Jupiter / JupiterX Theme Privilege Escalation / LFI / DoS / Access Control Issues

2022.05.19
Credit: Ramuel Gall
Risk: High
Local: No
Remote: Yes

Description: Authenticated Privilege Escalation and Post deletion
Affected Software: Jupiter Theme and JupiterX Core Plugin
Slug(s): jupiter (theme), jupiterx-core (plugin)
Developer: ArtBees
Affected Versions: Jupiter Theme <= 6.10.1 and JupiterX Core Plugin <= 2.0.7
CVE ID: CVE-2022-1654
CVSS score: 9.9 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Researcher(s): Ramuel Gall
Fully Patched Versions: Jupiter Theme 6.10.2 and JupiterX Core Plugin 2.0.8

This vulnerability allows any authenticated attacker, including a subscriber or customer-level attacker, to gain administrative privileges and completely take over any site running either the Jupiter Theme or JupiterX Core Plugin. The JupiterX Core plugin is required for the JupiterX theme.

The classic Jupiter Theme contains a function, uninstallTemplate, which is intended to reset a site after a template is uninstalled, but has the additional effect of elevating the user calling the function to an administrator role. In JupiterX, this functionality has been migrated to the JupiterX Core plugin. Vulnerable versions register AJAX actions but do not perform any capability checks or nonce checks.

On a site with a vulnerable version of the Jupiter Theme installed, any logged-in user can elevate their privileges to those of an administrator by sending an AJAX request with the action parameter set to abb_uninstall_template. This calls the uninstallTemplate function, which calls the resetWordpressDatabase function, where the site is effectively reinstalled with the currently logged-in user as the new site owner. On a site where a vulnerable version of the JupiterX Core plugin is installed, the same functionality can also be accessed by sending an AJAX request with the action parameter set to jupiterx_core_cp_uninstall_template.
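The root cause above is a WordPress wp_ajax_* handler that performs destructive, privileged work without a nonce check or a capability check. The following is an added example written for this advisory, not Jupiter or JupiterX code: it shows the vulnerable handler shape next to a hardened one. The action name abb_uninstall_template and the callback name uninstallTemplate come from the advisory; the nonce action string, the script handle and the helper function names are assumptions.

```php
<?php
/**
 * Added example (not Jupiter/JupiterX code). Shows the access-control pattern
 * that the vulnerable AJAX handlers described in the advisory lacked.
 *
 * Assumed names: 'abb_uninstall_template_nonce' (nonce action), 'abb-control-panel'
 * (script handle), do_destructive_reset() and the *_vulnerable/*_hardened callbacks.
 */

// --- Vulnerable shape (NOT hooked here, shown for contrast) --------------------
// wp_ajax_* fires for every authenticated user regardless of role, so hooking a
// destructive callback like this lets a subscriber trigger it:
//   add_action( 'wp_ajax_abb_uninstall_template', 'uninstallTemplate_vulnerable' );
function uninstallTemplate_vulnerable() {
    // Destructive work runs unconditionally: no nonce, no capability check.
    do_destructive_reset();
    wp_send_json_success();
}

// --- Hardened shape -------------------------------------------------------------
add_action( 'wp_ajax_abb_uninstall_template', 'uninstallTemplate_hardened' );

function uninstallTemplate_hardened() {
    // 1. CSRF protection: check_ajax_referer() dies with HTTP 403 unless the
    //    'nonce' request field matches a nonce minted for this action.
    check_ajax_referer( 'abb_uninstall_template_nonce', 'nonce' );

    // 2. Authorization: only users who may manage the site (administrators)
    //    are allowed to run a site-wide reset. wp_send_json_error() exits.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Only now do the privileged work.
    do_destructive_reset();
    wp_send_json_success();
}

// The nonce must be minted server-side for the admin page whose script sends
// the AJAX request; here it is passed to an already-registered script handle.
function abb_cp_enqueue_scripts() {
    wp_localize_script( 'abb-control-panel', 'abbCp', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'abb_uninstall_template_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'abb_cp_enqueue_scripts' );

function do_destructive_reset() {
    // Placeholder for the real reset logic; intentionally empty in this example.
}
```

Note that the nonce check alone is not enough: a nonce only proves the request came from a page the current user loaded, so a subscriber could still mint one for themselves. The capability check is what actually restricts the action to administrators; the two checks address different problems and both are needed.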
Description: Insufficient Access Control leading to Authenticated Arbitrary Plugin Deactivation and Settings Modification
Affected Software: JupiterX Theme and JupiterX Core Plugin
Slug(s): jupiterx (theme), jupiterx-core (plugin)
Developer: ArtBees
Affected Versions: JupiterX Theme <= 2.0.6 and JupiterX Core <= 2.0.6
CVE ID: CVE-2022-1656
CVSS score: 6.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Researcher(s): Ramuel Gall
Fully Patched Versions: JupiterX Theme 2.0.7 and JupiterX Core Plugin 2.0.7

This vulnerability allows an attacker to reduce site security or damage functionality. Vulnerable versions of the JupiterX Theme allow any logged-in user, including subscriber-level users, to access any of the functions registered in lib/api/api/ajax.php, which also grant access to the jupiterx_api_ajax_ actions registered by the JupiterX Core Plugin. This includes the ability to deactivate arbitrary plugins as well as update the theme's API key.

Description: Authenticated Path Traversal and Local File Inclusion
Affected Software: JupiterX Theme and Jupiter Theme
Slug(s): jupiterx (theme), jupiter (theme)
Developer: ArtBees
Affected Versions: JupiterX Theme <= 2.0.6 and Jupiter Theme <= 6.10.1
CVE ID: CVE-2022-1657
CVSS score: 8.1 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Researcher(s): Ramuel Gall
Fully Patched Versions: JupiterX Theme 2.0.7 and Jupiter Theme 6.10.2

This vulnerability could allow an attacker to obtain privileged information, such as nonce values, or perform restricted actions, by including and executing files from any location on the site. Vulnerable versions of the Jupiter and JupiterX Themes allow logged-in users, including subscriber-level users, to perform Path Traversal and Local File Inclusion.

In the JupiterX theme, the jupiterx_cp_load_pane_action AJAX action present in the lib/admin/control-panel/control-panel.php file calls the load_control_panel_pane function. It is possible to use this action to include any local PHP file via the slug parameter. The Jupiter theme has a nearly identical vulnerability which can be exploited via the mka_cp_load_pane_action AJAX action present in the framework/admin/control-panel/logic/functions.php file, which calls the mka_cp_load_pane_action function.

Description: Insufficient Access Control leading to Authenticated Arbitrary Plugin Deletion
Affected Software: Jupiter Theme
Slug(s): jupiter (theme)
Developer: ArtBees
Affected Versions: Jupiter Theme <= 6.10.1
CVE ID: CVE-2022-1658
CVSS score: 6.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Researcher(s): Ramuel Gall
Fully Patched Versions: Jupiter Theme 6.10.2

This vulnerability allows an attacker to reduce site security or damage functionality. Vulnerable versions of the Jupiter Theme allow arbitrary plugin deletion by any authenticated user, including users with the subscriber role, via the abb_remove_plugin AJAX action registered in the framework/admin/control-panel/logic/plugin-management.php file. Using this functionality, any logged-in user can delete any installed plugin on the site.

Description: Information Disclosure, Modification, and Denial of Service
Affected Software: JupiterX Core Plugin
Slug(s): jupiterx-core (plugin)
Developer: ArtBees
Affected Versions: JupiterX Core Plugin <= 2.0.6
CVE ID: CVE-2022-1659
CVSS score: 6.3 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Researcher(s): Ramuel Gall
Fully Patched Versions: JupiterX Core Plugin 2.0.7

This vulnerability allows an attacker to view site configuration and logged-in users, modify post conditions, or perform a denial of service attack. Vulnerable versions of the JupiterX Core plugin register an AJAX action jupiterx_conditional_manager which can be used to call any function in the includes/condition/class-condition-manager.php file by sending the desired function to call in the sub_action parameter.
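Two of the issues above share one defect: a request-controlled string is used directly to pick a file to include (CVE-2022-1657, the slug parameter) or a function to call (CVE-2022-1659, the sub_action parameter). The block below is an added example for this advisory, not code from the Jupiter or JupiterX projects. It shows a pane loader and a sub_action dispatcher that map the untrusted value through a fixed allowlist, with the nonce and capability checks in front. The AJAX action name jupiterx_cp_load_pane_action and the slug and sub_action parameter names come from the advisory; the panes directory, allowlist contents, nonce action, class and function names are assumptions.

```php
<?php
/**
 * Added example (not Jupiter/JupiterX code): loading a control-panel pane and
 * dispatching a sub_action without letting the request choose arbitrary files
 * or methods. Assumed names: the panes directory, 'jupiterx_cp_nonce',
 * resolve_pane_path(), Condition_Manager_Example and the allowlist entries.
 */

// Vulnerable shape (shown for contrast, not hooked): the request-controlled slug
// becomes part of an include path. Any "../" sequence escapes the panes directory,
// and whatever file is reached is executed as PHP.
function load_control_panel_pane_vulnerable() {
    $slug = $_POST['slug'];
    include get_template_directory() . '/lib/admin/control-panel/panes/' . $slug . '.php';
    wp_die();
}

// Hardened shape: nonce + capability checks, then a fixed allowlist of pane
// slugs, then a realpath() containment check as defence in depth.
add_action( 'wp_ajax_jupiterx_cp_load_pane_action', 'load_control_panel_pane_hardened' );

function load_control_panel_pane_hardened() {
    check_ajax_referer( 'jupiterx_cp_nonce', 'nonce' );   // assumed nonce action
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $requested = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
    $path      = resolve_pane_path( $requested );
    if ( null === $path ) {
        wp_send_json_error( array( 'message' => 'Unknown pane.' ), 400 );
    }

    include $path;
    wp_die();
}

/**
 * Map a requested slug to a file inside the panes directory, or return null.
 * sanitize_key() keeps only [a-z0-9_-], so "../" cannot survive; the allowlist
 * then limits the value to known panes; the realpath() check guarantees the
 * resolved file sits under $pane_dir even if an earlier step is weakened later.
 */
function resolve_pane_path( $slug ) {
    $allowed  = array( 'dashboard', 'settings', 'plugins', 'templates' ); // assumed panes
    $pane_dir = realpath( get_template_directory() . '/lib/admin/control-panel/panes' );

    if ( false === $pane_dir || ! in_array( $slug, $allowed, true ) ) {
        return null;
    }
    $file = realpath( $pane_dir . '/' . $slug . '.php' );
    if ( false === $file || 0 !== strpos( $file, $pane_dir . DIRECTORY_SEPARATOR ) ) {
        return null;
    }
    return $file;
}

// The same discipline for a sub_action dispatcher (cf. CVE-2022-1659): the
// request may only select from methods explicitly marked as callable over AJAX,
// never "any method on the class".
class Condition_Manager_Example {
    private $ajax_sub_actions = array( 'get_conditions', 'save_conditions' ); // assumed

    public function dispatch( $sub_action ) {
        $sub_action = sanitize_key( $sub_action );
        if ( ! in_array( $sub_action, $this->ajax_sub_actions, true ) ) {
            return null; // unknown or internal method: refuse, do not call
        }
        return call_user_func( array( $this, $sub_action ) );
    }

    private function get_conditions()  { return array(); }
    private function save_conditions() { return true; }
}
```

The allowlist is the control that matters; sanitize_key() and realpath() are there so that a later refactor (for example, one that removes the allowlist to support user-defined panes) still cannot turn the loader back into an include-anything primitive.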
Timeline

April 5, 2022 - The Wordfence Threat Intelligence team finishes our investigation of the Jupiter and JupiterX Themes. We release a firewall rule to protect Wordfence Premium, Wordfence Care, and Wordfence Response customers. We contact the theme developer and send over the full disclosure.
April 28, 2022 - A partially patched version of the JupiterX theme and JupiterX Core plugin is released.
May 3, 2022 - We follow up with the theme developer about additional patches and notify them of an additional vulnerability we found in the Jupiter Theme.
May 4, 2022 - Firewall rule becomes available to Wordfence free users.
May 10, 2022 - Fully patched versions of the Jupiter Theme and JupiterX Core plugin are released. We verify that all vulnerabilities are addressed.

Conclusion

In today's article, we covered a number of vulnerabilities present in the Jupiter and JupiterX themes and the JupiterX Core companion plugin. The most severe vulnerability allows any logged-in user to easily gain administrator privileges. Wordfence Premium, Wordfence Care, and Wordfence Response customers have been protected from these vulnerabilities since April 5, 2022, and free Wordfence users received the same protection on May 4, 2022.

We strongly recommend updating to the latest versions of the impacted themes and plugins immediately. Since several versions across several slugs are impacted, we'll reiterate what you should update:

- If you are running the Jupiter Theme version 6.10.1 or below, you should immediately update to version 6.10.2 or higher.
- If you are running the JupiterX Theme version 2.0.6 or below, you should immediately update to version 2.0.7 or higher.
- If you are running the JupiterX Core Plugin version 2.0.7 or below, you should immediately update it to version 2.0.8 or higher.

If you know anyone using the Jupiter theme or the JupiterX theme, we urge you to forward this advisory to them as the most severe vulnerability allows complete site takeover.
If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.

