Privilege escalation is a malicious tactic that abuses an application or OS flaw or a configuration problem to gain unauthorized access to sensitive information, typically by taking over an account whose rights would ordinarily be inaccessible to the current user.
With these permissions, a hostile actor can perform a range of operations on the operating system or server, such as executing commands or assisting a malware infection inside the network, which can cause business interruption, exposure of sensitive data, or full system takeover. This is privilege abuse.
What Happened?
WordPress security researchers have identified a number of flaws that are present in the Jupiter Theme and JupiterX Core plugins for the WordPress content management system. One of these vulnerabilities is a serious privilege escalation problem.
This vulnerability allows any authenticated attacker, including a subscriber or customer-level attacker, to gain administrative privileges and completely take over any site running either the Jupiter Theme or JupiterX Core Plugin. The JupiterX Core plugin is required for the JupiterX theme.
The classic Jupiter Theme contains a function, uninstallTemplate, which is intended to reset a site after a template is uninstalled but has the additional effect of elevating the user calling the function to an administrator role. In JupiterX, this functionality has been migrated to the JupiterX Core plugin. Vulnerable versions register AJAX actions but do not perform any capability checks or nonce checks.
On a site with a vulnerable version of the Jupiter Theme installed, any logged-in user can elevate their privileges to those of an administrator by sending an AJAX request with the action parameter set to abb_uninstall_template. This calls the uninstallTemplate function, which calls the resetWordpressDatabase function, where the site is effectively reinstalled with the currently logged-in user as the new site owner.
On a site where a vulnerable version of the JupiterX Core plugin is installed, the same functionality can also be accessed by sending an AJAX request with the action parameter set to jupiterx_core_cp_uninstall_template.
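The root cause described above is an admin-ajax handler registered without a nonce or capability check. The following is an added illustration, not code from the Jupiter or JupiterX projects: a generic WordPress AJAX handler in the unchecked form beside the hardened form. The action names, the nonce name and the example_reset_site routine are placeholders, not the plugin's identifiers.

```php
<?php
// Added illustration only; not code from the Jupiter/JupiterX projects.
// Hook names, nonce name and example_reset_site() are placeholders.

// --- Unchecked pattern (what the advisory describes) ---
// wp_ajax_{action} hooks fire for EVERY authenticated user, whatever their
// role, so a subscriber can reach this handler just by being logged in.
add_action('wp_ajax_example_unsafe_uninstall', 'example_unsafe_uninstall');
function example_unsafe_uninstall() {
    example_reset_site(); // destructive action runs with no authorization
    wp_die();
}

// --- Hardened pattern: verify nonce, then capability, before acting ---
add_action('wp_ajax_example_uninstall_template', 'example_safe_uninstall');
function example_safe_uninstall() {
    // 1. CSRF protection: the request must carry a nonce minted for this
    //    action, e.g. wp_create_nonce('example_uninstall_template') when the
    //    admin page is rendered. check_ajax_referer() dies with HTTP 403
    //    if the nonce is missing or invalid. A nonce is NOT authorization.
    check_ajax_referer('example_uninstall_template', 'nonce');

    // 2. Authorization: require an administrator-level capability, not
    //    merely a logged-in session. This is the check whose absence lets
    //    a subscriber trigger the reset.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'Insufficient permissions.'], 403);
    }

    example_reset_site();
    wp_send_json_success(['message' => 'Template uninstalled.']);
}

// Placeholder standing in for the destructive reset. A real implementation
// should also never let request data decide who becomes the site owner.
function example_reset_site() {
    // ... reset / reinstall logic would live here ...
}
```

Both hooks are shown only for contrast; a plugin would register just the hardened handler, and the same two checks apply to wp_ajax_nopriv_ handlers and REST routes alike.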
Jupiter is a robust and high-quality theme builder for WordPress websites. It is utilized by more than 90,000 well-known blogs, online magazines, and platforms that see a large volume of user traffic.
Any authenticated user on a website that uses the vulnerable theme or plugin is able to gain administrator access as a result of this vulnerability, which has been assigned the tracking number CVE-2022-1654 and a CVSS score of 9.9 (critical).
After successfully exploiting the vulnerability, attackers have the power to execute whatever action they want on the website. This includes changing the site’s content, introducing malicious scripts, or erasing the website entirely.
To exploit this vulnerability, the attacker needs only a basic subscriber or customer account on the website, so the attack has very low prerequisites.
Jupiter Theme 6.10.1 and older (fixed in 6.10.2), JupiterX Theme 2.0.6 and older (fixed in 2.0.7), and JupiterX Core Plugin 2.0.7 and older (fixed in 2.0.8) are affected by CVE-2022-1654. To remediate, update to the newest version, or disable the plugin and switch your site’s theme.