vulnerability
WordPress Theme: jupiterx: CVE-2022-1657: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:N/AC:L/Au:S/C:P/I:P/A:P) | May 18, 2022 | Dec 8, 2025 | Dec 8, 2025 |
Severity
7
CVSS
(AV:N/AC:L/Au:S/C:P/I:P/A:P)
Published
May 18, 2022
Added
Dec 8, 2025
Modified
Dec 8, 2025
Description
Vulnerable versions of the Jupiter and JupiterX Themes allow logged-in users, including subscriber-level users, to perform Path Traversal and Local File inclusion. In the JupiterX theme, the jupiterx_cp_load_pane_action AJAX action present in the lib/admin/control-panel/control-panel.php file calls the load_control_panel_pane function. It is possible to use this action to include any local PHP file via the slug parameter. The Jupiter theme has a nearly identical vulnerability which can be exploited via the mka_cp_load_pane_action AJAX action present in the framework/admin/control-panel/logic/functions.php file, which calls the mka_cp_load_pane_action function.
Solution
jupiterx-theme-cve-2022-1657
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.