{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3533", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-04T17:02:05.798Z", "datePublished": "2026-03-23T23:25:49.341Z", "dateUpdated": "2026-04-08T17:00:24.847Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:00:24.847Z"}, "affected": [{"vendor": "artbees", "product": "Jupiter X Core", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.14.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Jupiter X Core plugin for WordPress is vulnerable to limited file uploads due to missing authorization on import_popup_templates() function as well as insufficient file type validation in the upload_files() function in all versions up to, and including, 4.14.1. This makes it possible for Authenticated attackers with Subscriber-level access and above, to upload files with dangerous types that can lead to Remote Code Execution on servers configured to handle .phar files as executable PHP (e.g., Apache+mod_php), or Stored Cross-Site Scripting via .svg, .dfxp, or .xhtml files upload on any server configuration"}], "title": "JupiterX Core <= 4.14.1 - Authenticated (Subscriber+) Missing Authorization To Limited File Upload via Popup Template Import", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/70bc5247-525d-4aae-9d66-efd65c9beee3?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/jupiterx-core/trunk/includes/control-panel-2/includes/class-popup.php?rev=3430169#138"}, {"url": "https://plugins.trac.wordpress.org/browser/jupiterx-core/trunk/includes/extensions/raven/includes/modules/forms/fields/file.php?rev=3430169#L214"}, {"url": "https://plugins.trac.wordpress.org/browser/jupiterx-core/trunk/includes/extensions/raven/includes/modules/forms/classes/ajax-handler.php?rev=3430169#L434"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "cweId": "CWE-434", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jack Pas"}], "timeline": [{"time": "2026-02-21T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-03-11T14:23:46.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-23T10:26:58.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T13:33:50.980187Z", "id": "CVE-2026-3533", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T13:34:06.899Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3533", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-24T13:33:50.980187Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T13:34:01.015Z"}}], "cna": {"title": "JupiterX Core <= 4.14.1 - Authenticated (Subscriber+) Missing Authorization To Limited File Upload via Popup Template Import", "credits": [{"lang": "en", "type": "finder", "value": "Jack Pas"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "artbees", "product": "Jupiter X Core", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.14.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-21T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-03-11T14:23:46.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-23T10:26:58.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/70bc5247-525d-4aae-9d66-efd65c9beee3?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/jupiterx-core/trunk/includes/control-panel-2/includes/class-popup.php?rev=3430169#138"}, {"url": "https://plugins.trac.wordpress.org/browser/jupiterx-core/trunk/includes/extensions/raven/includes/modules/forms/fields/file.php?rev=3430169#L214"}, {"url": "https://plugins.trac.wordpress.org/browser/jupiterx-core/trunk/includes/extensions/raven/includes/modules/forms/classes/ajax-handler.php?rev=3430169#L434"}], "descriptions": [{"lang": "en", "value": "The Jupiter X Core plugin for WordPress is vulnerable to limited file uploads due to missing authorization on import_popup_templates() function as well as insufficient file type validation in the upload_files() function in all versions up to, and including, 4.14.1. This makes it possible for Authenticated attackers with Subscriber-level access and above, to upload files with dangerous types that can lead to Remote Code Execution on servers configured to handle .phar files as executable PHP (e.g., Apache+mod_php), or Stored Cross-Site Scripting via .svg, .dfxp, or .xhtml files upload on any server configuration"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:00:24.847Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3533", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:00:24.847Z", "dateReserved": "2026-03-04T17:02:05.798Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-23T23:25:49.341Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Jupiter X Core plugin for WordPress is vulnerable to limited file uploads due to missing authorization on import_popup_templates() function as well as insufficient file type validation in the upload_files() function in all versions up to, and including, 4.14.1. This makes it possible for Authenticated attackers with Subscriber-level access and above, to upload files with dangerous types that can lead to Remote Code Execution on servers configured to handle .phar files as executable PHP (e.g., Apache+mod_php), or Stored Cross-Site Scripting via .svg, .dfxp, or .xhtml files upload on any server configuration"}, {"lang": "es", "value": "El plugin Jupiter X Core para WordPress es vulnerable a cargas de archivos limitadas debido a la falta de autorizaci\u00f3n en la funci\u00f3n import_popup_templates() as\u00ed como a una validaci\u00f3n insuficiente del tipo de archivo en la funci\u00f3n upload_files() en todas las versiones hasta la 4.14.1, inclusive. Esto hace posible que atacantes autenticados con acceso de nivel Suscriptor y superior, carguen archivos con tipos peligrosos que pueden conducir a la ejecuci\u00f3n remota de c\u00f3digo en servidores configurados para manejar archivos .phar como PHP ejecutable (por ejemplo, Apache+mod_php), o a cross-site scripting almacenado a trav\u00e9s de la carga de archivos .svg, .dfxp o .xhtml en cualquier configuraci\u00f3n de servidor."}], "id": "CVE-2026-3533", "lastModified": "2026-04-24T16:32:53.997", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-24T00:16:30.867", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/jupiterx-core/trunk/includes/control-panel-2/includes/class-popup.php?rev=3430169#138"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/jupiterx-core/trunk/includes/extensions/raven/includes/modules/forms/classes/ajax-handler.php?rev=3430169#L434"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/jupiterx-core/trunk/includes/extensions/raven/includes/modules/forms/fields/file.php?rev=3430169#L214"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/70bc5247-525d-4aae-9d66-efd65c9beee3?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Jupiter X Core", "source": "cna", "vendor": "artbees"}, "product": "jupiter_x_core", "vendor": "artbees"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-24T04:06:58.061100+00:00", "value": {"mitigation_remediation": ["Verify the installed version of the Jupiter X Core plugin. If it is 4.14.1 or earlier, plan an upgrade to the latest release that includes the vulnerability fix.", "If an immediate upgrade is not possible, disable the import_popup_templates feature through the plugin settings or by removing the associated code from the plugin files, and consider disabling the form upload handler.", "Implement server\u2011side file\u2011type restrictions to block uploads of .phar, .svg, .dfxp, and .xhtml files, or configure the web server to serve these files as static assets and prevent execution.", "Monitor the WordPress security forums and the plugin\u2019s update channel for any new advisories or patch releases.", "Consider removing the Jupiter X Core plugin if the website no longer requires its functionality, to eliminate the risk entirely."], "summary": {"action": "Immediate patch", "impact": "Remote code execution via file upload"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Jupiter X Core plugin for WordPress, produced by artbees, in all released versions up to and including 4.14.1. No other product or version is currently listed as impacted.", "description_and_impact": "A missing authorization check in the import_popup_templates function and insufficient file type validation in the upload_files function allow an authenticated user with Subscriber-level access or higher to upload files that the WordPress server may treat as executable code. Uploading a .phar file could trigger PHP execution if the server handles .phar files as PHP scripts, while uploading SVG, DFXP, or XHTML files may lead to stored cross\u2011site scripting. This flaw, identified as CWE\u2011434, exposes the site to significant confidentiality, integrity, and availability risks.", "risk_and_exploitability": "The vulnerability scores a high CVSS of 8.8, indicating considerable severity, and it is not listed in the CISA KEV catalog. Exploitation requires authentication and a Subscriber or higher role; after gaining upload privileges, an attacker can place a malicious file near the web root or in a location served by the server. If the server auto\u2011executes .phar files or renders .svg/.xhtml files without sanitization, code execution or XSS can be achieved. The attack path is straightforward for anyone with subscriber access who is not already restricted by the site\u2019s configuration."}}}}, "created": "2026-03-24T10:29:55.805151+00:00", "updated": "2026-03-25T20:36:03.315064+00:00", "vendors": ["artbees", "artbees$PRODUCT$jupiter_x_core", "wordpress", "wordpress$PRODUCT$wordpress"]}