SEO

WordPress Vulnerability Affects Jupiter, JupiterX Premium Themes – Could Impact Over 160,000 sites

iloveseo / SEO / WordPress Vulnerability Affects Jupiter, JupiterX Premium Themes – Could Impact Over 160,000 sites
Brian Harnish May 18, 2022

A brand-new WordPress vulnerability – several, in fact, were discovered recently by the security team over at Wordfence.

Wordfence has reported that as of April, 2022, a number of vulnerabilities have been detected and reported in the Jupiter and JupiterX Premium WordPress Themes.

The critical privilege escalation vulnerability affects Jupiter themes, JupiterX premium themes, along with the required JupiterX Core companion plugin.

This type of vulnerability allows basically anyone – who is logged in as a user – to become an administrator.

This privilege escalation would quickly allow any bad actor to take over a website completely, and do whatever they want to do: add links, whatever they want.

Why Is This Vulnerability So Nasty?

If someone were to become, somehow, a subscriber or a customer-level attacker, they can gain administrative privileges and completely take over any site that is running the Jupiter Theme or the JupiterX Core Plugin.

The Core Plugin is a required component of the JupiterX theme.

Wordfence explains:

The classic Jupiter Theme contains a function, uninstallTemplate, which is intended to reset a site after a template is uninstalled, but has the additional effect of elevating the user calling the function to an administrator role. In JupiterX, this functionality has been migrated to the JupiterX Core plugin. Vulnerable versions register AJAX actions but do not perform any capability checks or nonce checks.

On a site with a vulnerable version of the Jupiter Theme installed, any logged-in user can elevate their privileges to those of an administrator by sending an AJAX request with the action parameter set to abb_uninstall_template. This calls the uninstallTemplate function, which calls the resetWordpressDatabase function, where the site is effectively reinstalled with the currently logged-in user as the new site owner.

On a site where a vulnerable version of the JupiterX Core plugin is installed, the same functionality can also be accessed by sending an AJAX request with the action parameter set to jupiterx_core_cp_uninstall_template.

Other Vulnerabilities Discovered

There were a number of threats discovered as part of this group of vulnerabilities, including:

  • Insufficient Access Control leading to Authenticated Arbitrary Plugin Deactivation and Settings Modification
  • Authenticated Path Traversal and Local File Inclusion
  • Insufficient Access Control leading to Authenticated Arbitrary Plugin Deletion
  • Information Disclosure, Modification, and Denial of Service

Insufficient Access Control leading to Authenticated Arbitrary Plugin Deactivation and Settings Modification

CVSS score: 6.5 (Medium)

This particular vulnerability gives an attacker a way to reduce site security or damage the site’s functionality.

Wordfence explains:

Vulnerable versions of the JupiterX Theme allow any logged-in user, including subscriber-level users, to access any of the functions registered in lib/api/api/ajax.php, which also grant access to the jupiterx_api_ajax_ actions registered by the JupiterX Core Plugin. This includes the ability to deactivate arbitrary plugins as well as update the theme’s API key.

Authenticated Path Traversal and Local File Inclusion

CVSS score: 8.1 (High)

This vulnerability allows any attacker to get information that’s considered privileged – things like nonce values, for example. It can also give the attacker permission to perform restricted actions. This is done by including and executing files from any site location.

Wordfence explains:

Vulnerable versions of the Jupiter and JupiterX Themes allow logged-in users, including subscriber-level users, to perform Path Traversal and Local File inclusion. In the JupiterX theme, the jupiterx_cp_load_pane_action AJAX action present in the lib/admin/control-panel/control-panel.php file calls the load_control_panel_pane function. It is possible to use this action to include any local PHP file via the slug parameter. The Jupiter theme has a nearly identical vulnerability which can be exploited via the mka_cp_load_pane_action AJAX action present in the framework/admin/control-panel/logic/functions.php file, which calls the mka_cp_load_pane_action function.

Insufficient Access Control leading to Authenticated Arbitrary Plugin Deletion

CVSS score: 6.5 (medium)

Wordfence explains:

Vulnerable versions of the Jupiter Theme allow arbitrary plugin deletion by any authenticated user, including users with the subscriber role, via the abb_remove_plugin AJAX action registered in the framework/admin/control-panel/logic/plugin-management.php file. Using this functionality, any logged-in user can delete any installed plugin on the site.

Information Disclosure, Modification, and Denial of Service

CVSS score: 6.3 (medium)

Wordfence explains:

Vulnerable versions of the JupiterX Core plugin register an AJAX action jupiterx_conditional_manager which can be used to call any function in the includes/condition/class-condition-manager.php file by sending the desired function to call in the sub_action parameter.

Recommended: Update Your Plugins And Themes

It is highly recommended that you update your plugins and themes to their latest versions. Doing so will ensure that you receive files that have been patched against the latest attacks.

Brian Harnish

Brian Harnish

Brian started his journey in SEO in 1998, back in the days of AltaVista, Yahoo and Lycos. He taught himself web development and coding with Notepad and learned how to create graphics...

Read Full Bio

Recent Articles

Skills Every SEO Pro Needs for Success
seo skills building i love seo 2 seo skills building i love seo 2
Optimizing Your Blog Post Format for Better Search Engine Success
SEO Benchmarks: What Are They & Which Ones Actually Matter
Proven Methods to Secure First-Page Rankings in 2023
Revolutionizing Your Seo Strategy With Entity-Based Optimization
Privacy
About Us
Contact Us
Free Resources

Copyright © 2021 - 2024 iloveseo.com All Rights Reserved. | Sitemap