Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
We’ve compiled a list of some important security updates and vulnerability patches for the WordPress ecosystem for May, 2022.
Critical Privilege Escalation Vulnerability in Jupiter and JupiterX Premium Themes
On May 10th, important security updates were released for the Jupiter and JupiterX premium themes, as well as the JupiterX Core WordPress plugin.
These updates patch a set of vulnerabilities originally reported by WordFence’s Threat Intelligence team which include insufficient access control, local file inclusion, information disclosure, and a critical privilege escalation vulnerability that allows any website user to become an admin.
Vulnerability: Privilege Escalation Affected Software: Jupiter Theme & JupiterX Core Plugin Patched Versions: Jupiter Theme 6.10.2 & JupiterX Core Plugin 2.0.8 Security Risk: Critical Exploitation Level: Easy CVE: CVE-2022-1656
This critical vulnerability leverages a lack of capability or nonce checks for the uninstallTemplate function normally used to reset a website after a template has been uninstalled.
Logged-in users on vulnerable websites running the Jupiter theme can send an AJAX request with the action parameter set to abb_uninstall_template, which calls the uninstallTemplate function — this then calls the resetWordpressDatabase function, reinstalls the website, and elevates the user to an administrator role.
Websites running vulnerable versions of the JupiterX core plugin will find the same functionality whenever a logged-in user sends an AJAX request with the action parameter set to jupiterx_core_cp_uninstall_template.
Vulnerability: Local File Inclusion & Authenticated Path Traversal Affected Software: Jupiter Theme & JupiterX Theme Patched Versions: Jupiter Theme 6.10.2 & JupiterX Theme 2.0.7 Security Risk: High Exploitation Level: Easy CVE: CVE-2022-1657
When exploited, this serious vulnerability allows an attacker to obtain privileged information or perform restricted actions from any location on a website.
Logged-in users on websites with vulnerable versions of the JupiterX theme can exploit the jupiterx_cp_load_pane_action AJAX action, which calls the load_control_panel_pane function and allows the user to include any local PHP files via the slug parameter.
Websites running vulnerable versions of the Jupiter theme will find the same functionality when users exploit the mka_cp_load_pane_action AJAX action, which calls the mka_cp_load_pane_action and also allows the inclusion of local PHP files.
Vulnerability: Insufficient Access Control Affected Software: Jupiter Theme Patched Versions: Jupiter Theme 6.10.2 Security Risk: Medium Exploitation Level: Easy CVE: CVE-2022-1658
This vulnerability allows any authenticated user to arbitrarily delete a plugin from a vulnerable site by exploiting the abb_remove_plugin AJAX action.
Vulnerability: Information Disclosure, Modification & Denial of Service Affected Software: JupiterX Core Plugin Patched Versions: JupiterX Core Plugin 2.0.7 Security Risk: Medium Exploitation Level: Easy CVE: CVE-2022-1659
This vulnerability allows an attacker to view logged-in users and website configuration files, modify post conditions, or perform a denial of service attack by exploiting the vulnerable jupiterx_conditional_manager AJAX action to call functions found in the includes/condition/class-condition-manager.php file.
CP Image Store with Slideshow: SQLi
Vulnerability: SQLi Affected Software: CP Image Store with Slideshow Plugin Patched Versions: CP Image Store with Slideshow 1.0.68 Security Risk: Medium Exploitation Level: Easy CVE: CVE-2022-1692
This vulnerability leverages the improperly sanitized and escaped ordering_by query parameter prior to use in SQL statements on pages where the plugin is embedded. Unauthenticated attackers are able to leverage this vulnerability to inject malicious SQL.
The School Management: Unauthenticated Remote Code Execution
Vulnerability: RCE Affected Software: The School Management Pro Plugin Patched Versions: The School Management 9.9.7 Security Risk: Critical Exploitation Level: Easy CVE: CVE-2022-1609
This vulnerability leverages a backdoor found within the plugins license-checking code which allows unauthenticated attackers to execute arbitrary PHP code on any websites where the plugin is installed. The free version of the plugin does not contain the licensing code and is not affected.
KiviCare – Unauthenticated SQLi
Vulnerability: SQLi Affected Software: KiviCare Plugin Patched Versions: KiviCare 2.3.9 Security Risk: Medium Exploitation Level: Easy CVE: CVE-2022-0786
This vulnerability leverages improperly sanitized and escaped parameters prior to use in SQL statements. Unauthenticated attackers are able to leverage this vulnerability to inject malicious SQL.
Users who are not able to update their software to the latest version are encouraged to employ a web application firewall to virtually patch these vulnerabilities and protect their website.
WordPress 6.0 Core Updates
A new core update for WordPress has been released which features nearly 1,000 enhancements and bug fixes. We strongly encourage you to keep your CMS patched with the latest core updates to mitigate risk.
Rodolfo Assis
Rianna MacLeod
Antony Garand
Fernando Barbosa
Krasimir Konov
Jose Martinez
Luke Leal
John Castro
Denis Sinegubko