupiter Theme and JupiterX Core Plugin. According to researchers, a significant privilege escalation problem discovered in two themes used by over 90,000 WordPress sites can allow threat actors to seize complete control of the websites.

Ramuel Gall, a researcher with the Wordfence Threat Intelligence Group, discovered the issue in the Jupiter and JupiterX Premium WordPress themes between early April and early May, and disclosed it in a blog post published Wednesday.

One of the flaws, tracked as CVE-2022-1654 and rated 9.9 on the CVSS scale, allows “any authorised attacker, including a subscriber or customer-level attacker, to get administrative privileges and fully take over any website using the Jupiter Theme or JupiterX Core Plugin,” he stated. The JupiterX theme requires the plugin to function.

The affected versions are Jupiter Theme 6.10.1 or earlier and JupiterX Core Plugin 2..7 or older.

On April 5, Wordfence completed its analysis of the majority of the flaws and alerted ArtBees, the developer of the Jupiter and JupiterX themes. On May 3, it notified the developer of another Jupiter theme flaw. By May 10, the developer had released updated versions of both the Jupiter and JupiterX themes, which addressed all of the problems.

Critical Vulnerability

The critical flaw was discovered in the uninstallTemplate function, which is supposed to reset a website once a template is uninstalled. However, Gall noted that it “has the additional effect of raising the person contacting the functionality to an administrator job.” In the JupiterX theme, the function is located in the theme itself, and it is present in the JupiterX Core plugin.

“Vulnerable variations do AJAX sign-up steps but do not perform any functionality or nonce checks,” he wrote. On a site with a vulnerable version of the Jupiter Theme installed, any logged-in user can elevate their privileges to those of an administrator by sending an AJAX request with the action parameter set to abb_uninstall_template. This triggers the uninstallTemplate function, which calls the resetWordpressDatabase function, thereby reinstalling the website with the currently logged-in user as the new website owner, according to Gall.

On a site where a vulnerable version of the JupiterX Core plugin is installed, a user can reach the same functionality by submitting an AJAX request with the action parameter set to jupiterx_core_cp_uninstall_template, he reported.
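An added example, not taken from Wordfence's post or from the themes' code: a small Python audit that lists wp_ajax_* registrations whose handler calls neither a nonce check (check_ajax_referer or wp_verify_nonce) nor a capability check (current_user_can), the kind of omission described above. The PHP sample and every demo_* name are constructed, and the brace matching is deliberately naive.

```python
import re

# Constructed PHP sample; not code from the Jupiter or JupiterX themes.
SAMPLE_PHP = r"""<?php
class Demo_Templates {
    public function __construct() {
        add_action('wp_ajax_demo_reset_site', array($this, 'resetSite'));
    }
    public function resetSite() { $this->resetDatabase(); }
}
add_action('wp_ajax_demo_safe_reset', 'demo_safe_reset');
function demo_safe_reset() {
    check_ajax_referer('demo_reset');
    if (!current_user_can('manage_options')) { wp_send_json_error(null, 403); }
    demo_reset_database();
}
add_action('wp_ajax_demo_nonce_only', 'demo_nonce_only');
function demo_nonce_only() { check_ajax_referer('demo_reset'); demo_reset_database(); }
"""

HOOK = re.compile(r"add_action\(\s*['\"]wp_ajax_(\w+)['\"]\s*,\s*(.*?)\)\s*;", re.S)
CHECKS = {"nonce": re.compile(r"\b(?:check_ajax_referer|wp_verify_nonce)\s*\("),
          "capability": re.compile(r"\bcurrent_user_can\s*\(")}

def function_body(source, name):
    """Return the brace-matched body of function `name` (naive: ignores braces in strings)."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", source)
    if not m:
        return None
    depth, i = 1, m.end()
    while depth and i < len(source):
        depth += {"{": 1, "}": -1}.get(source[i], 0)
        i += 1
    return source[m.end():i - 1]

def audit_ajax_handlers(source):
    """Map each wp_ajax_* action to the checks its handler never calls."""
    findings = {}
    for action, callback in HOOK.findall(source):
        # The handler name is the last quoted token: 'fn' or array($this, 'method').
        names = re.findall(r"['\"](\w+)['\"]", callback)
        body = function_body(source, names[-1]) if names else None
        if body is None:
            findings[action] = ["handler not found"]
            continue
        missing = [label for label, rx in CHECKS.items() if not rx.search(body)]
        if missing:
            findings[action] = missing
    return findings

if __name__ == "__main__":
    print(audit_ajax_handlers(SAMPLE_PHP))
```

A handler that delegates its checks to a helper function will be reported as missing them, so treat the output as a review list rather than a verdict.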

Other Vulnerabilities

Plugins for WordPress, which are often created by third-party developers, are notoriously unstable. Past flaws in plugins for the well-known website-creation and -hosting system have allowed for site takeover, as well as allowing WordPress subscribers to completely wipe websites that aren’t theirs, or attackers to forge e-mails to subscribers.

Three of the other flaws discovered by Gall are classed as medium risk (CVE-2022-1656, CVE-2022-1658, and CVE-2022-1659), while one is rated as high risk (CVE-2022-1657).

According to Gall, the high-risk flaw, which affects JupiterX Theme 2.6 or earlier and Jupiter Theme 6.10.1 or earlier, can allow an attacker to get access to privileged information such as nonce values or perform limited actions. This can be accomplished by running files from any location on the website.

“Vulnerable versions of the Jupiter and JupiterX Themes allow logged-in users, as well as subscriber-level users, to perform Path Traversal and Local File Inclusion,” Gall said.

In the JupiterX theme, this can be done by calling the load handle panel pane function through the jupiterx_cp_load_pane_action AJAX action found in the lib/admin/control-panel/handle-panel.php file. “You can use the slug option to include any local PHP file in this move,” Gall stated.

According to him, the Jupiter theme has a similar vulnerability that an attacker can exploit by using the mka_cp_load_pane_action AJAX action from the framework/admin/manage-panel/logic/functions.php file, which calls the mka_cp_load_pane_action function.

Wordfence researchers recommend that anyone using the impacted themes update to the patched versions as soon as possible. On April 5, the company released a firewall rule to protect Wordfence Premium, Wordfence Care, and Wordfence Response customers, with free Wordfence users receiving it on May 4.