Users urged to update systems amid reports of active exploitation

UPDATED A critical vulnerability present among 90,000-plus active installations of the Jupiter WordPress theme allows for the takeover of target websites.

Although attackers must be authenticated to exploit the privilege escalation flaw, which has a CVSS score of 9.9, they only need to do so as a subscriber or customer. For websites that allow users to self-register, this offers little protection against potential attacks.

The bug, along with another high-severity vulnerability and a trio of medium-severity flaws, has been patched by the theme’s developer, ArtBees, according to a blog post published on Wednesday (May 18) by Wordfence.




In a blog post published on Wednesday, ‘Plugin Vulnerabilities’ claimed to have seen evidence that hackers were already probing for vulnerable installations, and that some websites had likely already been hacked. 

Bug breakdown

The privilege escalation bug (CVE-2022-1654), which affects the Jupiter theme and JupiterX Core plugin, resides in the uninstallTemplate function.

Because vulnerable versions register AJAX actions but fail to perform capability or (cryptographic) nonce checks, “any logged-in user can elevate their privileges to those of an administrator by sending an AJAX request with the action parameter set to abb_uninstall_template,” explained Wordfence researcher Ram Gall, who uncovered the flaws.

“This calls the uninstallTemplate function, which calls the resetWordpressDatabase function, where the site is effectively reinstalled with the currently logged-in user as the new site owner”.

Moreover, “the same functionality can also be accessed by sending an AJAX request with the action parameter set to jupiterx_core_cp_uninstall_template”.

The high severity issue (CVSS score 8.1), an authenticated path traversal and local file inclusion issue, “could allow an attacker to obtain privileged information, such as nonce values, or perform restricted actions, by including and executing files from any location on the site”.

Tracked as CVE-2022-1657, the vulnerability affects the JupiterX and Jupiter themes.

The medium-severity trio includes a pair of insufficient access control issues that lead to authenticated arbitrary plugin deactivation: one, which also leads to settings modification, is tracked as CVE-2022-1656, and the other as CVE-2022-1658. The third is an information disclosure, modification and denial-of-service (DoS) issue (CVE-2022-1659).

Updates

Wordfence notified ArtBees of all but one of the flaws on April 5, 2022, and partially patched versions were released on April 28.

ArtBees was alerted to the final vulnerability on May 3 and released comprehensively patched versions on May 10.

The issues have been addressed in Jupiter Theme version 6.10.2, JupiterX theme version 2.0.7, and JupiterX Core version 2.0.8.

“Right after installing Jupiter X Core plugin (v.16.2) you can upgrade it to the latest version,” ArtBees told The Daily Swig. “Please use the internal updater to do that. We will publish the JX Core on WP.org soon.”
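An added example, not code from Wordfence or ArtBees: a Python check that reads the `Version:` field from a theme's `style.css` or a plugin's main PHP file and compares it numerically against the fixed versions listed above. The component labels, function names and sample headers are constructed for illustration.

```python
import re

# Fixed versions exactly as listed in the article.
FIXED = {
    "Jupiter theme": (6, 10, 2),
    "JupiterX theme": (2, 0, 7),
    "JupiterX Core plugin": (2, 0, 8),
}

# WordPress reads "Version:" from the header comment in the first 8 KB of the file.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)

def header_version(text):
    """Return the Version header value, or None if there is none."""
    m = VERSION_RE.search(text[:8192])
    return m.group(1) if m else None

def parse_version(version):
    """'6.10.2' -> (6, 10, 2); stops at the first non-numeric part."""
    parts = []
    for piece in version.split("."):
        if not piece.isdecimal():
            break
        parts.append(int(piece))
    return tuple(parts)

def is_patched(component, version):
    """Compare numerically: as strings, '6.9.1' would sort above '6.10.2'."""
    got = parse_version(version)
    got += (0,) * (3 - len(got))  # treat '7.0' as 7.0.0
    return got >= FIXED[component]

def audit(headers):
    """Map component -> (version, 'patched' | 'vulnerable' | 'unknown')."""
    report = {}
    for component, text in headers.items():
        version = header_version(text)
        if version is None or not parse_version(version):
            status = "unknown"
        else:
            status = "patched" if is_patched(component, version) else "vulnerable"
        report[component] = (version, status)
    return report

# Constructed sample headers, not taken from real installations.
SAMPLE = {
    "Jupiter theme": "/*\nTheme Name: Jupiter\nVersion: 6.9.1\n*/\n",
    "JupiterX theme": "/*\nTheme Name: JupiterX\nVersion: 2.0.7\n*/\n",
    "JupiterX Core plugin": "<?php\n/**\n * Plugin Name: Jupiter X Core\n */\n",
}
```

Pass `audit()` a dict mapping each component label to the text of its header file; a header with no parsable version is reported as `unknown` rather than assumed safe.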


This article was updated on May 23 with additional patching advice from ArtBees

