<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Jupiter - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/jupiter/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 30 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/jupiter/feed.xml" rel="self" type="application/rss+xml"/><item><title>Jupiter X Core WordPress Plugin Vulnerability Leads to Remote Code Execution</title><link>https://feed.craftedsignal.io/briefs/2024-01-jupiter-x-core-rce/</link><pubDate>Tue, 30 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-jupiter-x-core-rce/</guid><description>The Jupiter X Core plugin for WordPress is vulnerable to remote code execution and stored cross-site scripting due to missing authorization and insufficient file type validation in versions up to 4.14.1, allowing authenticated attackers with subscriber-level access to upload malicious files.</description><content:encoded><![CDATA[<p>The Jupiter X Core plugin for WordPress, a widely used theme customization tool, contains a critical vulnerability (CVE-2026-3533) affecting versions up to and including 4.14.1. This vulnerability stems from two key flaws: missing authorization checks on the <code>import_popup_templates()</code> function and inadequate file type validation within the <code>upload_files()</code> function. This allows authenticated attackers with minimal privileges (subscriber-level access and above) to upload arbitrary files to the WordPress server. The vulnerability was published on March 24, 2026. Successful exploitation can lead to Remote Code Execution (RCE) on servers configured to execute .phar files as PHP code (e.g., Apache with mod_php) or Stored Cross-Site Scripting (XSS) via .svg, .dfxp, or .xhtml files on any server configuration. This poses a significant risk to WordPress websites using the Jupiter X Core plugin, potentially allowing attackers to gain complete control of the server.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains subscriber-level access to a WordPress website using the vulnerable Jupiter X Core plugin (&lt;= 4.14.1). This could be achieved through compromised credentials or by registering a new user account if registration is enabled.</li>
<li>The attacker authenticates to the WordPress admin panel.</li>
<li>The attacker leverages the missing authorization in <code>import_popup_templates()</code> to access file upload functionality that should be restricted to higher-level administrators.</li>
<li>The attacker bypasses the insufficient file type validation in <code>upload_files()</code>, uploading a malicious .phar file disguised as a legitimate file type. Alternatively, they upload an .svg, .dfxp, or .xhtml file.</li>
<li>If the server is configured to execute .phar files as PHP, the uploaded .phar file is executed, granting the attacker arbitrary code execution on the server.</li>
<li>Alternatively, the uploaded .svg, .dfxp, or .xhtml file is stored on the server.</li>
<li>When a user visits a page containing the uploaded file, the malicious script within the file is executed in their browser, leading to Stored Cross-Site Scripting (XSS).</li>
<li>The attacker exploits the RCE to install malware, create backdoors, steal sensitive data, or deface the website. XSS can be used to steal admin credentials or redirect users to phishing sites.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-3533 can have severe consequences. For servers vulnerable to RCE via .phar uploads, attackers can gain complete control, leading to data breaches, malware infections, and website defacement. The Stored XSS vulnerability allows attackers to inject malicious scripts into the website, potentially compromising user accounts and spreading malware. Given the widespread use of WordPress and the Jupiter X Core plugin, a large number of websites are potentially vulnerable. While specific victim numbers are unavailable, the impact could be substantial, affecting businesses, organizations, and individuals who rely on WordPress for their online presence.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately update the Jupiter X Core plugin to the latest version (greater than 4.14.1) to patch CVE-2026-3533.</li>
<li>If updating is not immediately feasible, disable the Jupiter X Core plugin temporarily as a mitigation measure.</li>
<li>Monitor web server logs for suspicious file uploads, specifically targeting .phar, .svg, .dfxp, and .xhtml file extensions. Use the provided Sigma rule <code>DetectSuspiciousFileUploading</code> to detect potential exploitation attempts.</li>
<li>Review WordPress user accounts and remove any unauthorized or suspicious accounts with subscriber-level access.</li>
<li>Configure your web server to properly handle file uploads to prevent execution of uploaded files. Ensure that .phar files are not executed as PHP scripts.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>wordpress</category><category>plugin</category><category>rce</category><category>xss</category><category>file-upload</category></item></channel></rss>