Home

Description

The Jupiter X Core plugin for WordPress is vulnerable to limited file uploads due to missing authorization on import_popup_templates() function as well as insufficient file type validation in the upload_files() function in all versions up to, and including, 4.14.1. This makes it possible for Authenticated attackers with Subscriber-level access and above, to upload files with dangerous types that can lead to Remote Code Execution on servers configured to handle .phar files as executable PHP (e.g., Apache+mod_php), or Stored Cross-Site Scripting via .svg, .dfxp, or .xhtml files upload on any server configuration

PUBLISHED Reserved 2026-03-04 | Published 2026-03-23 | Updated 2026-04-08 | Assigner Wordfence




HIGH: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-434 Unrestricted Upload of File with Dangerous Type

Product status

Default status
unaffected

Any version
affected

Timeline

2026-02-21:Discovered
2026-03-11:Vendor Notified
2026-03-23:Disclosed

Credits

Jack Pas finder

References

www.wordfence.com/...-525d-4aae-9d66-efd65c9beee3?source=cve

plugins.trac.wordpress.org/...es/class-popup.php?rev=3430169

plugins.trac.wordpress.org/...ms/fields/file.php?rev=3430169

plugins.trac.wordpress.org/...s/ajax-handler.php?rev=3430169

cve.org (CVE-2026-3533)

nvd.nist.gov (CVE-2026-3533)

Download JSON