Approved changes feed: RSS · Atom

cpe:2.3:a:artbees:jupiter_x_core:*:*:*:*:*:wordpress:*:*

part: a version: * update: *

VendorArtbees (d97133e8-eac9-55a9-afb7-f9bb6c27270c)
ProductJupiter X Core (827d96c4-8444-52a4-a43f-cdfab8c38042)
Edition*
Language*
Software edition*
Target softwarewordpress
Target hardware*
Other*
NotesImported from gcve-enriched-dumps CVE data

PURL mappings

PURLSourceLast updated
No PURL mappings for this CPE yet.

Vulnerability references

IdentifiercpeApplicabilitySubmitteddb.gcve.eu detailsRationale
CVE:CVE-2025-3888 vulnerable 2026-06-08 07:23:10.090711 Jupiterx Core <= 4.8.12 - Authenticated (Contributor+) Stored Cross-Site Scripting via Inline SVG
MEDIUM (6.4)
The Jupiter X Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File inclusion in all versions up to, and including, 4.8.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the page with the included SVG file.
Published: 2025-05-17T11:17:16.724Z
Updated: 2026-04-08T17:32:53.108Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-2105 vulnerable 2026-06-08 07:14:58.029429 Jupiter X Core <= 4.8.11 - Unauthenticated PHP Object Injection via PHAR
HIGH (8.1)
The Jupiter X Core plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.8.11 via deserialization of untrusted input from the 'file' parameter of the 'raven_download_file' function. This makes it possible for attackers to inject a PHP Object through a PHAR file. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. This vulnerability may be exploited by unauthenticated attackers when a form is present on the site with the file download action, and the ability to upload files is also present. Otherwise, this would be considered exploitable by Contributor-level users and above, because they could create the form needed to successfully exploit this.
Published: 2025-04-26T05:34:22.050Z
Updated: 2026-04-08T16:45:40.367Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-0366 vulnerable 2026-06-08 07:02:24.460474 Jupiter X Core <= 4.8.7 - Authenticated (Contributor+) SVG Upload to Local File Inclusion (Remote Code Execution)
HIGH (8.8)
The Jupiter X Core plugin for WordPress is vulnerable to Local File Inclusion to Remote Code Execution in all versions up to, and including, 4.8.7 via the get_svg() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution. In this specific case, an attacker can create a form that allows SVG uploads, upload an SVG file with malicious content and then include the SVG file in a post to achieve remote code execution. This means it is relatively easy to gain remote code execution as a contributor-level user and above by default.
Published: 2025-02-01T05:30:37.253Z
Updated: 2026-04-08T16:38:01.625Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-0365 vulnerable 2026-06-08 07:02:24.459987 Jupiterx Core <= 4.8.7 - Authenticated (Contributor+) Arbitrary File Read
MEDIUM (6.5)
The Jupiter X Core plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 4.8.7 via the inline SVG feature. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Published: 2025-02-01T05:30:37.677Z
Updated: 2026-04-08T17:25:40.376Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-7781 vulnerable 2026-06-08 06:58:23.416185 Jupiter X Core <= 4.7.5 - Limited Unauthenticated Authentication Bypass to Account Takeover
HIGH (8.1)
The Jupiter X Core plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 4.7.5. This is due to improper authentication via the Social Login widget. This makes it possible for unauthenticated attackers to log in as the first user to have logged in with a social media account, including administrator accounts. Attackers can exploit the vulnerability even if the Social Login element has been disabled, as long as it was previously enabled and used. The vulnerability was partially patched in version 4.7.5, and fully patched in version 4.7.8.
Published: 2024-09-26T04:29:59.599Z
Updated: 2026-04-08T17:32:05.766Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-7772 vulnerable 2026-06-08 06:58:23.403401 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-12316 vulnerable 2026-06-08 06:23:51.706369 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-12033 vulnerable 2026-06-08 06:23:51.036969 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-3813 vulnerable 2026-06-08 06:09:40.591519 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-38394 vulnerable 2026-06-08 06:08:17.806147 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-38389 vulnerable 2026-06-08 06:08:17.797206 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-38388 vulnerable 2026-06-08 06:08:17.796733 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-38385 vulnerable 2026-06-08 06:08:17.792560 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-1656 vulnerable 2026-06-08 05:39:13.646598 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.