PT-2026-27264 · WordPress · Jupiter X Core

Jack Pas

Published

2026-03-23

Updated

2026-03-25

CVE-2026-3533

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Jupiter X Core plugin for WordPress versions through 4.14.1

Description The Jupiter X Core plugin for WordPress is susceptible to limited file uploads because of missing authorization in the import popup templates() function and inadequate file type validation within the upload files() function. This allows attackers with Subscriber-level access or higher to upload potentially dangerous files. Successful exploitation could lead to Remote Code Execution on servers configured to execute .phar files as PHP, or Stored Cross-Site Scripting through the upload of .svg, .dfxp, or .xhtml files.

Recommendations Update Jupiter X Core plugin to a version later than 4.14.1.

Fix

Unrestricted File Upload

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-434

Related Identifiers

CVE-2026-3533

Affected Products

Jupiter X Core

PT-2026-27264 · WordPress · Jupiter X Core

CVE-2026-3533

Weakness Enumeration

Related Identifiers

Affected Products

References · 8