WordPress theme Jupiter patches critical privilege escalation flaw


Users urged to update systems amid reports of active exploitation

A critical vulnerability present among 90,000-plus active installations of the Jupiter WordPress theme allows for the takeover of target websites.

Although attackers must be authenticated to exploit the privilege escalation flaw, which has a CVSS score of 9.9, they only need to do so as a subscriber or customer. For websites that allow users to self-register, this offers little protection against potential attacks.

The bug, along with another high-severity vulnerability and a trio of medium-severity flaws, has been patched by the theme’s developer, ArtBees, according to a blog post published on Wednesday (May 18) by Wordfence.

In a blog post published on Wednesday, ‘Plugin Vulnerabilities’ claimed to have seen evidence that hackers were already probing for vulnerable installations, and that some websites had likely already been hacked.

Bug breakdown

The privilege escalation bug (CVE-2022-1654), which affects the Jupiter theme and JupiterX Core plugin, resides in the function.

Because vulnerable versions register AJAX actions but fail to perform capability or (cryptographic) nonce checks, “any logged-in user can elevate their privileges to those of an administrator by sending an AJAX request with the action parameter set to ,” explained Wordfence researcher Ram Gall, who uncovered the flaws.

“This calls the function, which calls the resetWordpressDatabase function, where the site is effectively reinstalled with the currently logged-in user as the new site owner”.

Moreover, “the same functionality can also be accessed by sending an AJAX request with the action parameter set to ”.
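The root cause Wordfence describes is an admin-ajax.php action that any logged-in user can trigger because the handler performs neither a capability nor a nonce check. The following is an added illustration of that pattern beside its hardened form; it is not Jupiter or ArtBees code, and every function and action name in it is hypothetical.

```php
<?php
// Vulnerable pattern (hypothetical names): wp_ajax_{action} fires for every
// authenticated user, including subscribers, and the handler runs a privileged
// operation with no authorization check at all.
add_action( 'wp_ajax_example_reset_site_unchecked', 'example_reset_site_unchecked' );
function example_reset_site_unchecked() {
    example_do_privileged_reset(); // hypothetical privileged operation
    wp_send_json_success();
}

// Hardened pattern: verify the nonce bound to this action, then the caller's
// capability. Both checks are required. A nonce only proves the request came
// from a page the user legitimately loaded; it is not an authorization decision,
// and nonce values can leak (the path traversal flaw on this page is one route).
add_action( 'wp_ajax_example_reset_site', 'example_reset_site_checked' );
function example_reset_site_checked() {
    // Terminates the request with -1 / HTTP 403 when the nonce is missing or invalid.
    check_ajax_referer( 'example_reset_site_nonce', 'nonce' );

    // Authorization: only administrators (manage_options) may reset the site.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    example_do_privileged_reset(); // hypothetical privileged operation
    wp_send_json_success();
}

// The nonce is handed only to the admin-side script, for example when enqueuing it:
// wp_localize_script( 'example-admin', 'exampleAjax', array(
//     'nonce' => wp_create_nonce( 'example_reset_site_nonce' ),
// ) );
```

When auditing a theme or plugin, every `add_action( 'wp_ajax_...' )` and `wp_ajax_nopriv_...` registration should be traced to a handler that contains both of these checks before any state-changing call.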

The high severity issue (CVSS score 8.1), an authenticated path traversal and local file inclusion issue, “could allow an attacker to obtain privileged information, such as nonce values, or perform restricted actions, by including and executing files from any location on the site”.

Tracked as CVE-2022-1657, the vulnerability affects the JupiterX and Jupiter themes.

The medium-severity trio includes a pair of insufficient access control issues leading to authenticated arbitrary plugin deactivation, with one also leading to settings modification (CVE-2022-1656) and the other tracked as CVE-2022-1658. The third is an information disclosure and modification issue that can also cause denial of service (DoS) (CVE-2022-1659).

Updates

Wordfence notified ArtBees of all but one of the flaws on April 5, 2022, and partially patched versions were released on April 28.

ArtBees was alerted to the final vulnerability on May 3 and released comprehensively patched versions on May 10.

The issues have been addressed in Jupiter Theme version 6.10.2, JupiterX theme version 2.0.7, and JupiterX Core version 2.0.8.
