A brand-new WordPress vulnerability (several, in fact) was discovered recently by the security team over at Wordfence.
Wordfence has reported that as of April 2022, a number of vulnerabilities have been detected and reported in the Jupiter and JupiterX Premium WordPress Themes.
The critical privilege escalation vulnerability affects Jupiter themes, JupiterX premium themes, along with the required JupiterX Core companion plugin.
This type of vulnerability allows basically anyone who is logged in as a user to become an administrator.
This privilege escalation would quickly allow any bad actor to take over a website completely and do whatever they want, from adding links to anything else.
Why Is This Vulnerability So Nasty?
If an attacker somehow obtains even a subscriber- or customer-level account, they can gain administrative privileges and completely take over any site that is running the Jupiter Theme or the JupiterX Core Plugin.
The Core Plugin is a required component of the JupiterX theme.
Wordfence explains:
On a site with a vulnerable version of the Jupiter Theme installed, any logged-in user can elevate their privileges to those of an administrator by sending an AJAX request with the action parameter set to abb_uninstall_template. This calls the uninstallTemplate function, which calls the resetWordpressDatabase function, where the site is effectively reinstalled with the currently logged-in user as the new site owner.
On a site where a vulnerable version of the JupiterX Core plugin is installed, the same functionality can also be accessed by sending an AJAX request with the action parameter set to jupiterx_core_cp_uninstall_template.
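As an added example (not part of Wordfence's write-up or the theme's code), the Python below scans web-server access-log lines for requests to WordPress's admin-ajax.php endpoint that carry either of the two action names named above, so a site owner can check whether this privilege-escalation path was exercised before the update was applied. The log lines are constructed samples, and the Apache/Nginx combined log layout is an assumption.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# The two AJAX action names quoted from the Wordfence write-up above.
SUSPECT_ACTIONS = {"abb_uninstall_template", "jupiterx_core_cp_uninstall_template"}

# Combined log format (assumed layout): ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def suspicious_action(path: str, body: str = "") -> Optional[str]:
    """Return the suspect action name if the request targets admin-ajax.php
    with one of the uninstall-template actions (in the query string or, when a
    WAF/request log captured it, the POST body); otherwise return None."""
    url = urlsplit(path)
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(url.query)
    params.update(parse_qs(body))
    for action in params.get("action", []):
        if action in SUSPECT_ACTIONS:
            return action
    return None

def scan_log(lines):
    """Return one record per log line that hit a suspect action."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        action = suspicious_action(m.group("path"))
        if action:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "action": action, "status": int(m.group("status"))})
    return hits

# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2022:10:15:01 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 83
203.0.113.7 - - [12/Apr/2022:10:15:09 +0000] "POST /wp-admin/admin-ajax.php?action=abb_uninstall_template HTTP/1.1" 200 12
198.51.100.4 - - [12/Apr/2022:10:16:22 +0000] "GET /wp-admin/admin-ajax.php?action=jupiterx_core_cp_uninstall_template HTTP/1.1" 200 12
198.51.100.4 - - [12/Apr/2022:10:17:00 +0000] "GET /index.php HTTP/1.1" 200 5120
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit)
```

Plain access logs only record the query string, so a request that sends the action in the POST body will not show up here; pass the captured body to suspicious_action when a WAF or request log provides it.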
Other Vulnerabilities Discovered
There were a number of threats discovered as part of this group of vulnerabilities, including:
- Insufficient Access Control leading to Authenticated Arbitrary Plugin Deactivation and Settings Modification
- Authenticated Path Traversal and Local File Inclusion
- Insufficient Access Control leading to Authenticated Arbitrary Plugin Deletion
- Information Disclosure, Modification, and Denial of Service
Insufficient Access Control leading to Authenticated Arbitrary Plugin Deactivation and Settings Modification
CVSS score: 6.5 (Medium)
This particular vulnerability gives an attacker a way to reduce site security or damage the site’s functionality.
Wordfence explains:
Authenticated Path Traversal and Local File Inclusion
CVSS score: 8.1 (High)
This vulnerability allows an authenticated attacker to obtain information that is considered privileged, such as nonce values, and to perform restricted actions, by including and executing files from any location on the site.
Wordfence explains:
Insufficient Access Control leading to Authenticated Arbitrary Plugin Deletion
CVSS score: 6.5 (Medium)
Wordfence explains:
Information Disclosure, Modification, and Denial of Service
CVSS score: 6.3 (Medium)
Wordfence explains:
Recommended: Update Your Plugins And Themes
It is highly recommended that you update your plugins and themes to their latest versions. Doing so ensures that you receive the files that have been patched against these vulnerabilities.