{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/jupiter-x-core/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Jupiter X Core","WordPress"],"_cs_severities":["critical"],"_cs_tags":["wordpress","plugin","rce","xss","file-upload"],"_cs_type":"advisory","_cs_vendors":["Jupiter"],"content_html":"\u003cp\u003eThe Jupiter X Core plugin for WordPress, a widely used theme customization tool, contains a critical vulnerability (CVE-2026-3533) affecting versions up to and including 4.14.1. This vulnerability stems from two key flaws: missing authorization checks on the \u003ccode\u003eimport_popup_templates()\u003c/code\u003e function and inadequate file type validation within the \u003ccode\u003eupload_files()\u003c/code\u003e function. This allows authenticated attackers with minimal privileges (subscriber-level access and above) to upload arbitrary files to the WordPress server. The vulnerability was published on March 24, 2026. Successful exploitation can lead to Remote Code Execution (RCE) on servers configured to execute .phar files as PHP code (e.g., Apache with mod_php) or Stored Cross-Site Scripting (XSS) via .svg, .dfxp, or .xhtml files on any server configuration. This poses a significant risk to WordPress websites using the Jupiter X Core plugin, potentially allowing attackers to gain complete control of the server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains subscriber-level access to a WordPress website using the vulnerable Jupiter X Core plugin (\u0026lt;= 4.14.1). This could be achieved through compromised credentials or by registering a new user account if registration is enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the WordPress admin panel.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the missing authorization in \u003ccode\u003eimport_popup_templates()\u003c/code\u003e to access file upload functionality that should be restricted to higher-level administrators.\u003c/li\u003e\n\u003cli\u003eThe attacker bypasses the insufficient file type validation in \u003ccode\u003eupload_files()\u003c/code\u003e, uploading a malicious .phar file disguised as a legitimate file type. Alternatively, they upload an .svg, .dfxp, or .xhtml file.\u003c/li\u003e\n\u003cli\u003eIf the server is configured to execute .phar files as PHP, the uploaded .phar file is executed, granting the attacker arbitrary code execution on the server.\u003c/li\u003e\n\u003cli\u003eAlternatively, the uploaded .svg, .dfxp, or .xhtml file is stored on the server.\u003c/li\u003e\n\u003cli\u003eWhen a user visits a page containing the uploaded file, the malicious script within the file is executed in their browser, leading to Stored Cross-Site Scripting (XSS).\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the RCE to install malware, create backdoors, steal sensitive data, or deface the website. XSS can be used to steal admin credentials or redirect users to phishing sites.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-3533 can have severe consequences. For servers vulnerable to RCE via .phar uploads, attackers can gain complete control, leading to data breaches, malware infections, and website defacement. The Stored XSS vulnerability allows attackers to inject malicious scripts into the website, potentially compromising user accounts and spreading malware. Given the widespread use of WordPress and the Jupiter X Core plugin, a large number of websites are potentially vulnerable. While specific victim numbers are unavailable, the impact could be substantial, affecting businesses, organizations, and individuals who rely on WordPress for their online presence.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the Jupiter X Core plugin to the latest version (greater than 4.14.1) to patch CVE-2026-3533.\u003c/li\u003e\n\u003cli\u003eIf updating is not immediately feasible, disable the Jupiter X Core plugin temporarily as a mitigation measure.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious file uploads, specifically targeting .phar, .svg, .dfxp, and .xhtml file extensions. Use the provided Sigma rule \u003ccode\u003eDetectSuspiciousFileUploading\u003c/code\u003e to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eReview WordPress user accounts and remove any unauthorized or suspicious accounts with subscriber-level access.\u003c/li\u003e\n\u003cli\u003eConfigure your web server to properly handle file uploads to prevent execution of uploaded files. Ensure that .phar files are not executed as PHP scripts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-jupiter-x-core-rce/","summary":"The Jupiter X Core plugin for WordPress is vulnerable to remote code execution and stored cross-site scripting due to missing authorization and insufficient file type validation in versions up to 4.14.1, allowing authenticated attackers with subscriber-level access to upload malicious files.","title":"Jupiter X Core WordPress Plugin Vulnerability Leads to Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-jupiter-x-core-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Jupiter X Core","version":"https://jsonfeed.org/version/1.1"}