Jupiter Plugin Flaws Enable Hackers to Hijack Websites

This article has been indexed from

CySecurity News – Latest Information Security and Hacking Incidents


According to WordPress security researchers, the Jupiter Theme and JupiterX Core plugins for the WordPress content management system contain several vulnerabilities, among them a major privilege escalation issue.
Privilege escalation is an attack technique in which an actor exploits an application or operating system flaw, or a configuration error, to obtain rights that would otherwise be unavailable to the current user. With those rights, a hostile actor can perform a variety of actions on the operating system or server, such as executing commands or assisting a malware infection within the network, which can result in business disruption, sensitive data exposure, or system takeover. In each case the privilege boundary is violated.
As per the source, “This vulnerability allows any authenticated attacker, including a subscriber or customer-level attacker, to gain administrative privileges and completely take over any site running either the Jupiter Theme or JupiterX Core Plugin. The JupiterX Core plugin is required for the JupiterX theme. The classic Jupiter Theme contains a function, uninstallTemplate, which is intended to reset a site after a template is uninstalled, but has the additional effect of elevating the user calling the function to an administrator role. In JupiterX, this functionality has been migrated to the JupiterX Core plugin. Vulnerable versions register AJAX actions but do not perform any capability checks or nonce ch
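The quoted description boils down to an AJAX action that elevates the caller without a capability check or a nonce check. The following is an added example, hypothetical code and not the Jupiter or JupiterX source, of how such a "reset after uninstall" handler should be written in a WordPress plugin, plus a logging hook a defender can use to notice an unexpected promotion to administrator; the action names, option name and nonce name are assumptions.

```php
<?php
// Hypothetical hardened AJAX handler (added example, not JupiterX code).
// Registered only for logged-in users (no wp_ajax_nopriv_ variant), and it
// must never change roles, even though a reset action may need to touch
// other site state.
add_action( 'wp_ajax_example_reset_template', 'example_reset_template_handler' );

function example_reset_template_handler() {
    // 1. Nonce check: rejects forged requests riding on a logged-in victim.
    //    The page issues the nonce with wp_create_nonce( 'example_reset_template' ).
    check_ajax_referer( 'example_reset_template', 'nonce' );

    // 2. Capability check: only users who may manage site options can reset.
    //    A subscriber- or customer-level account stops here with a 403.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // 3. Do only the intended work. Nothing in this function touches user roles.
    delete_option( 'example_active_template' ); // assumed option name

    wp_send_json_success( array( 'message' => 'Template settings reset.' ) );
}

// Detection aid: WordPress fires 'set_user_role' whenever a role is assigned.
// Log every promotion to administrator so one caused by an unchecked action
// shows up in the error log with the acting user and the AJAX action name.
add_action( 'set_user_role', 'example_log_admin_promotion', 10, 3 );

function example_log_admin_promotion( $user_id, $role, $old_roles ) {
    $old_roles = (array) $old_roles;
    if ( 'administrator' === $role && ! in_array( 'administrator', $old_roles, true ) ) {
        error_log( sprintf(
            'Role change: user %d promoted to administrator (was: %s) by user %d via action "%s"',
            $user_id,
            implode( ',', $old_roles ),
            get_current_user_id(),
            isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : 'n/a'
        ) );
    }
}
```

A handler that omits steps 1 and 2 is reachable by any authenticated account, which is the shape of the flaw the quote describes.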


