Two critical vulnerabilities, CVE-2024-7772 and CVE-2024-7781, have been identified in the Jupiter X Core plugin, which is widely used on over 90,000 WordPress sites. These flaws allow for unauthenticated remote code execution and user account hijacking, including administrator accounts. If exploited, attackers could gain full control over a site or impersonate users, posing severe security and privacy risks.
Vulnerability IDs: CVE-2024-7772 & CVE-2024-7781
Severity: Critical (CVSS 9.8 for CVE-2024-7772)
Affected Software: Jupiter X Core Plugin for WordPress
Patched Version: 4.7.8
Date of Discovery: September 26, 2024
Reported by: Geo Void via Wordfence Bug Bounty Program
Technical Details
CVE-2024-7772: Arbitrary File Upload and Remote Code Execution (RCE)
- Type: Arbitrary File Upload
- Severity: Critical (CVSS 9.8)
- Vector: Network (Unauthenticated)
- Description: This flaw stems from insufficient file type validation, allowing attackers to upload malicious files that execute arbitrary code on the server, enabling full remote control of the compromised website.
CVE-2024-7781: Authentication Bypass and Account Takeover
- Type: Authentication Bypass
- Severity: High
- Vector: Network (Unauthenticated)
- Description: Due to improper handling in the Social Login widget, an attacker can log in as the first user who registered with social media credentials, even if Social Login has been disabled. This flaw allows unauthorized access to user accounts, including privileged administrator accounts.
Impact Analysis
If these vulnerabilities are exploited, attackers can achieve the following:
- Complete Site Takeover (CVE-2024-7772): Execute arbitrary code, modify files, delete data, and potentially inject malware or phishing pages.
- User Account Hijacking (CVE-2024-7781): Unauthorized access to user accounts, potentially escalating to administrative control and compromising sensitive user data.
Due to the severity of these vulnerabilities and the high risk of unauthenticated exploitation, Jupiter X Core plugin users face a significant security threat if they do not apply the patch immediately.
Mitigation Recommendations
Immediate Actions:
- Update the Jupiter X Core Plugin: All users should upgrade to version 4.7.8, which patches both vulnerabilities.
- Review Social Login Configuration: Ensure that all social login settings align with security best practices.
Additional Recommendations:
- Web Application Firewall (WAF): Employ a WAF to detect and block arbitrary file uploads and suspicious login attempts.
- Access Control: Regularly audit admin and user accounts for suspicious activity and enforce multi-factor authentication (MFA) where possible.
Long-term Hardening:
- Regular Plugin Security Audits: Conduct periodic reviews of plugins for vulnerabilities and disable any unnecessary features.
- File System Permissions: Limit permissions on sensitive files and directories to minimize the risk of unauthorized file uploads.
Proof of Concept (PoC)
Geo Void has published technical details on both vulnerabilities. PoCs demonstrate how attackers could exploit improper file validation for arbitrary code execution or bypass authentication by manipulating the Social Login widget, even when it is disabled. Full PoCs are available through responsible disclosure channels.
Action Required: Immediate update to version 4.7.8 of the Jupiter X Core plugin is essential to protect against these critical vulnerabilities.
