A Critical Vulnerability In WordPress Themes Enables Site Takeover On 90,000 Websites

Researchers discovered a critical privilege escalation vulnerability in two themes used by over 90,000 WordPress sites that could allow threat actors to completely take over the sites.

One of the defects, identified as CVE-2022-1654 and rated 9.9 (critical) on the CVSS scale, allows “any authenticated attacker, including a subscriber or customer-level attacker, to gain administrative privileges and completely take over any site running either the Jupiter Theme or JupiterX Core Plugin,” according to Gall. The plugin is required to run the JupiterX theme.

The critical vulnerability was discovered in a function called uninstallTemplate, which is intended to reset a site after a template is removed. However, it “additionally elevates the user calling the function to an administrator role,” according to Gall. In Jupiter the function is part of the theme itself; in JupiterX it lives in the JupiterX Core plugin.

Any logged-in user can elevate their privileges to those of an administrator on a site running a vulnerable version of the Jupiter Theme by sending an AJAX request with the action parameter set to abb_uninstall_template. According to Gall, this invokes the uninstallTemplate function, which in turn invokes the resetWordPressDatabase function, effectively reinstalling the site with the currently logged-in user as the new site owner.
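For defenders reviewing web server logs for attempts against this flaw, the following is an added example (not code from the article or from Wordfence) that flags admin-ajax.php requests carrying the abb_uninstall_template action. The log lines are constructed for illustration; note that an action sent only in a POST body will not appear in an access log, so WAF or application logs are needed to cover that case.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format), not real traffic.
# Lines 2 and 4 carry the vulnerable AJAX action in the query string.
SAMPLE_LOG = """\
203.0.113.5 - - [17/May/2022:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.5 - - [17/May/2022:10:01:09 +0000] "POST /wp-admin/admin-ajax.php?action=abb_uninstall_template HTTP/1.1" 200 54 "-" "Mozilla/5.0"
198.51.100.7 - - [17/May/2022:10:02:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 81 "-" "Mozilla/5.0"
203.0.113.5 - - [17/May/2022:10:02:15 +0000] "GET /wp-admin/admin-ajax.php?action=abb_uninstall_template&_wpnonce=x HTTP/1.1" 200 54 "-" "Mozilla/5.0"
"""

# Combined-log format: client IP, ident, user, [timestamp], "METHOD URI PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# The AJAX action the article names as the entry point for CVE-2022-1654.
SUSPICIOUS_ACTIONS = {"abb_uninstall_template"}

def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def ajax_action(uri):
    """Return the admin-ajax 'action' query parameter, or None for non-AJAX requests.
    Only the query string is visible here; a body-only action is not observable in access logs."""
    parts = urlsplit(uri)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    return parse_qs(parts.query).get("action", [None])[0]

def find_uninstall_template_calls(log_text):
    """Return (ip, timestamp, method, status) for each request invoking a suspicious action."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and ajax_action(rec["uri"]) in SUSPICIOUS_ACTIONS:
            hits.append((rec["ip"], rec["ts"], rec["method"], int(rec["status"])))
    return hits

if __name__ == "__main__":
    for hit in find_uninstall_template_calls(SAMPLE_LOG):
        print("possible CVE-2022-1654 attempt:", hit)
```

A 200 response to such a request on an unpatched site warrants checking the users table for newly created or newly promoted administrators.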

WordPress plugins, which are frequently created by third-party developers, are notoriously buggy. Previous flaws discovered in plugins for the popular website-creation and -hosting platform allowed for site takeover, as well as allowing WordPress subscribers to completely wipe sites that did not belong to them, or attackers to forge emails to subscribers.

ZOFIXER recommends that anyone using the affected themes immediately update to the patched versions. You can also use the zofixer.com vulnerability scanner to check your website and use the Secure WordPress Package developed by the ZOFixer team.
