Description
The Jupiter X Core plugin for WordPress is vulnerable to limited file uploads due to missing authorization on the import_popup_templates() function as well as insufficient file type validation in the upload_files() function in all versions up to, and including, 4.14.1. This makes it possible for authenticated attackers with Subscriber-level access and above to upload files with dangerous types that can lead to Remote Code Execution on servers configured to handle .phar files as executable PHP (e.g., Apache+mod_php), or Stored Cross-Site Scripting via .svg, .dfxp, or .xhtml file upload on any server configuration.
Published: 2026-03-23
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution via file upload
Action: Immediate patch
AI Analysis

Impact

A missing authorization check in the import_popup_templates function and insufficient file type validation in the upload_files function allow an authenticated user with Subscriber-level access or higher to upload files that the WordPress server may treat as executable code. Uploading a .phar file could trigger PHP execution if the server handles .phar files as PHP scripts, while uploading SVG, DFXP, or XHTML files may lead to stored cross‑site scripting. This flaw, identified as CWE‑434, exposes the site to significant confidentiality, integrity, and availability risks.

Affected Systems

The vulnerability affects the Jupiter X Core plugin for WordPress, produced by artbees, in all released versions up to and including 4.14.1. No other product or version is currently listed as impacted.

Risk and Exploitability

The vulnerability scores a high CVSS of 8.8, indicating considerable severity, and it is not listed in the CISA KEV catalog. Exploitation requires authentication and a Subscriber or higher role; after gaining upload privileges, an attacker can place a malicious file near the web root or in a location served by the server. If the server auto‑executes .phar files or renders .svg/.xhtml files without sanitization, code execution or XSS can be achieved. The attack path is straightforward for anyone with subscriber access who is not already restricted by the site’s configuration.

Generated by OpenCVE AI on March 24, 2026 at 04:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the installed version of the Jupiter X Core plugin. If it is 4.14.1 or earlier, plan an upgrade to the latest release that includes the vulnerability fix.
  • If an immediate upgrade is not possible, disable the import_popup_templates feature through the plugin settings or by removing the associated code from the plugin files, and consider disabling the form upload handler.
  • Implement server‑side file‑type restrictions to block uploads of .phar, .svg, .dfxp, and .xhtml files, or configure the web server to serve these files as static assets and prevent execution.
  • Monitor the WordPress security forums and the plugin’s update channel for any new advisories or patch releases.
  • Consider removing the Jupiter X Core plugin if the website no longer requires its functionality, to eliminate the risk entirely.
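An added audit helper, not part of the OpenCVE record or the plugin vendor's code, that an operator could run against a WordPress uploads directory to find files of the types named in this advisory and flag the markup files (.svg, .dfxp, .xhtml) that carry script or event-handler content. The extension list comes from the advisory; the active-content patterns, the 64 KiB read limit and the sample inputs are constructed assumptions.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# Extensions named in the advisory, grouped by the outcome they enable.
EXECUTABLE_EXTS = {".phar"}                 # may run as PHP under Apache+mod_php
MARKUP_EXTS = {".svg", ".dfxp", ".xhtml"}   # rendered inline by browsers -> stored XSS

# Constructed heuristics for active content in XML-based markup; not exhaustive.
ACTIVE_CONTENT = re.compile(
    rb"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:|<\s*foreignObject\b|<\s*iframe\b",
    re.IGNORECASE,
)


@dataclass
class Finding:
    path: str
    category: str   # "executable" or "markup"
    active: bool    # True when the file can execute or script on its own


def classify_upload(path: str, content: bytes) -> Optional[Finding]:
    """Return a Finding when the file's extension is one the advisory names, else None.

    Extension matching is case-insensitive so 'logo.SVG' is not missed.
    """
    ext = os.path.splitext(path)[1].lower()
    if ext in EXECUTABLE_EXTS:
        return Finding(path, "executable", True)
    if ext in MARKUP_EXTS:
        return Finding(path, "markup", bool(ACTIVE_CONTENT.search(content)))
    return None


def audit_uploads(root: str) -> List[Finding]:
    """Walk an uploads tree (e.g. wp-content/uploads) and collect findings."""
    findings: List[Finding] = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                head = fh.read(65536)   # assumption: active content sits near the top
            finding = classify_upload(full, head)
            if finding is not None:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    import sys
    for f in audit_uploads(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{f.category:<10} active={f.active!s:<5} {f.path}")
```

Findings with `category == "executable"` or `active == True` are the ones to pull from the web root first; a clean `.svg` still warrants the static-asset or `Content-Disposition: attachment` handling listed above, since the heuristic can miss obfuscated payloads.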

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 14:15:00 +0000

Type     | Values Removed | Values Added
Metrics  | (none)         | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 10:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared | (none)         | Artbees; Artbees jupiter X Core; Wordpress; Wordpress wordpress
Vendors & Products  | (none)         | Artbees; Artbees jupiter X Core; Wordpress; Wordpress wordpress

Tue, 24 Mar 2026 02:30:00 +0000

Type        | Values Removed | Values Added
Description | (none)         | The Jupiter X Core plugin for WordPress is vulnerable to limited file uploads due to missing authorization on import_popup_templates() function as well as insufficient file type validation in the upload_files() function in all versions up to, and including, 4.14.1. This makes it possible for Authenticated attackers with Subscriber-level access and above, to upload files with dangerous types that can lead to Remote Code Execution on servers configured to handle .phar files as executable PHP (e.g., Apache+mod_php), or Stored Cross-Site Scripting via .svg, .dfxp, or .xhtml files upload on any server configuration
Title       | (none)         | JupiterX Core <= 4.14.1 - Authenticated (Subscriber+) Missing Authorization To Limited File Upload via Popup Template Import
Weaknesses  | (none)         | CWE-434
References  |                |
Metrics     | (none)         | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:00:24.847Z

Reserved: 2026-03-04T17:02:05.798Z

Link: CVE-2026-3533

Vulnrichment

Updated: 2026-03-24T13:34:01.015Z

NVD

Status: Awaiting Analysis

Published: 2026-03-24T00:16:30.867

Modified: 2026-03-24T15:53:48.067

Link: CVE-2026-3533

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:36:03Z

Weaknesses