WordPress Plugin Vulnerabilities

Jupiter X Core Premium < 3.4.3 - Unauthenticated Privilege Escalation

Description

The plugin does not properly validate users during the Facebook login process, allowing unauthenticated users to login as any user by knowing their email address

Affects Plugins

Plugin icon
jupiterx-core
Fixed in 3.4.3

References

CVE
CVE-2023-38389
URL
https://patchstack.com/articles/critical-vulnerabilities-patched-in-jupiter-x-core-plugin/

Classification

Type
PRIVESC
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-269
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
Yes
WPVDB ID
a5d8c38c-a11f-4b0d-88f7-c52de269a05d

Timeline

Publicly Published
2023-08-22 (about 2 years ago)
Added
2023-08-24 (about 2 years ago)
Last Updated
2023-08-24 (about 2 years ago)

Other

Published
Title
Published
2024-07-01
Title
Ultimate Addons for Elementor < 1.36.32 - Authenticated (Contributor+) Privilege Escalation
Published
2020-06-11
Title
WordPress < 5.4.2 - Misuse of set-screen-option Leading to Privilege Escalation
Published
2019-08-03
Title
ND Donations < 1.4 - Unauthenticated Options Change
Published
2016-07-08
Title
Profile Builder < 2.4.1 - Privilege Escalation
Published
2024-11-15
Title
WP Video Robot <= 1.20.0 - Authenticated (Subscriber+) Privilege Escalation via User Meta Update