WordPress Plugin Vulnerabilities

Jupiter X Core < 4.6.9 - Unauthenticated Arbitrary File Download

Description

The plugin does not have authorisation checks and does not validate file paths in the handle_file_download function, allowing unauthenticated users to download arbitrary files from the server when the premium version of the plugin is activated

Affects Plugins

Plugin icon
jupiterx-core
Fixed in 4.6.9

References

CVE
CVE-2023-3813
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/f767d94b-fe92-4b69-9d81-96de51e12983

Classification

Type
FILE DOWNLOAD
OWASP top 10
A1: Injection
CWE
CWE-552
CVSS
7.5 (high)

Miscellaneous

Original Researcher
Lana Codes
Verified
Yes
WPVDB ID
6f3f0822-10b3-42c2-a491-4be35912b9fa

Timeline

Publicly Published
2023-07-20 (about 2 years ago)
Added
2023-07-24 (about 2 years ago)
Last Updated
2024-09-24 (about 1 year ago)

Other

Published
Title
Published
2022-12-05
Title
Welcart e-Commerce < 2.8.5 - Unauthenticated Arbitrary File Access
Published
2021-08-31
Title
DZS Zoomsounds < 6.50 - Unauthenticated Arbitrary File Download
Published
2019-06-02
Title
Simple File List < 3.2.8 - Unauthenticated Arbitrary File Download
Published
2022-11-10
Title
S2W - Import Shopify to WooCommerce < 1.1.13 - Admin+ Arbitrary File Access
Published
2025-11-10
Title
Auto Amazon Links – Amazon Associates Affiliate Plugin <= 5.4.3 - Unauthenticated Arbitrary File Read