01 Description: what the vulnerability does
The Jupiter X Core plugin for WordPress is vulnerable to limited file upload in all versions up to, and including, 4.14.1. Two defects combine: the import_popup_templates() function is missing an authorization check, and the upload_files() function performs insufficient file type validation. An authenticated attacker with Subscriber-level access or above can therefore upload files of dangerous types. On servers configured to execute .phar files as PHP (e.g., Apache with mod_php), this can lead to Remote Code Execution; on any server configuration, uploaded .svg, .dfxp, or .xhtml files can be used for Stored Cross-Site Scripting.
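Because the dangerous outcome depends on what an attacker managed to write into the uploads tree, the first thing a site owner wants after reading the description above is a way to find such files. The script below is an added example written for this page; it is not code from the Jupiter X Core plugin or from the advisory. It walks an uploads directory, flags the four extensions the advisory names (checking every suffix so double extensions are caught), and inspects the file body for script markup or a PHP open tag. The directory it scans is a constructed sample built in a temp dir so the example runs offline; point scan_uploads() at wp-content/uploads on a real site.

```python
"""Scan a WordPress uploads tree for the file types named in this advisory.

Added example, not plugin or advisory code. The sample tree built by
build_sample_tree() is constructed for this demo.
"""
import re
import tempfile
from pathlib import Path

# Extensions the advisory names and why each matters.
DANGEROUS_EXT = {
    ".phar": "possible RCE (executes as PHP where the server maps .phar to PHP)",
    ".svg": "stored XSS",
    ".dfxp": "stored XSS",
    ".xhtml": "stored XSS",
}

# Crude markers of active content inside XML-based files (script tags,
# javascript: URLs, on*= event handlers) and of embedded PHP.
ACTIVE_CONTENT = re.compile(rb"<script|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)
PHP_TAG = re.compile(rb"<\?php|<\?=")


def scan_uploads(root):
    """Return [(relative_path, [reasons])] for every suspicious file under root."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        # Look at every suffix so 'shell.phar.txt' style names are not missed.
        hits = [s.lower() for s in path.suffixes if s.lower() in DANGEROUS_EXT]
        if not hits:
            continue
        reasons = [DANGEROUS_EXT[h] for h in hits]
        data = path.read_bytes()[:65536]  # head of the file is enough for markers
        if ACTIVE_CONTENT.search(data):
            reasons.append("contains script/event-handler markup")
        if PHP_TAG.search(data):
            reasons.append("contains PHP open tag")
        findings.append((path.relative_to(root).as_posix(), reasons))
    return findings


def build_sample_tree():
    """Create a constructed uploads tree mixing benign and suspicious files."""
    root = tempfile.mkdtemp(prefix="wp-uploads-")
    d = Path(root, "2026", "03")
    d.mkdir(parents=True)
    (d / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 placeholder image bytes")
    (d / "logo.svg").write_bytes(
        b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>')
    (d / "evil.svg").write_bytes(
        b'<svg onload="alert(1)" xmlns="http://www.w3.org/2000/svg"/>')
    (d / "shell.phar").write_bytes(b"<?php system($_GET['c']); ?>")
    (d / "captions.dfxp").write_bytes(b"<tt><body><p>hello</p></body></tt>")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel, why in scan_uploads(sample_root):
        print(f"{rel}: {'; '.join(why)}")
```

Every flagged .svg, .dfxp or .xhtml file deserves a look regardless of content markers, since the markers are only a heuristic. Whether a .phar upload is a code-execution problem depends on the web server: check the PHP handler configuration (Apache's AddHandler/SetHandler and FilesMatch directives; some distribution-packaged mod_php configs map .phar alongside .php) and remove the .phar mapping if nothing on the host needs it.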
02 Summary: explanation of the vulnerability in simple terms
Jupiter X Core versions up to and including 4.14.1 let logged-in users upload files that the plugin should reject, because one upload path lacks an authorization check and the file type validation is insufficient. An authenticated user with low privileges (Subscriber or above) can upload files of dangerous types. Depending on the server configuration this can lead to remote code execution, stored cross-site scripting, data theft, or site compromise. Update to a version newer than 4.14.1.
03 Attacker Capabilities: what an attacker can do
Upload files of dangerous types (.phar, .svg, .dfxp, .xhtml). Where the server executes .phar as PHP, this yields code execution on the site; on any server, the uploaded .svg, .dfxp, or .xhtml files can deliver stored cross-site scripting to users who open them.
04 Site Impact: potential impact on your site
Remote code execution on hosts that execute .phar as PHP, stored cross-site scripting against site users and administrators, and through either route compromised site integrity, data theft, or complete takeover via the uploaded malicious files.
05 Prerequisites: conditions required to exploit
Attacker must have an authenticated account on the site with Subscriber-level access or above.
06 Disclosure timeline: key dates
March 23, 2026: CVE published
April 8, 2026: Record updated