CVE-2022-1657 - Path Traversal and Local File Inclusion in Jupiter and JupiterX WordPress Themes

The Jupiter and JupiterX WordPress themes are used by many websites for creating attractive and customizable designs. However, it has recently been discovered that vulnerable versions of these themes may be exposing websites to potential attacks. In this post, we'll provide an in-depth analysis of the vulnerability, CVE-2022-1657, including a detailed explanation of the affected code, links to original references, and information on how an attacker might exploit this weakness.

Exploit Details

Both the Jupiter and JupiterX themes have similar vulnerabilities that allow logged-in users (including those with subscriber-level access) to perform path traversal and local file inclusion attacks. This means that an attacker can potentially access sensitive data on the server or even execute their own malicious code.

In the JupiterX theme, the vulnerability exists within the jupiterx_cp_load_pane_action AJAX action present in the lib/admin/control-panel/control-panel.php file. This action calls the load_control_panel_pane function. An attacker can exploit this by using the slug parameter to include any local PHP file.

Here is the relevant code snippet from JupiterX:

add_action('wp_ajax_jupiterx_cp_load_pane_action', 'load_control_panel_pane');
function load_control_panel_pane() {
    $slug = sanitize_key($_POST['slug']);
    $name = str_replace('_', '-', $slug);
    include_once('page/' . $name . '.php');
}

The Jupiter theme suffers from a similar vulnerability, which can be exploited via the mka_cp_load_pane_action AJAX action present in the framework/admin/control-panel/logic/functions.php file. The action calls the mka_cp_load_pane_action function and the exploit works similarly to the one in JupiterX.

Here's the corresponding code snippet from Jupiter:

add_action('wp_ajax_mka_cp_load_pane_action', 'mka_cp_load_pane_action');
function mka_cp_load_pane_action() {
    $slug = sanitize_key($_POST['slug']);
    $name = str_replace('_', '-', $slug);
    include_once('page/' . $name . '.php');
}

As you can see, the two functions are almost identical, and both themes expose the same type of vulnerability.
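For comparison, here is one way such a pane loader can be hardened. This is an added example, not the vendor's patch or code from either theme. The function names, the pane names (home, settings, plugins), the nonce action and the choice of the manage_options capability are assumptions made for illustration.

```php
<?php
// Added example: allowlist + path containment + capability check.
// All example_* names, pane names and the nonce action are hypothetical.

/** Map a requested slug to a file inside $base_dir, or return null. */
function example_resolve_pane(string $slug, string $base_dir, array $allowed): ?string {
    // 1. Allowlist: the request selects from a fixed set, it never builds a path.
    if (!in_array($slug, $allowed, true)) {
        return null;
    }
    // 2. Defence in depth: the resolved file must still live under $base_dir.
    $base = realpath($base_dir);
    $file = realpath($base_dir . '/' . str_replace('_', '-', $slug) . '.php');
    if ($base === false || $file === false) {
        return null; // directory or pane file does not exist
    }
    if (strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // symlink or traversal escaped the pane directory
    }
    return $file;
}

function example_cp_load_pane_action(): void {
    // wp_ajax_* hooks fire for every logged-in user, subscribers included,
    // so the handler must check capability and nonce itself.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    check_ajax_referer('example_cp_pane', 'nonce');

    $raw  = $_POST['slug'] ?? '';
    $slug = is_string($raw) ? wp_unslash($raw) : '';
    $file = example_resolve_pane($slug, __DIR__ . '/page', ['home', 'settings', 'plugins']);
    if ($file === null) {
        wp_send_json_error('unknown pane', 400);
    }
    include_once $file;
    wp_die();
}

// Register only when WordPress is loaded, so the file also parses stand-alone.
if (function_exists('add_action')) {
    add_action('wp_ajax_example_cp_load_pane_action', 'example_cp_load_pane_action');
}
```

The resolver is plain PHP and can be unit-tested outside WordPress by calling example_resolve_pane() with slugs such as '../../wp-config' and confirming it returns null.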

Exploitation

An attacker could potentially use this vulnerability to include any local PHP file on the server, which could then lead to the execution of arbitrary PHP code. In some cases, this could even lead to complete system compromise if the attacker manages to escalate privileges.

References

For further information on this vulnerability and how to update your themes to prevent exploitation, see the following resources:

- WordPress Vulnerability Database - Jupiter Theme
- WordPress Vulnerability Database - JupiterX Theme

Conclusion

CVE-2022-1657 is a critical vulnerability affecting the widely-used Jupiter and JupiterX WordPress themes. It's crucial that website administrators update their theme installations as soon as possible to prevent potential attacks and protect their websites and users.

Timeline

Published on: 06/13/2022 14:15:00 UTC
Last modified on: 06/21/2022 21:03:00 UTC