Jupiter X Core
Approved changes feed: RSS · Atom
cpe:2.3:a:artbees:jupiter_x_core:*:*:*:*:*:wordpress:*:*
part: a version: * update: *
| Vendor | Artbees (d97133e8-eac9-55a9-afb7-f9bb6c27270c) |
|---|---|
| Product | Jupiter X Core (827d96c4-8444-52a4-a43f-cdfab8c38042) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | wordpress |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | ||
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2025-3888 |
vulnerable | 2026-06-08 07:23:10.090711 |
Jupiterx Core <= 4.8.12 - Authenticated (Contributor+) Stored Cross-Site Scripting via Inline SVG
MEDIUM (6.4)
The Jupiter X Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File inclusion in all versions up to, and including, 4.8.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the page with the included SVG file.
Published: 2025-05-17T11:17:16.724Z
Updated: 2026-04-08T17:32:53.108Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-2105 |
vulnerable | 2026-06-08 07:14:58.029429 |
Jupiter X Core <= 4.8.11 - Unauthenticated PHP Object Injection via PHAR
HIGH (8.1)
The Jupiter X Core plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.8.11 via deserialization of untrusted input from the 'file' parameter of the 'raven_download_file' function. This makes it possible for attackers to inject a PHP Object through a PHAR file. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. This vulnerability may be exploited by unauthenticated attackers when a form is present on the site with the file download action, and the ability to upload files is also present. Otherwise, this would be considered exploitable by Contributor-level users and above, because they could create the form needed to successfully exploit this.
Published: 2025-04-26T05:34:22.050Z
Updated: 2026-04-08T16:45:40.367Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-0366 |
vulnerable | 2026-06-08 07:02:24.460474 |
Jupiter X Core <= 4.8.7 - Authenticated (Contributor+) SVG Upload to Local File Inclusion (Remote Code Execution)
HIGH (8.8)
The Jupiter X Core plugin for WordPress is vulnerable to Local File Inclusion to Remote Code Execution in all versions up to, and including, 4.8.7 via the get_svg() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution. In this specific case, an attacker can create a form that allows SVG uploads, upload an SVG file with malicious content and then include the SVG file in a post to achieve remote code execution. This means it is relatively easy to gain remote code execution as a contributor-level user and above by default.
Published: 2025-02-01T05:30:37.253Z
Updated: 2026-04-08T16:38:01.625Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-0365 |
vulnerable | 2026-06-08 07:02:24.459987 |
Jupiterx Core <= 4.8.7 - Authenticated (Contributor+) Arbitrary File Read
MEDIUM (6.5)
The Jupiter X Core plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 4.8.7 via the inline SVG feature. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Published: 2025-02-01T05:30:37.677Z
Updated: 2026-04-08T17:25:40.376Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-7781 |
vulnerable | 2026-06-08 06:58:23.416185 |
Jupiter X Core <= 4.7.5 - Limited Unauthenticated Authentication Bypass to Account Takeover
HIGH (8.1)
The Jupiter X Core plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 4.7.5. This is due to improper authentication via the Social Login widget. This makes it possible for unauthenticated attackers to log in as the first user to have logged in with a social media account, including administrator accounts. Attackers can exploit the vulnerability even if the Social Login element has been disabled, as long as it was previously enabled and used. The vulnerability was partially patched in version 4.7.5, and fully patched in version 4.7.8.
Published: 2024-09-26T04:29:59.599Z
Updated: 2026-04-08T17:32:05.766Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-7772 |
vulnerable | 2026-06-08 06:58:23.403401 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-12316 |
vulnerable | 2026-06-08 06:23:51.706369 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-12033 |
vulnerable | 2026-06-08 06:23:51.036969 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-3813 |
vulnerable | 2026-06-08 06:09:40.591519 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-38394 |
vulnerable | 2026-06-08 06:08:17.806147 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-38389 |
vulnerable | 2026-06-08 06:08:17.797206 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-38388 |
vulnerable | 2026-06-08 06:08:17.796733 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-38385 |
vulnerable | 2026-06-08 06:08:17.792560 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-1656 |
vulnerable | 2026-06-08 05:39:13.646598 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.