CVE-2022-1656

Published: Jun 13, 2022Modified: Nov 21, 2024

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.5

Source: NVD

Description

Vulnerable versions of the JupiterX Theme (<=2.0.6) allow any logged-in user, including subscriber-level users, to access any of the functions registered in lib/api/api/ajax.php, which also grant access to the jupiterx_api_ajax_ actions registered by the JupiterX Core Plugin (<=2.0.6). This includes the ability to deactivate arbitrary plugins as well as update the theme’s API key.

Affected (2)

Products: Artbees: Jupiter X Core, Jupiterx

2 products

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Artbees Jupiter X Core	Up to 2.0.6
Artbees Jupiterx	Up to 2.0.6

Related CWEs

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (2)

https://www.wordfence.com/blog/2022/05/critical-privilege-escalation-vulnerability-in-jupiter-and-jupiterx-premium-themes/

Source: security@wordfence.com

Third Party Advisory

https://www.wordfence.com/blog/2022/05/critical-privilege-escalation-vulnerability-in-jupiter-and-jupiterx-premium-themes/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.