CVE-2026-3533: CWE-434 Unrestricted Upload of File with Dangerous Type in artbees Jupiter X Core
The Jupiter X Core plugin for WordPress is vulnerable to limited file uploads due to missing authorization on import_popup_templates() function as well as insufficient file type validation in the upload_files() function in all versions up to, and including, 4.14.1. This makes it possible for Authenticated attackers with Subscriber-level access and above, to upload files with dangerous types that can lead to Remote Code Execution on servers configured to handle .phar files as executable PHP (e.g., Apache+mod_php), or Stored Cross-Site Scripting via .svg, .dfxp, or .xhtml files upload on any server configuration
AI Analysis
Technical Summary
The Jupiter X Core plugin for WordPress suffers from a CWE-434 vulnerability involving unrestricted upload of files with dangerous types. The import_popup_templates() function lacks proper authorization checks, and the upload_files() function does not sufficiently validate file types. Authenticated attackers with at least Subscriber privileges can exploit this to upload malicious files. On servers configured to treat .phar files as executable PHP, this can lead to remote code execution. Additionally, uploading files such as .svg, .dfxp, or .xhtml can result in stored cross-site scripting attacks regardless of server configuration. This vulnerability affects all versions up to and including 4.14.1.
Potential Impact
Successful exploitation can lead to remote code execution on vulnerable server configurations, allowing attackers to execute arbitrary code with the privileges of the web server. Alternatively, it can enable stored cross-site scripting attacks, potentially compromising site visitors and administrators. The vulnerability requires authenticated access at Subscriber level or higher, which lowers the attack barrier compared to administrator-only flaws. The CVSS score of 8.8 reflects high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict user roles that can upload files, and consider disabling or limiting the plugin's file upload features. Monitor for updates from the vendor and apply patches promptly once released. Avoid server configurations that treat .phar files as executable PHP if possible.
CVE-2026-3533: CWE-434 Unrestricted Upload of File with Dangerous Type in artbees Jupiter X Core
Description
The Jupiter X Core plugin for WordPress is vulnerable to limited file uploads due to missing authorization on import_popup_templates() function as well as insufficient file type validation in the upload_files() function in all versions up to, and including, 4.14.1. This makes it possible for Authenticated attackers with Subscriber-level access and above, to upload files with dangerous types that can lead to Remote Code Execution on servers configured to handle .phar files as executable PHP (e.g., Apache+mod_php), or Stored Cross-Site Scripting via .svg, .dfxp, or .xhtml files upload on any server configuration
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Jupiter X Core plugin for WordPress suffers from a CWE-434 vulnerability involving unrestricted upload of files with dangerous types. The import_popup_templates() function lacks proper authorization checks, and the upload_files() function does not sufficiently validate file types. Authenticated attackers with at least Subscriber privileges can exploit this to upload malicious files. On servers configured to treat .phar files as executable PHP, this can lead to remote code execution. Additionally, uploading files such as .svg, .dfxp, or .xhtml can result in stored cross-site scripting attacks regardless of server configuration. This vulnerability affects all versions up to and including 4.14.1.
Potential Impact
Successful exploitation can lead to remote code execution on vulnerable server configurations, allowing attackers to execute arbitrary code with the privileges of the web server. Alternatively, it can enable stored cross-site scripting attacks, potentially compromising site visitors and administrators. The vulnerability requires authenticated access at Subscriber level or higher, which lowers the attack barrier compared to administrator-only flaws. The CVSS score of 8.8 reflects high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict user roles that can upload files, and consider disabling or limiting the plugin's file upload features. Monitor for updates from the vendor and apply patches promptly once released. Avoid server configurations that treat .phar files as executable PHP if possible.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-03-04T17:02:05.798Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69c1d4a7f4197a8e3ba0b3eb
Added to database: 3/24/2026, 12:02:47 AM
Last enriched: 4/9/2026, 6:48:24 PM
Last updated: 5/1/2026, 5:20:51 PM
Views: 24
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.