Critical Vulnerability in Premium WordPress Themes Allows for Site Takeover!

A ‘critical privilege escalation’ issue found in 2 themes used by over 90,000 WordPress sites can allow threat actors to take over those sites completely, researchers have found.

Wordfence Threat Intelligence Team researcher Ramuel Gall discovered the flaw, 1 of 5 vulnerabilities he found between early April & early May in the Jupiter & JupiterX premium WordPress themes, he revealed in a blog post published Wednesday.

Authenticated Attacker

One issue, tracked as CVE-2022-1654 & rated 9.9 (critical) on the CVSS scale, allows “any authenticated attacker, including a subscriber or customer-level attacker, to gain administrative privileges & completely take over any site running either the Jupiter Theme or JupiterX Core Plugin,” he wrote. The plugin is required to run the JupiterX theme.

Affected versions of the themes are Jupiter Theme 6.10.1 or earlier, & JupiterX Core Plugin 2.0.7 or earlier.

Wordfence finished its investigation of most of the flaws on April 5 & reported them to ArtBees, the developer of the Jupiter & JupiterX themes, on the same day; on May 3 it notified the developer of an additional Jupiter theme issue.

By May 10, the developer had released updated versions of both the Jupiter & JupiterX themes that patched all the issues.

Critical Vulnerability

The critical problem is found within a function, uninstallTemplate, which is meant to reset a site after a template is uninstalled. However, it “has the additional effect of elevating the user calling the function to an administrator role,” Gall wrote. In the Jupiter theme, the function is found in the theme itself; in JupiterX, it is present in the JupiterX Core plugin.

“Vulnerable versions register AJAX actions but do not perform any capability checks or nonce checks,” he warned.

Jupiter Theme

On a site with a vulnerable version of the Jupiter Theme installed, any logged-in user can elevate their privileges to those of an administrator by sending an AJAX request with the action parameter set to abb_uninstall_template. This calls the uninstallTemplate function, which calls the resetWordpressDatabase function, which effectively reinstalls the site with the currently logged-in user as the new site owner, Gall explained.

On a site where a vulnerable version of the JupiterX Core plugin is installed, someone can access the same functionality by sending an AJAX request with the action parameter set to jupiterx_core_cp_uninstall_template, he stated.

Vulnerabilities

WordPress plugins, often developed by 3rd-party developers, are notoriously ‘buggy’.

Previous defects found in plugins for the popular website-creation & hosting platform also have allowed for site takeover, as well as enabled WordPress subscribers to totally wipe sites not belonging to them, or attackers to forge emails to subscribers.

Of the other flaws that Gall discovered, 3, tracked as CVE-2022-1656, CVE-2022-1658 & CVE-2022-1659, are rated as medium risk, & one, CVE-2022-1657, is rated as high risk.

High-Risk Flaw

The high-risk flaw, which affects JupiterX Theme 2.0.6 or earlier & Jupiter Theme 6.10.1 or earlier, can allow an attacker to obtain privileged information, such as nonce values, or perform restricted actions, Gall explained. This can be done by including & executing files from any location on the site.

“Vulnerable versions of the Jupiter & JupiterX Themes allow logged-in users, including subscriber-level users, to perform Path Traversal & Local File inclusion,” Gall explained.

In the JupiterX theme, this can be done by using the jupiterx_cp_load_pane_action AJAX action present in the lib/admin/control-panel/control-panel.php file to call the load_control_panel_pane function. “It is possible to use this action to include any local PHP file via the slug parameter,” Gall wrote.

Identical Vulnerability

The Jupiter theme has a nearly identical vulnerability, which an attacker can exploit via the mka_cp_load_pane_action AJAX action present in the framework/admin/control-panel/logic/functions.php file, which calls the mka_cp_load_pane_action function, he explained.
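Both classes of flaw described above, the reset handler that trusts any logged-in caller and the pane loader that includes a file named by a request parameter, come down to admin-ajax actions registered without nonce or capability checks and without input validation. The following is an added illustration of the hardened form of each pattern; it is not ArtBees' or Wordfence's code, and every action, function, capability and file name in it is a placeholder chosen for the example.

```php
<?php
// Added illustration, not ArtBees' or Wordfence's code. Action, function and
// file names are placeholders. Shows the hardened form of the two admin-ajax
// patterns the article describes: a privileged site reset, and a pane loader
// that includes a file chosen by a request parameter.

add_action( 'wp_ajax_example_uninstall_template', 'example_uninstall_template' );
function example_uninstall_template() {
    // Nonce: the request must carry a token this site issued (defeats CSRF).
    // check_ajax_referer() dies with HTTP 403 when the token is missing or wrong.
    check_ajax_referer( 'example_uninstall_template', 'nonce' );
    // Capability: being logged in is not enough; a subscriber must not reset the site.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    example_reset_site_state();   // destructive step, reached only past both checks
    wp_send_json_success();
}

// Pane loader: the file to include comes from a fixed allowlist, never from the
// raw "slug" value, so traversal sequences and arbitrary paths are rejected.
const EXAMPLE_PANES = array( 'general', 'layout', 'typography' );
add_action( 'wp_ajax_example_load_pane', 'example_load_pane' );
function example_load_pane() {
    check_ajax_referer( 'example_load_pane', 'nonce' );
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    $slug = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
    if ( ! in_array( $slug, EXAMPLE_PANES, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown pane.' ), 400 );
    }
    // The path is assembled from a constant directory and an allowlisted name only.
    include get_template_directory() . '/admin/panes/' . $slug . '.php';
    wp_die();
}

function example_reset_site_state() {
    // Placeholder for the reset routine the article describes; a real one should
    // take the intended site owner explicitly rather than using whoever called it.
    do_action( 'example_site_reset' );
}
```

A nonce alone would not have prevented the privilege escalation, since a subscriber can obtain one from any page that issues it; the capability check is the control that matters, and the nonce covers the separate CSRF case.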

Wordfence researchers recommend that anyone using the affected themes update to the patched versions immediately.

The company released a firewall rule to protect Wordfence Premium and other paid Wordfence customers on April 5, & free Wordfence users on May 4.
