The Cyber Security News


Critical Vulnerability in Premium WordPress Themes Allows for Site Takeover

May 19, 2022

Privilege escalation flaw identified in the Jupiter and JupiterX Core Plugin affects more than 90,000 sites.

A critical privilege escalation flaw found in two themes used by more than 90,000 WordPress sites can allow threat actors to take over the sites entirely, researchers have found.

Wordfence Threat Intelligence Group researcher Ramuel Gall discovered the flaw, one of five vulnerabilities he found between early April and early May in the Jupiter and JupiterX Premium WordPress themes, he revealed in a blog post published Wednesday.


One of the flaws, tracked as CVE-2022-1654 and rated as 9.9, or critical, on the CVSS, allows for “any authenticated attacker, including a subscriber or customer-level attacker, to gain administrative privileges and completely take over any site running either the Jupiter Theme or JupiterX Core Plugin,” he wrote. The plugin is required to run the JupiterX theme.

Affected versions of the themes are: Jupiter Theme 6.10.1 or earlier, and JupiterX Core Plugin 2..7 or earlier.

Wordfence concluded their investigation of most of the flaws on April 5 and reported them to the Jupiter and JupiterX theme developer ArtBees on the same day; on May 3 they notified the developer of an additional Jupiter theme flaw. By May 10, the developer had released updated versions of both the Jupiter and JupiterX themes that had patched all the flaws.

Critical Vulnerability

The critical flaw resides in a function, uninstallTemplate, which is meant to reset a site after a template is uninstalled. However, it “has the additional effect of elevating the user calling the function to an administrator role,” Gall wrote. In the Jupiter theme, the function is found in the theme itself; in JupiterX, it is present in the JupiterX Core plugin.

“Vulnerable versions register AJAX actions but do not perform any capability checks or nonce checks,” he wrote.

On a site with a vulnerable version of the Jupiter Theme installed, any logged-in user can elevate their privileges to those of an administrator by sending an AJAX request with the action parameter set to abb_uninstall_template. This calls the uninstallTemplate function, which calls the resetWordpressDatabase function, which effectively reinstalls the site with the currently logged-in user as the new site owner, Gall said.

On a site where a vulnerable version of the JupiterX Core plugin is installed, someone can access the same functionality by sending an AJAX request with the action parameter set to jupiterx_core_cp_uninstall_template, he said.
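
The missing capability and nonce checks described above can be looked for mechanically when reviewing a theme or plugin. The following is an added example, not code from the article, Wordfence or ArtBees: a heuristic Python audit that lists wp_ajax_ handlers whose body never calls a capability or nonce function. The embedded PHP sample and its demo_* names are constructed for illustration.

```python
import re

# Constructed sample PHP with hypothetical demo_* names, not Jupiter/JupiterX code.
SAMPLE_PHP = """
add_action( 'wp_ajax_demo_reset_site', 'demo_reset_site' );
function demo_reset_site() {
    demo_reset_database();   // no capability or nonce check before the reset
}
add_action( 'wp_ajax_demo_safe_reset', 'demo_safe_reset' );
function demo_safe_reset() {
    check_ajax_referer( 'demo_safe_reset', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    demo_reset_database();
}
"""

# wp_ajax_<action> hooks whose callback is a function name or [$obj, 'method'].
HOOK_RE = re.compile(
    r"add_action\(\s*['\"]wp_ajax_(\w+)['\"]\s*,\s*"
    r"(?:(?:array\s*\(|\[)[^,]*,\s*)?['\"](\w+)['\"]")
CHECKS = {
    "capability check": re.compile(r"\bcurrent_user_can\s*\("),
    "nonce check": re.compile(r"\b(?:check_ajax_referer|wp_verify_nonce)\s*\("),
}

def function_body(source, name):
    """Return the brace-balanced body of PHP function `name`, or None."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", source)
    if m is None:
        return None
    depth = 1
    for i in range(m.end(), len(source)):
        depth += {"{": 1, "}": -1}.get(source[i], 0)
        if depth == 0:
            return source[m.end():i]
    return None

def audit_ajax_handlers(source):
    """Map each wp_ajax_ action to the checks its handler never calls."""
    findings = {}
    for action, callback in HOOK_RE.findall(source):
        body = function_body(source, callback)
        missing = ["handler not found"] if body is None else [
            n for n, rx in CHECKS.items() if not rx.search(body)]
        if missing:
            findings[action] = missing
    return findings
```

Treat findings as review leads: a handler that delegates its checks to a helper is flagged, and a check that is called but not enforced is not.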

Other Vulnerabilities

WordPress plugins, often made by third-party developers, are notoriously buggy. Previous flaws found in plugins for the popular website-creation and -hosting platform also have allowed for site takeover, as well as enabled WordPress subscribers to completely wipe sites not belonging to them, or attackers to forge emails to subscribers.

Of the other flaws that Gall discovered, three, tracked as CVE-2022-1656, CVE-2022-1658 and CVE-2022-1659, are rated as medium risk and one, CVE-2022-1657, is rated as high risk.

The high-risk flaw, which affects JupiterX Theme 2..6 or earlier and Jupiter Theme 6.10.1 or earlier, can allow an attacker to obtain privileged information, such as nonce values, or perform restricted actions, Gall explained. This can be done by including and executing files from any location on the site.

“Vulnerable versions of the Jupiter and JupiterX Themes allow logged-in users, including subscriber-level users, to perform Path Traversal and Local File inclusion,” Gall said.

In the JupiterX theme, this can be done by using the jupiterx_cp_load_pane_motion AJAX action present in the lib/admin/control-panel/handle-panel.php file to call the load_handle_panel_pane function. “It is possible to use this action to include any local PHP file via the slug parameter,” Gall wrote.

The Jupiter theme has a nearly identical vulnerability, which an attacker can exploit via the mka_cp_load_pane_action AJAX action present in the framework/admin/manage-panel/logic/functions.php file, which calls the mka_cp_load_pane_action function, he said.

Wordfence researchers recommend that anyone using the affected themes update to the patched versions immediately. The company released a firewall rule to protect Wordfence Premium, Wordfence Care and Wordfence Response customers on April 5, and free Wordfence users on May 4.


Some parts of this article are sourced from:
threatpost.com
