Critical Jupiter WordPress plugin flaws let hackers take over sites (Security News, May 2022)
WordPress security analysts have discovered a set of vulnerabilities impacting the Jupiter Theme and JupiterX Core plugins for WordPress, one of which is a critical privilege escalation flaw.
Jupiter is a powerful high-quality theme builder for WordPress sites used by over 90,000 popular blogs, online mags, and platforms that enjoy heavy user traffic.
The versions impacted by CVE-2022-1654 are Jupiter Theme version 6.10.1 and older, JupiterX Theme version 2.0.6 and older, and JupiterX Core Plugin version 2.0.7 and older.
The only way to address the security problems is to update to the latest available versions as soon as possible or deactivate the plugin and replace your site's theme.
- CVE-2022-1656: medium severity, arbitrary plugin deactivation and settings modification.
- CVE-2022-1658: medium severity, arbitrary plugin deletion.
Related vulnerabilities

DATE | CVE | VULNERABILITY TITLE | RISK
---|---|---|---
2022-06-13 | CVE-2022-1658 | Unspecified vulnerability in Artbees Jupiter 6.10.1: vulnerable versions of the Jupiter Theme (<= 6.10.1) allow arbitrary plugin deletion by any authenticated user, including users with the subscriber role, via the abb_remove_plugin AJAX action registered in the framework/admin/control-panel/logic/plugin-management.php file. | 5.4
2022-06-13 | CVE-2022-1654 | Unspecified vulnerability in Artbees Jupiter and Jupiterx: Jupiter Theme <= 6.10.1 and JupiterX Core Plugin <= 2.0.7 allow any authenticated attacker, including a subscriber- or customer-level attacker, to gain administrative privileges via the "abb_uninstall_template" (both) and "jupiterx_core_cp_uninstall_template" (JupiterX Core only) AJAX actions. | 8.8
2022-06-13 | CVE-2022-1656 | Unspecified vulnerability in Artbees Jupiter X Core and Jupiterx: vulnerable versions of the JupiterX Theme (<= 2.0.6) allow any logged-in user, including subscriber-level users, to access any of the functions registered in lib/api/api/ajax.php, which also grant access to the jupiterx_api_ajax_ actions registered by the JupiterX Core Plugin (<= 2.0.6). | 5.4
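All three rows share one root cause: admin-AJAX actions that any logged-in user, subscriber included, can reach. As an added example, not code from the Jupiter or JupiterX projects, here is a hypothetical WordPress AJAX handler for plugin deactivation written the way a reviewer would expect such an action to be guarded, with a nonce check and a capability check before anything privileged runs; the action name, nonce name, script handle and callback are assumptions.

```php
<?php
// Added example (hypothetical names). Pattern the advisories describe, kept
// here only as a comment: the callback is reachable by every logged-in user
// and nothing checks who they are or what they may do.
//
// add_action( 'wp_ajax_example_deactivate_plugin', function () {
//     deactivate_plugins( $_POST['plugin'] );
// } );

// Hardened form. Register under wp_ajax_* only (logged-in users); being
// logged in is still not an authorization decision, so the handler checks.
add_action( 'wp_ajax_example_deactivate_plugin', 'example_deactivate_plugin_handler' );

function example_deactivate_plugin_handler() {
    // 1. CSRF: the request must carry a nonce issued for this exact action.
    //    check_ajax_referer() terminates the request with -1 on failure.
    check_ajax_referer( 'example_deactivate_plugin', 'nonce' );

    // 2. Authorization: a subscriber passes is_user_logged_in() but does not
    //    hold activate_plugins, the capability WordPress uses for (de)activation.
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // 3. Validate input against the set of installed plugins before acting.
    $plugin    = isset( $_POST['plugin'] ) ? sanitize_text_field( wp_unslash( $_POST['plugin'] ) ) : '';
    $installed = get_plugins(); // keys are "dir/file.php" plugin slugs
    if ( '' === $plugin || ! array_key_exists( $plugin, $installed ) ) {
        wp_send_json_error( array( 'message' => 'Unknown plugin.' ), 400 );
    }
    if ( ! is_plugin_active( $plugin ) ) {
        wp_send_json_error( array( 'message' => 'Plugin is not active.' ), 409 );
    }

    // 4. Only now perform the privileged operation.
    deactivate_plugins( $plugin );
    wp_send_json_success( array( 'deactivated' => $plugin ) );
}

// The nonce is issued server-side to the admin page's script (handle assumed
// to be registered elsewhere), so a request without it fails step 1.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_deactivate_plugin' ),
    ) );
} );
```

When auditing a theme or plugin for this bug class, grep every wp_ajax_ and wp_ajax_nopriv_ registration and confirm each callback performs both the nonce check and a current_user_can() check appropriate to what it does.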