Jupiter < 6.10.2 & JupiterX Core < 2.0.8 – Subscriber+ Privilege Escalation and Post Deletion | CVE 2022-1654 | Plugin Vulnerabilities

Description

When the theme is installed, any logged-in user can elevate their privileges to an administrator by sending an AJAX request with the action parameter set to abb_uninstall_template. This calls the uninstallTemplate function, which calls the resetWordpressDatabase function, where the site is effectively reinstalled with the currently logged-in user as the new site owner.

When the plugin is installed, the same functionality can also be accessed by sending an AJAX request with the action parameter set to jupiterx_core_cp_uninstall_template.

Affects Plugins

Fixed in 2.0.8

Affects Themes

Fixed in 6.10.2

References

CVE

URL

https://www.wordfence.com/blog/2022/05/critical-privilege-escalation-vulnerability-in-jupiter-and-jupiterx-premium-themes/

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Ramuel Gall

Verified

Yes

WPVDB ID

ff094c7a-9d2c-447f-adf8-b87400f4dc5d

Timeline

Publicly Published

2022-05-18 (about 3 years ago)

Added

2022-05-18 (about 3 years ago)

Last Updated

2023-02-11 (about 3 years ago)

Other

Published

Title

Published

2022-01-03

Title

TrustMate.io integration for WooCommerce < 1.7.1 - Subscriber+ Arbitrary Blog Option Update

Published

2024-02-12

Title

Sunshine Photo Cart: Free Client Galleries for Photographers < 3.1 - Unauthenticated Sensitive Information Exposure via Invoice

Published

2025-08-28

Title

WP Hotel Booking < 2.2.3 - Subscriber+ Rating Manipulation

Published

2024-02-27

Title

WordPress Access Control <= 4.0.13 - Improper Access Control to Sensitive Information Exposure via REST API

Published

2021-06-30

Title

SEO Wizard <= 4.0.2 - Unauthorised AJAX Calls