Researchers discovered multiple security vulnerabilities in the Jupiter WordPress theme. While vendors have patched the issues, researchers still fear hackers may have already exploited the flaws.
Jupiter WordPress Theme Vulnerabilities
In a recent post, team Wordfence highlighted multiple serious vulnerabilities affecting the Jupiter Theme, JupiterX Theme, and JupiterX Core Plugin. An authenticated adversary could exploit the bugs to gain elevated privileges and execute various malicious activities.
Specifically, the most severe bug was a privilege escalation flaw in Jupiter Theme and JupiterX Core Plugin. It’s a critical severity vulnerability that received a CVSS score of 9.9. An authenticated attacker with subscriber or customer-level privileges could exploit this bug (CVE-2022-1654) to gain admin access to the site.
Then, the next vulnerability (CVE-2022-1657), a high-severity bug with CVSS 8.1, could allow an authenticated adversary to access privileged information. This vulnerability typically affected the JupiterX Theme and Jupiter Theme
The researchers also highlighted three other medium severity vulnerabilities. These include:
- Insufficient Access Control leading to Authenticated Arbitrary Plugin Deactivation and Settings Modification (CVE-2022-1656) affecting JupiterX Theme and JupiterX Core Plugin.
- Insufficient Access Control leading to Authenticated Arbitrary Plugin Deletion (CVE-2022-1658) affecting Jupiter Theme.
- Information Disclosure, Modification, and Denial of Service (CVE-2022-1659) affecting JupiterX Core Plugin.
Bugs (Probably) Exploited Despite Fixes
Following this discovery, Wordfence reported the matter to the Jupiter developers. In response, the developers deployed the patches with the release of Jupiter Theme version 6.10.2, JupiterX Theme version 2.0.7, and JupiterX Core Plugin version 2.0.8.
However, Plugin Vulnerabilities has pointed out in a post that the patched versions aren’t easily accessible for the users. As elaborated, the Jupiter X Core listing in the WordPress directory shows the last update date as 10 months ago.
Nonetheless, the plugin release notes show the last updated version as JupiterX Theme v.2.0.7. Thus, users may opt for downloading the patched plugin from the website.
Besides, Plugin Vulnerabilities also detect potential exploits of the bug in the wild. They have informed the developers about the matter.
Let us know your thoughts in the comments.