CVE-2022-1656 Information

Description

Vulnerable versions of the JupiterX Theme (<=2.0.6) allow any logged-in user including subscriber-level users to access any of the functions registered in lib/api/api/ajax.php which also grant access to the jupiterx_api_ajax_ actions registered by the JupiterX Core Plugin (<=2.0.6). This includes the ability to deactivate arbitrary plugins as well as update the theme’s API key.

Reference

https://www.wordfence.com/blog/2022/05/critical-privilege-escalation-vulnerability-in-jupiter-and-jupiterx-premium-themes/