WordPress security analysts have discovered a set of vulnerabilities impacting the Jupiter Theme and JupiterX Core plugins for WordPress, one of which is a critical privilege escalation flaw.
Jupiter is a powerful, high-quality theme builder for WordPress sites used by over 90,000 popular blogs, online magazines, and platforms that enjoy heavy user traffic.
The vulnerability, tracked as CVE-2022-1654 and given a CVSS score of 9.9 (critical), allows any authenticated user on a site using the vulnerable plugins to gain administrative privileges.
After exploiting the vulnerability, attackers may perform unlimited actions on the site, including altering its content, injecting malicious scripts, or completely deleting it.
Any logged-in account, even a simple subscriber or customer on the site, is enough to exploit this vulnerability, so the attack doesn’t have very restrictive prerequisites.
Discovery and fix
According to Wordfence, which discovered the flaw, the problem lies in a function named “uninstallTemplate,” which resets the site after a theme is removed.
This function elevates the calling user’s privileges to admin. It can be reached by sending an AJAX request whose action parameter calls the function, and it runs without a nonce or any other checks, so any logged-in user who sends that request elevates their own privileges.
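As an added illustration (not the Jupiter or JupiterX code, and not taken from Wordfence's report), here is a WordPress AJAX handler that performs the two checks the vulnerable function skipped. The action name, the example_ function names and the reset step are hypothetical.

```php
<?php
// Added example. Everything prefixed example_ is hypothetical.

// Hand the nonce only to users who are allowed to trigger the reset.
function example_uninstall_nonce() {
    return current_user_can( 'manage_options' )
        ? wp_create_nonce( 'example_uninstall_template' )
        : '';
}

// wp_ajax_{action} hooks fire for ANY logged-in user, subscribers and
// customers included, so the handler itself must decide who may proceed.
add_action( 'wp_ajax_example_uninstall_template', 'example_uninstall_template' );

function example_uninstall_template() {
    // 1. Nonce check: the request must carry a valid nonce for this action.
    //    Passing false as the third argument makes check_ajax_referer()
    //    return false instead of dying, so a JSON error can be sent.
    if ( ! check_ajax_referer( 'example_uninstall_template', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
    }

    // 2. Capability check: a nonce is not authorization. Only users who
    //    already hold an administrative capability may reset the site.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. The privileged work runs only after both checks pass. The caller is
    //    already an administrator, so no role change is needed anywhere.
    //    remove_theme_mods() is a stand-in for the real reset logic.
    remove_theme_mods();

    wp_send_json_success();
}
```

Both wp_send_json_error() calls end the request, so a subscriber-level account never reaches the reset step.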
The Wordfence Threat Intelligence team discovered the issue on April 5, 2022, and notified the plugin developer with full technical details.
On April 28, 2022, the vendor released a partial fix for the impacted plugins. Then, on May 10, 2022, Artbees released another security update that addressed the issues thoroughly.
The versions impacted by CVE-2022-1654 are Jupiter Theme version 6.10.1 and older (fixed in 6.10.2), JupiterX Theme version 2.0.6 and older (fixed in 2.0.7), and JupiterX Core Plugin version 2.0.7 and older (fixed in 2.0.8).
The only way to address the security problems is to update to the latest available versions as soon as possible or deactivate the plugin and replace your site’s theme.
During this security investigation, Wordfence discovered additional, albeit less severe, flaws that were fixed with the mentioned security updates on May 10, 2022. These flaws are:
- CVE-2022-1656: Medium severity (CVSS score: 6.5) arbitrary plugin deactivation and settings modification.
- CVE-2022-1657: High severity (CVSS score: 8.1) path traversal and local file inclusion.
- CVE-2022-1658: Medium severity (CVSS score: 6.5) arbitrary plugin deletion.
- CVE-2022-1659: Medium severity (CVSS score: 6.3) information disclosure, modification, and denial of service.
These additional four vulnerabilities require authentication to be exploited, and they too are accessible to site subscribers and customers, but their consequences aren’t as damaging.