A critical vulnerability in the Jupiter WordPress theme, which has over 90,000 active installations, allows target websites to be taken over through privilege escalation.
Privilege Escalation
The privilege escalation problem, which has a CVSS score of 9.9, requires attackers to be authenticated, but only as a subscriber or customer. This provides minimal protection against potential attacks for websites that allow users to self-register.
According to a blog post published on Wednesday (May 18) by Wordfence, the bug, along with another high severity vulnerability and a trio of medium severity vulnerabilities, has been patched by the theme’s creator, ArtBees.
Vulnerabilities
‘Plugin Vulnerabilities’ claimed to have seen proof that hackers were already looking for weak installations and that some websites had likely already been compromised in a blog post published on
The privilege escalation flaw (CVE-2022-1654) lies in the uninstallTemplate function and affects the Jupiter theme and the JupiterX Core plugin.
Any logged-in user can elevate their capabilities to those of an administrator by sending an AJAX call with the action parameter set to abb_uninstall_template, explained Wordfence researcher Ram Gall, who discovered the issues.
This invokes the uninstallTemplate function, which in turn invokes the resetWordpressDatabase function, effectively reinstalling the site with the currently logged-in user as the new site owner.
The same capability may also be obtained by submitting an AJAX call with the action parameter set to jupiterx_core_cp_uninstall_template, according to the documentation.
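Because the two vulnerable code paths are reached through admin-ajax.php with a known action parameter, a site owner who cannot patch immediately can at least look for that traffic in their web server logs. The following is an added example, not code from the article or from Wordfence or ArtBees: it parses a few constructed Apache/Nginx combined-format access log lines, flags requests to admin-ajax.php whose action matches either name given above (the first one is read as snake_case, abb_uninstall_template, from the spaced-out spelling in the article), and counts hits per client address. Everything in the sample log is made up for the demonstration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# The two AJAX action names described in the article. The first is the
# article's "abb uninstall template" read as a snake_case identifier.
WATCHED_ACTIONS = {
    "abb_uninstall_template",
    "jupiterx_core_cp_uninstall_template",
}

# Minimal combined-log-format pattern: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Split one access-log line into its fields; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["path"])
    entry["script"] = parts.path            # e.g. /wp-admin/admin-ajax.php
    entry["query"] = parse_qs(parts.query)  # e.g. {"action": ["heartbeat"]}
    return entry


def is_suspicious(entry):
    """True when the request targets admin-ajax.php with a watched action."""
    if entry is None:
        return False
    if not entry["script"].endswith("/wp-admin/admin-ajax.php"):
        return False
    return any(a in WATCHED_ACTIONS for a in entry["query"].get("action", []))


def scan(lines):
    """Return (matching entries, hit count per client IP) for the given lines."""
    hits = [e for e in (parse_line(l) for l in lines) if is_suspicious(e)]
    return hits, Counter(h["ip"] for h in hits)


# Constructed sample log: two watched actions from one client, one benign
# heartbeat call, one ordinary page view, and one line that is not a log entry.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/May/2022:10:00:01 +0000] '
    '"GET /wp-admin/admin-ajax.php?action=abb_uninstall_template HTTP/1.1" 200 512',
    '203.0.113.7 - - [18/May/2022:10:00:03 +0000] '
    '"POST /wp-admin/admin-ajax.php?action=jupiterx_core_cp_uninstall_template HTTP/1.1" 200 77',
    '198.51.100.2 - - [18/May/2022:10:00:05 +0000] '
    '"POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88',
    '198.51.100.2 - - [18/May/2022:10:00:09 +0000] "GET /?p=123 HTTP/1.1" 200 9001',
    'not a log line',
]

if __name__ == "__main__":
    hits, per_ip = scan(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} action={h["query"]["action"][0]}')
    print("hits per client:", dict(per_ip))
```

One caveat a practitioner should keep in mind: the action parameter is often sent in a POST body rather than the query string, and standard access logs do not record request bodies. A check like this catches the GET form and any POST that also puts the action in the URL, so it complements rather than replaces patching to the fixed versions.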
The high severity problem (CVSS score 8.1) is an authenticated path traversal and local file inclusion issue. It could allow an attacker to obtain privileged information, such as nonce values, or to perform limited actions by including and executing files from any location on the site.
Escalation Identified
The vulnerability, identified as CVE-2022-1657, affects the JupiterX and Jupiter themes.
Two medium severity insufficient access control flaws allow authenticated users to deactivate arbitrary plugins; one of them (CVE-2022-1656) additionally allows settings to be changed, and the other is tracked as CVE-2022-1658. The third medium severity problem (CVE-2022-1659) involves information exposure and manipulation as well as denial of service.
On April 5, 2022, Wordfence notified ArtBees of all but one of the weaknesses, and on April 28, partially patched versions were released.
On May 3, ArtBees was notified of the final vulnerability, and on May 10, they issued fully patched versions.
Jupiter Theme version 6.10.2, JupiterX theme version 2.0.7, and JupiterX Core version 2.0.8 all fix the issues.