WordPress Jupiter Plugin bug could lead to Privilege Escalation
WordPress security analysts have discovered a set of vulnerabilities impacting the Jupiter Theme and JupiterX Core plugins for WordPress, one of which is a critical privilege escalation flaw. Jupiter is a powerful high-quality theme builder for WordPress sites used by over 90,000 popular blogs, online mags, and platforms that enjoy heavy user traffic.
The details of vulnerability disclosure and patch releases are given below
CVE-2022-1654 – Authenticated Privilege Escalation and Post deletion
This vulnerability allows an authenticated attacker, including a subscriber or customer-level attacker, to gain administrative privileges and completely take over any site running either the Jupiter Theme or JupiterX Core Plugin. The JupiterX Core plugin is required for the JupiterX theme.
The classic Jupiter Theme contains a function, uninstallTemplate, which is intended to reset a site after a template is uninstalled but has the additional effect of elevating the user calling the function to an administrator role.
CVE-2022-1656 – Insufficient Access Control leading to Authenticated Arbitrary Plugin Deactivation and Settings Modification
This allows an attacker to reduce site security or damage functionality. Vulnerable versions of the JupiterX Theme allow any logged-in user, including subscriber-level users, to access any of the functions registered in lib/api/api/ajax.php, which also grants access to the jupiterx_api_ajax_ actions registered by the JupiterX Core Plugin. This includes the ability to deactivate arbitrary plugins as well as update the theme’s API key.
CVE-2022-1657 – Authenticated Path Traversal and Local File Inclusion
This vulnerability could allow an attacker to obtain privileged information, such as nonce values, or perform restricted actions, by including and executing files from any location on the site. Vulnerable versions of the Jupiter and JupiterX Themes allow logged-in users, including subscriber-level users, to perform Path Traversal and Local File inclusion. In the JupiterX theme,
CVE-2022-1658 – Insufficient Access Control leading to Authenticated Arbitrary Plugin Deletion
This vulnerability allows an attacker to reduce site security or damage functionality. Vulnerable versions will allow arbitrary plugin deletion by any authenticated user, including users with the subscriber role, via the abb_remove_plugin AJAX action registered in the framework/admin/control-panel/logic/plugin-management.php file
CVE-2022-1659 – Information Disclosure, Modification, and Denial of Service
This vulnerability allows an attacker to view site configuration and logged-in users, modify postconditions, or perform a DoS attack. Vulnerable versions of the JupiterX Core plugin register an AJAX action jupiterx_conditional_manager which can be used to call any function in the includes/condition/class-condition-manager.php file by sending the desired function to call in the sub_action parameter.
Wordfence Premium, Wordfence Care, and Wordfence Response customers have been protected from these vulnerabilities since April 5, 2022, and free Wordfence users received the same protection on May 4, 2022. It strongly recommends updating to the latest versions of the impacted themes and plugins available immediately.
- Jupiter Theme version 6.10.1 or below, should be updated to version 6.10.2 or higher.
- JupiterX Theme version 2.0.6 or below, should be immediately updated to version 2.0.7 or higher.
- JupiterX Core Plugin version 2.0.7 or below, should be immediately updated it to version 2.0.8 or higher.