Jupiter X Core WordPress plugin could let hackers hijack sites - BleepingComputer
2023-08-24 12:58 (EST)
Two vulnerabilities affecting some version of Jupiter X Core, a premium plugin for setting up WordPress and WooCommerce websites, allow hijacking accounts and uploading files without authentication.
Jupiter X Core is an easy-to-use yet powerful visual editor, part of the Jupiter X theme, which is used in over 172,000 websites.
Rafie Muhammad, an analyst at WordPress security company Patchstack, discovered the two critical vulnerabilities and reported them to ArtBee, the developer of Jupiter X Core, who addressed the issues earlier this month.
Flaw details
The first vulnerability is identified as CVE-2023-38388 and allows uploading files without authentication, which could lead to executing arbitrary code on the server.
The security problem has received a severity score of 9.0 and impacts all JupiterX Core versions starting 3.3.5 below. The developer fixed the problem in version 3.3.8 of the plugin.
CVE-2023-38388 can be exploited because there are no authentication checks within the plugins upload_files function, which can be called from the frontend by anyone.
The vendors patch adds a check for the function and also activates a second check to prevent uploading risky file types.
Implemented file upload checks (Patchstack)
The second vulnerability, CVE-2023-38389, allows unauthenticated attackers to take control of any WordPress user account on the condition that they know the email address. It received a critical severity rating of 9.8 and impacts all versions of Jupiter X Core starting from 3.3.8 and below.
ArtBees fixed the problem on August 9 by releasing version 3.4.3. All users of the plugin are recommended to update the component to the latest release.
Rafie Muhammad explains that the underlying problem was that the ajax_handler function in the Facebook login process of the plugin allowed an unauthenticated user to set any WordPress users social-media-user-facebook-id meta with any value through the set_user_facebook_id function.
As this meta value is used for user authentication in WordPress, an attacker can abuse it to authenticate as any registered user on the site, including administrators, as long as they use the correct email address.
ArtBees solution is to fetch the required email address and unique user ID directly from Facebooks authentication endpoint, ensuring the legitimacy of the login process.
Part of the revamped Facebook login process (Patchstack)
Users of the JupiterX Core plugin are recommended to upgrade to version 3.4.3 as soon as possible to mitigate the severe risks posed by the two vulnerabilities.
At the time of writing we could not find any public reports about the two vulnerabilities being exploited in the wild.
