CVE-2022-1657

JupiterX Theme <= 2.0.6 and Jupiter Theme <= 6.10.1 - Authenticated Path Traversal and Local File Inclusion

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

Vulnerable versions of the Jupiter (<= 6.10.1) and JupiterX (<= 2.0.6) Themes allow logged-in users, including subscriber-level users, to perform Path Traversal and Local File inclusion. In the JupiterX theme, the jupiterx_cp_load_pane_action AJAX action present in the lib/admin/control-panel/control-panel.php file calls the load_control_panel_pane function. It is possible to use this action to include any local PHP file via the slug parameter. The Jupiter theme has a nearly identical vulnerability which can be exploited via the mka_cp_load_pane_action AJAX action present in the framework/admin/control-panel/logic/functions.php file, which calls the mka_cp_load_pane_action function.

Las versiones vulnerables de los Temas Jupiter (versiones anteriores a 6.10.1 incluyéndolas) y JupiterX (versiones anteriores a 2.0.6 incluyéndola) permiten a usuarios con sesión iniciada, incluidos los de nivel de suscriptor, llevar a cabo un Salto de Ruta y una inclusión de Archivos Locales. En el tema JupiterX, la acción AJAX jupiterx_cp_load_pane_action presente en el archivo lib/admin/control-panel/control-panel.php llama a la función load_control_panel_pane. Es posible usar esta acción para incluir cualquier archivo PHP local por medio del parámetro slug. El tema Jupiter presenta una vulnerabilidad casi idéntica que puede ser explotada por medio de la acción AJAX mka_cp_load_pane_action presente en el archivo framework/admin/control-panel/logic/functions.php, que llama a la función mka_cp_load_pane_action

Vulnerable versions of the Jupiter and JupiterX Themes allow logged-in users, including subscriber-level users, to perform Path Traversal and Local File inclusion. In the JupiterX theme, the jupiterx_cp_load_pane_action AJAX action present in the lib/admin/control-panel/control-panel.php file calls the load_control_panel_pane function. It is possible to use this action to include any local PHP file via the slug parameter. The Jupiter theme has a nearly identical vulnerability which can be exploited via the mka_cp_load_pane_action AJAX action present in the framework/admin/control-panel/logic/functions.php file, which calls the mka_cp_load_pane_action function.

Jupiter Theme versions 6.10.1 and below as well as JupiterX Core plugin versions 2.0.7 and below suffer from privilege escalation and post deletion vulnerabilities. JupiterX Theme versions 2.0.6 and below as well as JupiterX Core versions 2.0.6 and below suffer from plugin deactivation and setting modification flaws. JupiterX Theme versions 2.0.6 and below as well as Jupiter Theme versions 6.10.1 and below suffer from path traversal and local file inclusion vulnerabilities. Jupiter Theme versions 6.10.1 and below suffer from an arbitrary plugin deletion vulnerability. JupiterX Core plugin versions 2.0.6 and below suffer from information disclosure, modification, and denial of service vulnerabilities.

*Credits: Ramuel Gall, Wordfence

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2022-05-10 CVE Reserved
2022-05-18 CVE Published
2025-02-13 CVE Updated
2025-02-13 First Exploit
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC
https://www.wordfence.com/blog/2022/05/critical-privilege-escalation-vulnerability-in-jupiter-and-jupiterx-premium-themes	2025-02-13

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Artbees Search vendor "Artbees"		Jupiter Search vendor "Artbees" for product "Jupiter"				<= 6.10.1 Search vendor "Artbees" for product "Jupiter" and version " <= 6.10.1"		wordpress		Affected
Artbees Search vendor "Artbees"		Jupiterx Search vendor "Artbees" for product "Jupiterx"				<= 2.0.6 Search vendor "Artbees" for product "Jupiterx" and version " <= 2.0.6"		wordpress		Affected