CVE-2026-3533
Received Received - Intake
File Upload Vulnerabilities in Jupiter X Core Plugin Enable RCE

Publication date: 2026-03-24

Last updated on: 2026-03-24

Assigner: Wordfence

Description
The Jupiter X Core plugin for WordPress is vulnerable to limited file uploads due to missing authorization on import_popup_templates() function as well as insufficient file type validation in the upload_files() function in all versions up to, and including, 4.14.1. This makes it possible for Authenticated attackers with Subscriber-level access and above, to upload files with dangerous types that can lead to Remote Code Execution on servers configured to handle .phar files as executable PHP (e.g., Apache+mod_php), or Stored Cross-Site Scripting via .svg, .dfxp, or .xhtml files upload on any server configuration
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-24
Last Modified
2026-03-24
Generated
2026-06-16
AI Q&A
2026-03-24
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3533
EUVD
EUVD-2026-14650
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
themeforest jupiter_x_core 4.14.1
themeforest jupiter_x_core to 4.14.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in the Jupiter X Core WordPress plugin allows authenticated users with Subscriber-level access or higher to upload files without proper authorization and with insufficient file type validation.

Specifically, the import_popup_templates() function lacks authorization checks, and the upload_files() function does not adequately validate file types. This enables attackers to upload dangerous file types.

If the server is configured to execute .phar files as PHP (for example, Apache with mod_php), this can lead to Remote Code Execution (RCE). Alternatively, uploading files like .svg, .dfxp, or .xhtml can cause Stored Cross-Site Scripting (XSS) vulnerabilities on any server configuration.

Impact Analysis

This vulnerability can have severe impacts including:

  • Remote Code Execution (RCE) on the server if it processes .phar files as executable PHP, allowing attackers to run arbitrary code.
  • Stored Cross-Site Scripting (XSS) attacks via uploading malicious .svg, .dfxp, or .xhtml files, which can compromise site visitors and administrators.
  • Potential unauthorized access or control over the WordPress site and its data due to exploitation of these vulnerabilities.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability involves unauthorized file uploads via the Jupiter X Core WordPress plugin's Ajax form handlers, specifically through the import_popup_templates() function and the upload_files() function. Detection can focus on monitoring Ajax requests to the plugin's endpoints that handle file uploads."}, {'type': 'paragraph', 'content': "To detect exploitation attempts on your system or network, you can monitor HTTP POST requests targeting the WordPress Ajax actions related to JupiterX Core forms, such as 'wp_ajax_raven_form_frontend' or 'wp_ajax_raven_form_editor'. Look for unusual file upload activity, especially files with extensions like .phar, .svg, .dfxp, or .xhtml."}, {'type': 'paragraph', 'content': 'Suggested commands include using web server access logs or network monitoring tools to filter for POST requests to admin-ajax.php with parameters indicating JupiterX Core form submissions. For example, using grep on Apache logs:'}, {'type': 'list_item', 'content': "grep 'POST /wp-admin/admin-ajax.php' /var/log/apache2/access.log | grep -E 'action=raven_form_frontend|action=raven_form_editor'"}, {'type': 'list_item', 'content': "Inspect uploaded files in the WordPress uploads directory under 'jupiterx/forms' for suspicious file types or unexpected files."}, {'type': 'paragraph', 'content': 'Additionally, monitoring for files with dangerous extensions (.phar, .svg, .dfxp, .xhtml) in upload directories or scanning for recently modified files with these extensions can help detect exploitation.'}] [1, 4]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include restricting file upload capabilities and limiting access to the vulnerable functions.'}, {'type': 'list_item', 'content': 'Update the Jupiter X Core plugin to a version later than 4.14.1 where this vulnerability is fixed.'}, {'type': 'list_item', 'content': 'Restrict user roles that can upload files via the vulnerable Ajax endpoints to trusted users only, as the vulnerability requires at least Subscriber-level access.'}, {'type': 'list_item', 'content': "Disable or restrict the import_popup_templates() functionality and unfiltered file uploads if possible, especially the 'enable_unfiltered_files_upload' option which is restricted to administrators."}, {'type': 'list_item', 'content': 'Implement server-side restrictions to prevent execution of .phar files and other dangerous file types by configuring the web server (e.g., Apache) to not treat these files as executable PHP.'}, {'type': 'list_item', 'content': 'Ensure upload directories (such as wp_upload_dir()/jupiterx/forms) have proper permissions and protective files (.htaccess, index.php) to prevent direct access.'}, {'type': 'paragraph', 'content': 'Monitoring and logging suspicious file uploads and access attempts should continue as part of ongoing security practices.'}] [1, 4, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3533. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart