JupiterX Core < 4.14.2 – Authenticated (Subscriber+) Missing Authorization To Limited File Upload via Popup Template Import | CVE 2026-3533 | Plugin Vulnerabilities

Description

The Jupiter X Core plugin for WordPress is vulnerable to limited file uploads due to missing authorization on import_popup_templates() function as well as insufficient file type validation in the upload_files() function in all versions up to, and including, 4.14.1. This makes it possible for Authenticated attackers with Subscriber-level access and above, to upload files with dangerous types that can lead to Remote Code Execution on servers configured to handle .phar files as executable PHP (e.g., Apache+mod_php), or Stored Cross-Site Scripting via .svg, .dfxp, or .xhtml files upload on any server configuration

Affects Plugins

Fixed in 4.14.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/70bc5247-525d-4aae-9d66-efd65c9beee3

Miscellaneous

Original Researcher

Jack Pas (Dark.)

Verified

No

WPVDB ID

db3b1659-b420-4b5b-ae3f-c19b337c92b5

Timeline

Publicly Published

2026-03-23 (about 3 months ago)

Added

2026-03-23 (about 3 months ago)

Last Updated

2026-03-24 (about 3 months ago)

Other

Published

Title

Published

2025-05-08

Title

ELEX WordPress HelpDesk & Customer Ticketing System < 3.3.0 - Subscriber+ Arbitrary File Upload

Published

2025-01-16

Title

user files <= 2.4.2 - Unauthenticated Arbitrary File Upload

Published

2025-09-05

Title

Multi Step Form < 1.7.26 - Authenticated (Admin+) Arbitrary File Upload

Published

2026-02-10

Title

Migration, Backup, Staging < 0.9.124 - Unauthenticated Arbitrary File Upload

Published

2015-03-16

Title

Reflex Gallery <= 3.1.3 - Arbitrary File Upload