Description
Subscriber Cross Site Scripting (XSS) in JupiterX Core <= 4.14.1 versions.
Published: 2026-06-15
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

JupiterX Core plugin versions up to 4.14.1 contain a Subscriber Cross Site Scripting flaw. The vulnerability permits the injection of malicious scripts into subscriber‑related content, potentially causing unintended JavaScript execution in browsers that view that data. Unlike a purely reflected XSS, the attack likely targets data stored or displayed to site users, which could lead to cookie theft, session hijacking, or defacement of the site. Based on the description, the attacker may need access to the WordPress administration interface to inject the payload, although the exact exploitation path is not detailed in the data and is therefore inferred.

Affected Systems

WordPress sites that have the Artbees JupiterX Core plugin installed, particularly those on or below version 4.14.1. This includes any WordPress deployment that uses the plugin to manage or display subscriber information.

Risk and Exploitability

The CVSS score of 6.5 classifies the flaw as having moderate severity, while the EPSS score of less than 1% indicates a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, which suggests it is not a widely exploited or prioritized threat. Nonetheless, because the flaw involves client‑side script execution, it can give an attacker a foothold in the browsers of site visitors or administrators if the plugin allows arbitrary input. The risk is mitigated primarily by applying the vendor’s fix, but the moderate score underlines the importance of addressing it without delay.

Generated by OpenCVE AI on June 16, 2026 at 20:47 UTC.

Remediation

Vendor Solution

Update the WordPress JupiterX Core Plugin to the latest available version (at least 4.14.2).


OpenCVE Recommended Actions

  • Upgrade the JupiterX Core plugin to version 4.14.2 or later, which contains the authoritative fix
  • Ensure that any subscriber‑related pages or emails are inspected for unexpected script tags or malicious content after the update
  • Monitor WordPress logs for signs of attempted script injection or abnormal subscriber data usage, and consider temporarily disabling subscription features if the update cannot be applied immediately
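The second recommended action above, inspecting subscriber-related content for unexpected script tags, is easy to automate once the data has been exported. The following is an added example written for this page; it is not OpenCVE's or Artbees' code and it does not know anything about JupiterX Core's internal storage. It assumes the subscriber records have been exported as a list of Python dicts (for instance from the WordPress users table or a CSV export) with the field names used below, which are assumptions, and it flags fields whose values contain markup, inline event-handler attributes or script-scheme URLs, the stored-XSS indicators that map to CWE-79. Entity-encoded values are decoded first so that `&lt;script&gt;` is not missed.

```python
"""Flag stored-XSS indicators (CWE-79) in exported subscriber records.

Added example for this advisory page, not plugin or OpenCVE code.
Assumption: records are dicts with the subscriber fields named in
SUBSCRIBER_FIELDS; adapt the tuple to the real export.
"""
import html
import re

# Indicator patterns: cheap heuristics, chosen for recall over precision.
# Review hits by hand; the event-handler and data: patterns can misfire on
# ordinary prose such as "Onion = 3" or "Data: 2024".
SUSPICIOUS = {
    "html_tag": re.compile(r"<\s*/?\s*[a-z][a-z0-9-]*", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "script_scheme": re.compile(r"\b(?:javascript|vbscript|data)\s*:", re.I),
}

# Hypothetical field names for a subscriber export (assumption).
SUBSCRIBER_FIELDS = ("display_name", "email", "url", "description")


def _normalise(value):
    """Decode HTML entities repeatedly so double-encoded payloads surface."""
    text = str(value)
    for _ in range(3):
        decoded = html.unescape(text)
        if decoded == text:
            break
        text = decoded
    return text


def indicators(value):
    """Return the sorted list of indicator names that match a field value."""
    text = _normalise(value)
    return sorted(name for name, pat in SUSPICIOUS.items() if pat.search(text))


def scan_records(records, fields=SUBSCRIBER_FIELDS):
    """Scan each record's subscriber fields; return one finding per hit."""
    findings = []
    for rec in records:
        for field in fields:
            if field not in rec:
                continue
            hits = indicators(rec[field])
            if hits:
                findings.append({
                    "id": rec.get("id"),
                    "field": field,
                    "indicators": hits,
                    # Truncate so a long payload does not flood the report.
                    "value": str(rec[field])[:80],
                })
    return findings


# Constructed sample export: one clean record and three that should be flagged.
SAMPLE_RECORDS = [
    {"id": 1, "display_name": "Alice Example", "email": "alice@example.test",
     "url": "https://example.test/alice", "description": "Likes hiking."},
    {"id": 2, "display_name": "Bob <script>alert(1)</script>",
     "email": "bob@example.test", "url": "", "description": ""},
    {"id": 3, "display_name": "Carol", "email": "carol@example.test",
     "url": "javascript:alert(1)", "description": ""},
    {"id": 4, "display_name": "Dave", "email": "dave@example.test",
     "url": "", "description": "&lt;img src=x onerror=alert(1)&gt;"},
]


if __name__ == "__main__":
    for finding in scan_records(SAMPLE_RECORDS):
        print(f"record {finding['id']} field {finding['field']}: "
              f"{', '.join(finding['indicators'])} -> {finding['value']!r}")
```

Run it against a real export after the upgrade to 4.14.2; any hit is worth a manual look, since a flagged value is either an injected payload that survived in the database or a legitimate value that needs to be output-escaped by whatever renders it.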



Advisories

No advisories yet.

History

Tue, 16 Jun 2026 15:30:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 06:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Artbees; Artbees jupiter X Core; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Artbees; Artbees jupiter X Core; Wordpress; Wordpress wordpress

Mon, 15 Jun 2026 20:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: Subscriber Cross Site Scripting (XSS) in JupiterX Core <= 4.14.1 versions.

Type: Title
Values Removed: (none)
Values Added: WordPress JupiterX Core plugin <= 4.14.1 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added: (empty)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Artbees Jupiter X Core
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T14:35:13.188Z

Reserved: 2026-04-07T10:47:37.759Z

Link: CVE-2026-39491

Vulnrichment

Updated: 2026-06-16T14:30:16.262Z

NVD

Status: Deferred

Published: 2026-06-15T21:16:44.740

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-39491

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T21:00:12Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')