WordPress security analysts have discovered a set of vulnerabilities affecting the Jupiter Theme and JupiterX Core plugins for WordPress, one of which is a critical privilege escalation flaw.
Jupiter is a powerful, high-quality theme builder for WordPress sites used by over 90,000 popular blogs, ezines, and platforms with high user traffic.
The vulnerability, identified as CVE-2022-1654 and given a CVSS score of 9.9 (critical), allows any authenticated user on a site using the vulnerable plugins to gain administrative privileges.
After exploiting the vulnerability, attackers can perform unlimited actions on the site, including modifying its content, injecting malicious scripts, or deleting it completely.
An attacker needs only a low-privileged account on the site, such as a subscriber or customer, to exploit this vulnerability, so the prerequisites for the attack are not very restrictive.
Discovery and correction
According to Wordfence, which discovered the flaw, the problem lies with a function called “uninstallTemplate”, which resets the site after deleting a theme.
This function elevates the calling user’s privileges to administrator, so if a logged-in user sends an AJAX request whose action parameter invokes the function, their privileges are elevated without any nonce or other check being enforced.
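To make the missing checks concrete, here is an added illustration in PHP (not the Jupiter or JupiterX code, and with hypothetical names) of a WordPress AJAX handler in the unsafe shape the article describes, followed by the same handler with the nonce and capability checks it should have had.

```php
<?php
// Added illustration, not code from the Jupiter/JupiterX plugins: a WordPress
// AJAX handler of the shape the article describes, shown first as the unsafe
// pattern and then with the checks CVE-2022-1654 was missing.
// All function and action names here are hypothetical.

// Unsafe pattern. WordPress routes admin-ajax.php requests from any logged-in
// user to wp_ajax_{action}, so a handler that performs a privileged operation
// without a nonce or capability check is reachable by every subscriber-level
// account.
add_action( 'wp_ajax_example_uninstall_template', 'example_uninstall_template_unsafe' );
function example_uninstall_template_unsafe() {
    example_reset_site_after_theme_removal(); // privileged work, no checks at all
    wp_send_json_success();
}

// Hardened pattern: the same operation, gated the way an admin-only action
// should be.
add_action( 'wp_ajax_example_uninstall_template_v2', 'example_uninstall_template_safe' );
function example_uninstall_template_safe() {
    // 1. CSRF protection: the request must carry a nonce minted for this action
    //    (the admin page offering the button creates it with
    //    wp_create_nonce( 'example_uninstall_template' )). check_ajax_referer()
    //    terminates the request with a 403 response when the nonce is invalid.
    check_ajax_referer( 'example_uninstall_template', 'nonce' );

    // 2. Authorization: a nonce proves intent, not privilege, so the capability
    //    is checked explicitly. Removing themes is an administrator task.
    if ( ! current_user_can( 'delete_themes' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // 3. The handler does its job and nothing else: it must never change the
    //    calling user's role as a side effect of doing that job.
    example_reset_site_after_theme_removal();
    wp_send_json_success();
}

// Stand-in for the privileged operation (hypothetical): delete the theme,
// reset the relevant options, and so on.
function example_reset_site_after_theme_removal() {
}
```

Both checks are needed: the nonce alone would still let any logged-in user who can load the page that mints it call the handler, and the capability check alone would leave the action open to cross-site request forgery against an administrator.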
The Wordfence Threat Intelligence team discovered the issue on April 5, 2022 and informed the plugin developer with all the technical details.
On April 28, 2022, the vendor released a partial fix for the affected plugins. Then, on May 10, 2022, Artbees released another security update that fixed the issues in depth.
Versions impacted by CVE-2022-1654 are Jupiter Theme version 6.10.1 and earlier (fixed to 6.10.2), JupiterX Theme version 2.0.6 and earlier (fixed to 2.0.7) and JupiterX Core Plugin version 2.0.7 and earlier (fixed to 2.0.8).
The only way to address these issues is to update to the fixed versions as soon as possible, or to disable the plugin and replace the site’s theme.
During this security investigation, Wordfence discovered additional vulnerabilities, although less serious, which were fixed with the mentioned security updates on May 10, 2022. These vulnerabilities are:
- CVE-2022-1656: medium severity (CVSS score: 6.5), arbitrary plugin deactivation and settings modification.
- CVE-2022-1657: high severity (CVSS score: 8.1), path traversal and local file inclusion.
- CVE-2022-1658: medium severity (CVSS score: 6.5), arbitrary plugin removal.
- CVE-2022-1659: medium severity (CVSS score: 6.3), information disclosure, modification and denial of service.
These four additional vulnerabilities require authentication to be exploited, and they are likewise reachable from subscriber- and customer-level accounts, but their consequences are not as damaging.