CVE-2022-1657

Vulnerable versions of the Jupiter (<= 6.10.1) and JupiterX (<= 2.0.6) Themes allow logged-in users, including subscriber-level users, to perform Path Traversal and Local File inclusion. In the JupiterX theme, the jupiterx_cp_load_pane_action AJAX action present in the lib/admin/control-panel/control-panel.php file calls the load_control_panel_pane function. It is possible to use this action to include any local PHP file via the slug parameter. The Jupiter theme has a nearly identical vulnerability which can be exploited via the mka_cp_load_pane_action AJAX action present in the framework/admin/control-panel/logic/functions.php file, which calls the mka_cp_load_pane_action function.

CVSS v3 8.8 HIGH
CVSS v2.0 6.5 MEDIUM

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.5^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://www.wordfence.com/blog/2022/05/critical-privilege-escalation-vulnerability-in-jupiter-and-jupiterx-premium-themes/	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:artbees:jupiter::::::wordpress::*
	cpe:2.3:a:artbees:jupiterx::::::wordpress::*

History

No history.

Information

Published : 2022-06-13 14:15

Updated : 2024-02-28 19:09

NVD link : CVE-2022-1657

Mitre link : CVE-2022-1657

CVE.ORG link : CVE-2022-1657

JSON object : View

Products Affected

artbees

jupiterx
jupiter

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2022-1657", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security@wordfence.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2022-06-13T14:15:08.363", "references": [{"url": "https://www.wordfence.com/blog/2022/05/critical-privilege-escalation-vulnerability-in-jupiter-and-jupiterx-premium-themes/", "tags": ["Exploit", "Third Party Advisory"], "source": "security@wordfence.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security@wordfence.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "Vulnerable versions of the Jupiter (<= 6.10.1) and JupiterX (<= 2.0.6) Themes allow logged-in users, including subscriber-level users, to perform Path Traversal and Local File inclusion. In the JupiterX theme, the jupiterx_cp_load_pane_action AJAX action present in the lib/admin/control-panel/control-panel.php file calls the load_control_panel_pane function. It is possible to use this action to include any local PHP file via the slug parameter. The Jupiter theme has a nearly identical vulnerability which can be exploited via the mka_cp_load_pane_action AJAX action present in the framework/admin/control-panel/logic/functions.php file, which calls the mka_cp_load_pane_action function."}, {"lang": "es", "value": "Las versiones vulnerables de los Temas Jupiter (versiones anteriores a 6.10.1 incluy\u00e9ndolas) y JupiterX (versiones anteriores a 2.0.6 incluy\u00e9ndola) permiten a usuarios con sesi\u00f3n iniciada, incluidos los de nivel de suscriptor, llevar a cabo un Salto de Ruta y una inclusi\u00f3n de Archivos Locales. En el tema JupiterX, la acci\u00f3n AJAX jupiterx_cp_load_pane_action presente en el archivo lib/admin/control-panel/control-panel.php llama a la funci\u00f3n load_control_panel_pane. Es posible usar esta acci\u00f3n para incluir cualquier archivo PHP local por medio del par\u00e1metro slug. El tema Jupiter presenta una vulnerabilidad casi id\u00e9ntica que puede ser explotada por medio de la acci\u00f3n AJAX mka_cp_load_pane_action presente en el archivo framework/admin/control-panel/logic/functions.php, que llama a la funci\u00f3n mka_cp_load_pane_action"}], "lastModified": "2022-06-21T21:03:27.767", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:artbees:jupiter:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "2F7E6A36-AA5B-4C62-8449-1F141489B34A", "versionEndIncluding": "6.10.1"}, {"criteria": "cpe:2.3:a:artbees:jupiterx:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "282102E1-EA82-4133-94C7-36FA05CDEE24", "versionEndIncluding": "2.0.6"}], "operator": "OR"}]}], "sourceIdentifier": "security@wordfence.com"}