Approved changes feed: RSS · Atom

cpe:2.3:a:artbees:jupiter_x_core:*:*:*:*:*:*:*:*

part: a version: * update: *

VendorArtbees (d97133e8-eac9-55a9-afb7-f9bb6c27270c)
ProductJupiter X Core (827d96c4-8444-52a4-a43f-cdfab8c38042)
Edition*
Language*
Software edition*
Target software*
Target hardware*
Other*
NotesImported from gcve-enriched-dumps CVE data

PURL mappings

PURLSourceLast updated
No PURL mappings for this CPE yet.

Vulnerability references

IdentifiercpeApplicabilitySubmitteddb.gcve.eu detailsRationale
CVE:CVE-2026-3533 vulnerable 2026-06-08 08:01:18.932419 JupiterX Core <= 4.14.1 - Authenticated (Subscriber+) Missing Authorization To Limited File Upload via Popup Template Import
HIGH (8.8)
The Jupiter X Core plugin for WordPress is vulnerable to limited file uploads due to missing authorization on import_popup_templates() function as well as insufficient file type validation in the upload_files() function in all versions up to, and including, 4.14.1. This makes it possible for Authenticated attackers with Subscriber-level access and above, to upload files with dangerous types that can lead to Remote Code Execution on servers configured to handle .phar files as executable PHP (e.g., Apache+mod_php), or Stored Cross-Site Scripting via .svg, .dfxp, or .xhtml files upload on any server configuration
Published: 2026-03-23T23:25:49.341Z
Updated: 2026-04-08T17:00:24.847Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-3888 vulnerable 2026-06-08 07:23:10.089972 Jupiterx Core <= 4.8.12 - Authenticated (Contributor+) Stored Cross-Site Scripting via Inline SVG
MEDIUM (6.4)
The Jupiter X Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File inclusion in all versions up to, and including, 4.8.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the page with the included SVG file.
Published: 2025-05-17T11:17:16.724Z
Updated: 2026-04-08T17:32:53.108Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-2105 vulnerable 2026-06-08 07:14:58.028557 Jupiter X Core <= 4.8.11 - Unauthenticated PHP Object Injection via PHAR
HIGH (8.1)
The Jupiter X Core plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.8.11 via deserialization of untrusted input from the 'file' parameter of the 'raven_download_file' function. This makes it possible for attackers to inject a PHP Object through a PHAR file. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. This vulnerability may be exploited by unauthenticated attackers when a form is present on the site with the file download action, and the ability to upload files is also present. Otherwise, this would be considered exploitable by Contributor-level users and above, because they could create the form needed to successfully exploit this.
Published: 2025-04-26T05:34:22.050Z
Updated: 2026-04-08T16:45:40.367Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-0366 vulnerable 2026-06-08 07:02:24.460432 Jupiter X Core <= 4.8.7 - Authenticated (Contributor+) SVG Upload to Local File Inclusion (Remote Code Execution)
HIGH (8.8)
The Jupiter X Core plugin for WordPress is vulnerable to Local File Inclusion to Remote Code Execution in all versions up to, and including, 4.8.7 via the get_svg() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution. In this specific case, an attacker can create a form that allows SVG uploads, upload an SVG file with malicious content and then include the SVG file in a post to achieve remote code execution. This means it is relatively easy to gain remote code execution as a contributor-level user and above by default.
Published: 2025-02-01T05:30:37.253Z
Updated: 2026-04-08T16:38:01.625Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-0365 vulnerable 2026-06-08 07:02:24.458827 Jupiterx Core <= 4.8.7 - Authenticated (Contributor+) Arbitrary File Read
MEDIUM (6.5)
The Jupiter X Core plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 4.8.7 via the inline SVG feature. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Published: 2025-02-01T05:30:37.677Z
Updated: 2026-04-08T17:25:40.376Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-7781 vulnerable 2026-06-08 06:58:23.416224 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-7772 vulnerable 2026-06-08 06:58:23.404031 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-12316 vulnerable 2026-06-08 06:23:51.706327 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-12033 vulnerable 2026-06-08 06:23:51.035934 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-3813 vulnerable 2026-06-08 06:09:40.590569 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-1659 vulnerable 2026-06-08 05:39:13.648652 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-1656 vulnerable 2026-06-08 05:39:13.644850 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-1654 vulnerable 2026-06-08 05:39:13.637372 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.