A critical privilege escalation flaw found in two themes used by more than 90,000 WordPress sites can allow threat actors to take over the sites completely, researchers have found.
Wordfence Threat Intelligence Team researcher Ramuel Gall discovered the flaw, one of five vulnerabilities he found between early April and early May in the Jupiter and JupiterX Premium WordPress themes, he revealed in a blog post published Wednesday.
One of the flaws, tracked as CVE-2022-1654 and rated 9.9 (critical) on the CVSS scale, allows for “any authenticated attacker, including a subscriber or customer-level attacker, to gain administrative privileges and completely take over any site running either the Jupiter Theme or JupiterX Core Plugin,” he wrote. The plugin is required to run the JupiterX theme.
Affected versions of the themes are: Jupiter Theme 6.10.1 or earlier, and JupiterX Core Plugin 2.0.7 or earlier.
Wordfence finished its investigation of most of the flaws on April 5 and reported them to the Jupiter and JupiterX theme developer ArtBees on the same day; on May 3 it notified the developer of an additional Jupiter theme flaw. By May 10, the developer had released updated versions of both the Jupiter and JupiterX themes that patched all the flaws.
The critical flaw found resides in a function, uninstallTemplate, which is intended to reset a site after a template is uninstalled. However, it “has the additional effect of elevating the user calling the function to an administrator role,” Gall wrote. In the Jupiter theme, the function is found in the theme itself; in JupiterX, it’s present in the JupiterX Core plugin.
“Vulnerable versions register AJAX actions but do not perform any capability checks or nonce checks,” he wrote.
On a site with a vulnerable version of the Jupiter Theme installed, any logged-in user can elevate their privileges to those of an administrator by sending an AJAX request with the action parameter set to abb_uninstall_template. This calls the uninstallTemplate function, which calls the resetWordpressDatabase function, which effectively reinstalls the site with the currently logged-in user as the new site owner, Gall explained.
On a site where a vulnerable version of the JupiterX Core plugin is installed, someone can access the same functionality by sending an AJAX request with the action parameter set to jupiterx_core_cp_uninstall_template, he said.
WordPress plugins, often developed by third-party developers, are notoriously buggy. Previous flaws found in plugins for the popular website-creation and -hosting platform also have allowed for site takeover, as well as enabled WordPress subscribers to totally wipe sites not belonging to them, or attackers to forge emails to subscribers.
Of the other flaws that Gall discovered, three, tracked as CVE-2022-1656, CVE-2022-1658 and CVE-2022-1659, are rated as medium risk, and one, CVE-2022-1657, is rated as high risk.
The high-risk flaw, which affects JupiterX Theme 2.0.6 or earlier and Jupiter Theme 6.10.1 or earlier, can allow an attacker to obtain privileged information, such as nonce values, or perform restricted actions, Gall explained. This can be done by including and executing files from any location on the site.
“Vulnerable versions of the Jupiter and JupiterX Themes allow logged-in users, including subscriber-level users, to perform Path Traversal and Local File inclusion,” Gall explained.
In the JupiterX theme, this can be done by using the jupiterx_cp_load_pane_action AJAX action present in the lib/admin/control-panel/control-panel.php file to call the load_control_panel_pane function. “It is possible to use this action to include any local PHP file via the slug parameter,” Gall wrote.
The Jupiter theme has a nearly identical vulnerability, which an attacker can exploit via the mka_cp_load_pane_action AJAX action present in the framework/admin/control-panel/logic/functions.php file, which calls the mka_cp_load_pane_action function, he said.
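The two root causes described above (an AJAX action reachable by any logged-in user because the callback performs no nonce or capability check, and a pane slug that selects which file is included) can be contrasted with a hardened handler. The code below is an added illustration written for this article, not code from the Jupiter or JupiterX themes or from Wordfence; the handler names (`demo_cp_load_pane_*`), the pane directory and the `$allowed_panes` list are assumptions.

```php
<?php
// Added example, not code from the Jupiter/JupiterX themes.
// Hypothetical handler names (demo_*), pane directory and whitelist are assumptions.

// --- Vulnerable pattern of the kind the report describes: the AJAX action is
// registered, but the callback checks neither a nonce nor a capability, so any
// logged-in user (subscriber included) can reach it, and the user-supplied slug
// directly selects the file that gets included.
add_action( 'wp_ajax_demo_cp_load_pane_unsafe', 'demo_cp_load_pane_unsafe' );
function demo_cp_load_pane_unsafe() {
    $slug = isset( $_POST['slug'] ) ? $_POST['slug'] : '';
    include get_template_directory() . '/admin/panes/' . $slug . '.php';
    wp_die();
}

// --- Hardened form: authenticate the request, authorize the user, and never
// let user input choose the file path. The same nonce and capability checks
// apply to any site-resetting action such as a template uninstall.
add_action( 'wp_ajax_demo_cp_load_pane', 'demo_cp_load_pane_safe' );
function demo_cp_load_pane_safe() {
    // 1. Nonce check: the request must carry a nonce issued for this action
    //    (handed to the admin script via wp_localize_script); this blocks CSRF.
    //    check_ajax_referer() dies with -1 when the nonce is missing or invalid.
    check_ajax_referer( 'demo_cp_load_pane', 'nonce' );

    // 2. Capability check: being logged in is not enough. A control-panel
    //    action needs an administrative capability, not merely 'read'.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 ); // calls wp_die()
    }

    // 3. Whitelist the pane: the slug is reduced to [a-z0-9_-] and then matched
    //    against a fixed set of known panes, so '../' or arbitrary paths can
    //    never reach include().
    $allowed_panes = array( 'general', 'typography', 'advanced' );
    $slug = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
    if ( ! in_array( $slug, $allowed_panes, true ) ) {
        wp_send_json_error( 'unknown pane', 400 );
    }

    ob_start();
    include get_template_directory() . '/admin/panes/' . $slug . '.php';
    wp_send_json_success( ob_get_clean() );
}
```

For detection, a request to admin-ajax.php whose action is one of the names quoted above, coming from a subscriber-level account, is the signal to look for in access logs on sites still running the affected versions.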
Wordfence researchers recommend that anyone using the affected themes update to the patched versions immediately. The company released a firewall rule to protect Wordfence Premium, Wordfence Care and Wordfence Response customers on April 5, and free Wordfence users on May 4.