Jupiter < 6.10.2 & JupiterX < 2.0.7 – Subscriber+ Path Traversal and Local File Inclusion | CVE 2022-1657 | Theme Vulnerabilities

Description

Any logged-in users, such as subscriber, can perform Path Traversal and Local File inclusion. In the JupiterX theme, the jupiterx_cp_load_pane_action AJAX action present in the lib/admin/control-panel/control-panel.php file calls the load_control_panel_pane function. It is possible to use this action to include any local PHP file via the slug parameter. The Jupiter theme has a nearly identical vulnerability which can be exploited via the mka_cp_load_pane_action AJAX action present in the framework/admin/control-panel/logic/functions.php file, which calls the mka_cp_load_pane_action function.

Affects Themes

Fixed in 2.0.7

Fixed in 6.10.2

References

CVE

URL

https://www.wordfence.com/blog/2022/05/critical-privilege-escalation-vulnerability-in-jupiter-and-jupiterx-premium-themes/

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Ramuel Gall

Verified

Yes

WPVDB ID

1d832899-68a2-4997-ba63-7d79986b7552

Timeline

Publicly Published

2022-05-18 (about 3 years ago)

Added

2022-05-18 (about 3 years ago)

Last Updated

2023-02-12 (about 3 years ago)

Other

Published

Title

Published

2024-02-26

Title

Restrict User Access – Ultimate Membership & Content Protection < 2.6 - Information Exposure

Published

2020-09-28

Title

WP Courses < 2.0.29 - Broken Access Controls leading to Courses Content Disclosure

Published

2015-07-15

Title

WP Attachment Export < 0.2.4 - Unauthenticated Posts Download

Published

2021-12-23

Title

Protect WP Admin < 3.6.2 - Unauthenticated Plugin Deactivation

Published

2024-05-14

Title

Password Protected < 2.6.7 - Missing Authorization to Sensitive Information Exposure