WEBSITE 2 DESIGN

Security Alert: Jupiter & JupiterX Premium Themes Have a Critical Privilege Escalation Vulnerability - May 2022

May 18, 2022

Affected Software: Jupiter Theme and JupiterX Core Plugin

Fully Patched Versions: Jupiter Theme 6.10.2 and JupiterX Core Plugin 2.0.8

The Wordfence Threat Intelligence team initiated the responsible disclosure process on April 5, 2022, for a set of high-severity vulnerabilities in the Jupiter and JupiterX themes and their required JupiterX Core companion plugin for WordPress, including a critical privilege escalation vulnerability that allowed any authenticated user to become an administrator.

The theme developer, ArtBees, replied quickly and the Wordfence team sent over the full disclosure on the same day.

On May 10, 2022, the developer made fully patched versions of all vulnerable components available for download.

Since the patched versions remove these vulnerabilities, we strongly recommend updating as soon as possible to avoid losing control of your website.

Patched Version Update

If you are using the classic Jupiter theme, you should update to at least version v6.10.2.
If you are using the JupiterX theme, you should update to at least version v2.0.8 of the JupiterX Core plugin and at least v2.0.7 of the JupiterX theme, which are the latest versions available at the time of this writing.

Description: Authenticated Privilege Escalation and Post Deletion

Affected Software: Jupiter Theme and JupiterX Core Plugin

Slug(s): jupiter (theme), jupiterx-core (plugin)

Developer: ArtBees

Affected Versions: Jupiter Theme <= 6.10.1 and JupiterX Core Plugin <= 2.0.7

CVE ID: CVE-2022-1654

CVSS score: 9.9 (Critical)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Researcher(s): Ramuel Gall

Fully Patched Versions: Jupiter Theme 6.10.2 and JupiterX Core Plugin 2.0.8

Vulnerability Explained

This vulnerability allows any authenticated attacker, including a subscriber or customer-level user, to gain administrative privileges and completely take over any site running a vulnerable version of either the Jupiter Theme or the JupiterX Core plugin. The JupiterX Core plugin is required for the JupiterX theme.

The classic Jupiter Theme contains a function, uninstallTemplate, which is intended to reset a site after a template is uninstalled, but has the additional effect of elevating the user calling the function to an administrator role. In JupiterX, this functionality has been migrated to the JupiterX Core plugin. Vulnerable versions register AJAX actions but do not perform any capability checks or nonce checks.

On a site with a vulnerable version of the Jupiter Theme installed, any logged-in user can elevate their privileges to those of an administrator by sending an AJAX request with the action parameter set to abb_uninstall_template. This calls the uninstallTemplate function, which calls the resetWordpressDatabase function, where the site is effectively reinstalled with the currently logged-in user as the new site owner.

On a site where a vulnerable version of the JupiterX Core plugin is installed, the same functionality can also be accessed by sending an AJAX request with the action parameter set to jupiterx_core_cp_uninstall_template.
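As an added example for this page (illustrative code, not Jupiter's, JupiterX's or ArtBees' own), the following contrasts an AJAX handler written the way the advisory describes, with no capability check and no nonce check, against a hardened version of the same handler. The jx_example_* function and hook names and the reset stub are assumptions made for the example; the WordPress functions used are real. The same missing checks underlie the plugin deactivation and deletion issues described below.

```php
<?php
/**
 * Added example for this page; not Jupiter/JupiterX or ArtBees code.
 * The jx_example_* names and the reset stub are hypothetical. add_action(),
 * the wp_ajax_* hooks, current_user_can(), check_ajax_referer(),
 * wp_create_nonce(), wp_localize_script() and wp_send_json_*() are real
 * WordPress APIs.
 */

/*
 * 1. The vulnerable shape. wp_ajax_* hooks fire for every logged-in account,
 *    subscribers included, and this callback asks no questions before doing
 *    destructive work. A subscriber reaches it with a plain POST to
 *    wp-admin/admin-ajax.php carrying action=jx_example_reset_unsafe
 *    (the advisory's real action names are abb_uninstall_template and
 *    jupiterx_core_cp_uninstall_template).
 */
add_action( 'wp_ajax_jx_example_reset_unsafe', 'jx_example_reset_unsafe' );
function jx_example_reset_unsafe() {
    jx_example_reset_site( get_current_user_id() ); // no capability check, no nonce check
    wp_die();
}

/*
 * 2. The hardened shape. Two separate controls, because they stop different
 *    attackers:
 *    - current_user_can( 'manage_options' ) is the authorization check; it is
 *      what actually stops a subscriber. A nonce is NOT authorization: any
 *      user who can obtain a nonce (e.g. from a page that prints one) would
 *      pass a nonce-only check.
 *    - check_ajax_referer() is the CSRF check; it stops a third-party page
 *      from making a logged-in administrator's browser fire the action.
 *    The hook stays wp_ajax_ only: with no wp_ajax_nopriv_ twin, anonymous
 *    requests never reach the callback at all.
 */
add_action( 'wp_ajax_jx_example_reset', 'jx_example_reset' );
function jx_example_reset() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // sends JSON and exits
    }
    // Third argument false: return the result instead of dying with "-1",
    // so the client gets a consistent JSON 403 on a bad nonce.
    if ( ! check_ajax_referer( 'jx_example_reset', '_ajax_nonce', false ) ) {
        wp_send_json_error( 'invalid nonce', 403 );
    }
    jx_example_reset_site( get_current_user_id() );
    wp_send_json_success();
}

/*
 * 3. Where the nonce comes from. It is minted only for users who already
 *    hold the capability, and is tied to the action name the handler checks.
 */
add_action( 'admin_enqueue_scripts', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_enqueue_script( 'jx-example-cp', plugins_url( 'cp.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'jx-example-cp', 'jxExampleCp', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'jx_example_reset' ),
    ) );
} );

// Stand-in for the destructive reset the advisory describes. Hypothetical and
// deliberately not a real reinstall: it only records who triggered it.
function jx_example_reset_site( $user_id ) {
    update_option( 'jx_example_last_reset_by', (int) $user_id );
}
```

The order of the two checks in the hardened handler matters little, but both must be present: a handler with only check_ajax_referer() is the pattern behind many "subscriber can do X" WordPress findings, because the nonce proves intent, not permission.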

Description: Insufficient Access Control leading to Authenticated Arbitrary Plugin Deactivation and Settings Modification

Affected Software: JupiterX Theme and JupiterX Core Plugin

Slug(s): jupiterx (theme), jupiterx-core (plugin)

Developer: ArtBees

Affected Versions: JupiterX Theme <= 2.0.6 and JupiterX Core <= 2.0.6

CVE ID: CVE-2022-1656

CVSS score: 6.5 (Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Researcher(s): Ramuel Gall

Fully Patched Versions: JupiterX Theme 2.0.7 and JupiterX Core Plugin 2.0.7

This vulnerability allows an attacker to reduce site security or damage functionality.

Vulnerable versions of the JupiterX Theme allow any logged-in user, including subscriber-level users, to access any of the functions registered in lib/api/api/ajax.php, which also grant access to the jupiterx_api_ajax_ actions registered by the JupiterX Core Plugin. This includes the ability to deactivate arbitrary plugins as well as update the theme’s API key.

Description: Authenticated Path Traversal and Local File Inclusion

Affected Software: JupiterX Theme and Jupiter Theme

Slug(s): jupiterx (theme), jupiter (theme)

Developer: ArtBees

Affected Versions: JupiterX Theme <= 2.0.6 and Jupiter Theme <= 6.10.1

CVE ID: CVE-2022-1657

CVSS score: 8.1 (High)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Researcher(s): Ramuel Gall

Fully Patched Versions: JupiterX Theme 2.0.7 and Jupiter Theme 6.10.2

This vulnerability could allow an attacker to obtain privileged information, such as nonce values, or perform restricted actions, by including and executing files from any location on the site.

Vulnerable versions of the Jupiter and JupiterX Themes allow logged-in users, including subscriber-level users, to perform Path Traversal and Local File inclusion. In the JupiterX theme, the jupiterx_cp_load_pane_action AJAX action present in the lib/admin/control-panel/control-panel.php file calls the load_control_panel_pane function. It is possible to use this action to include any local PHP file via the slug parameter. The Jupiter theme has a nearly identical vulnerability which can be exploited via the mka_cp_load_pane_action AJAX action present in the framework/admin/control-panel/logic/functions.php file, which calls the mka_cp_load_pane_action function.

Description: Insufficient Access Control leading to Authenticated Arbitrary Plugin Deletion

Affected Software: Jupiter Theme

Slug(s): jupiter (theme)

Developer: ArtBees

Affected Versions: Jupiter Theme <= 6.10.1

CVE ID: CVE-2022-1658

CVSS score: 6.5 (Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Researcher(s): Ramuel Gall

Fully Patched Versions: Jupiter Theme 6.10.2

This vulnerability allows an attacker to reduce site security or damage functionality.

Vulnerable versions of the Jupiter Theme allow arbitrary plugin deletion by any authenticated user, including users with the subscriber role, via the abb_remove_plugin AJAX action registered in the framework/admin/control-panel/logic/plugin-management.php file. Using this functionality, any logged-in user can delete any installed plugin on the site.

Description: Information Disclosure, Modification, and Denial of Service

Affected Software: JupiterX Core Plugin

Slug(s): jupiterx-core (plugin)

Developer: ArtBees

Affected Versions: JupiterX Core Plugin <= 2.0.6

CVE ID: CVE-2022-1659

CVSS score: 6.3 (Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Researcher(s): Ramuel Gall

Fully Patched Versions: JupiterX Core Plugin 2.0.7

This vulnerability allows an attacker to view site configuration and logged-in users, modify post conditions, or perform a denial of service attack.

Vulnerable versions of the JupiterX Core plugin register an AJAX action jupiterx_conditional_manager which can be used to call any function in the includes/condition/class-condition-manager.php file by sending the desired function to call in the sub_action parameter.
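As an added example for this page (illustrative code, not JupiterX or ArtBees code), here is the allowlisting that closes both dispatch problems described in this advisory: the path traversal and local file inclusion via the slug parameter (CVE-2022-1657) and the arbitrary method call via the sub_action parameter (CVE-2022-1659). The jx_example_* names, the pane directory layout and the condition-manager class are assumptions made for the example; the WordPress functions used are real.

```php
<?php
/**
 * Added example for this page; not JupiterX or ArtBees code. The jx_example_*
 * names, the pane directory and the condition-manager class are hypothetical.
 * sanitize_key(), current_user_can(), check_ajax_referer(), wp_send_json_*(),
 * WP_Error and the option/transient functions are real WordPress APIs.
 */

/* --- The two vulnerable shapes the advisory describes -------------------- */

// Untrusted slug selects a file: slug=../../../../wp-config (or any other PHP
// file on disk) is included and executed inside the request.
function jx_example_load_pane_unsafe() {
    include get_template_directory() . '/control-panel/panes/' . $_POST['slug'] . '.php';
}

// Untrusted sub_action selects a method: every method on the object becomes
// a web endpoint, not only the ones the UI was written to call.
function jx_example_dispatch_unsafe( $manager, $sub_action ) {
    return call_user_func( array( $manager, $sub_action ) );
}

/* --- Hardened: untrusted input is only ever a key into a fixed allowlist --- */

// basename() or a realpath() prefix check would still let any PHP file that
// happens to sit in the panes directory be included; an explicit map does not.
const JX_EXAMPLE_PANES = array(
    'general' => 'general.php',
    'plugins' => 'plugins.php',
    'license' => 'license.php',
);

function jx_example_pane_file( $slug ) {
    $slug = sanitize_key( (string) $slug );  // keeps only [a-z0-9_-]
    return JX_EXAMPLE_PANES[ $slug ] ?? null; // null means "reject", never "try anyway"
}

class JX_Example_Condition_Manager {
    public function get_conditions() {
        return get_option( 'jx_example_conditions', array() );
    }
    public function set_conditions() {
        $conditions = isset( $_POST['conditions'] ) ? (array) $_POST['conditions'] : array();
        return update_option( 'jx_example_conditions', array_map( 'sanitize_text_field', $conditions ) );
    }
    public function purge_cache() {
        return delete_transient( 'jx_example_condition_cache' );
    }
    // Exists on the class but is deliberately absent from the allowlist below,
    // so it cannot be reached through the AJAX entry point by name.
    public function dump_users() {
        return get_users();
    }
}

// Each permitted sub_action carries the capability it requires, so privilege
// is enforced per operation rather than once per endpoint.
const JX_EXAMPLE_SUB_ACTIONS = array(
    'get_conditions' => 'edit_theme_options',
    'set_conditions' => 'edit_theme_options',
    'purge_cache'    => 'manage_options',
);

function jx_example_dispatch( JX_Example_Condition_Manager $manager, $sub_action ) {
    $sub_action = sanitize_key( (string) $sub_action );
    if ( ! isset( JX_EXAMPLE_SUB_ACTIONS[ $sub_action ] ) ) {
        return new WP_Error( 'bad_sub_action', 'unknown sub_action' );
    }
    if ( ! current_user_can( JX_EXAMPLE_SUB_ACTIONS[ $sub_action ] ) ) {
        return new WP_Error( 'forbidden', 'insufficient capability' );
    }
    return $manager->$sub_action(); // safe: $sub_action is one of three fixed names
}

/* --- Wiring: nonce check plus allowlist on both entry points --------------- */

add_action( 'wp_ajax_jx_example_load_pane', function () {
    if ( ! current_user_can( 'manage_options' ) || ! check_ajax_referer( 'jx_example_cp', '_ajax_nonce', false ) ) {
        wp_send_json_error( 'forbidden', 403 ); // exits
    }
    $file = jx_example_pane_file( $_POST['slug'] ?? '' );
    if ( null === $file ) {
        wp_send_json_error( 'unknown pane', 400 );
    }
    include get_template_directory() . '/control-panel/panes/' . $file;
    wp_die();
} );

add_action( 'wp_ajax_jx_example_conditional_manager', function () {
    if ( ! check_ajax_referer( 'jx_example_cp', '_ajax_nonce', false ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $result = jx_example_dispatch( new JX_Example_Condition_Manager(), $_POST['sub_action'] ?? '' );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 403 );
    }
    wp_send_json_success( $result );
} );
```

With this shape, a request carrying slug=../../wp-config is reduced by sanitize_key() to wp-config, which is not a key in the map and is rejected; likewise sub_action=dump_users is rejected before any method is resolved, even though the method exists on the class.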

Timeline

April 5, 2022 – The Wordfence Threat Intelligence team finishes its investigation of the Jupiter and JupiterX themes and releases a firewall rule to protect Wordfence Premium, Wordfence Care, and Wordfence Response customers. Wordfence contacts the theme developer and sends over the full disclosure.
April 28, 2022 – Partially patched versions of the JupiterX theme and JupiterX Core plugin are released.
May 3, 2022 – Wordfence follows up with the theme developer about additional patches and notifies them of an additional vulnerability found in the Jupiter theme.
May 4, 2022 – The firewall rule becomes available to Wordfence free users.
May 10, 2022 – Fully patched versions of the Jupiter theme and JupiterX Core plugin are released. Wordfence verifies that all vulnerabilities are addressed.

Conclusion

Please share this information with friends and colleagues who run these themes, and update to the fully patched versions, Jupiter Theme v6.10.2 and JupiterX Core plugin v2.0.8 (with JupiterX theme v2.0.7), before an attacker uses the privilege escalation to take over the site and plant malware. It is also good practice to keep a daily backup of your website: if you lose access, restoring a backup is the fastest way to get the site back, provided the backup was taken before the compromise.
