Cyber Posture

CVE-2026-3533

High

Published: 24 March 2026

Modified: 24 April 2026
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0028 (51.7th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

The Jupiter X Core plugin for WordPress is vulnerable to limited file uploads due to missing authorization on the import_popup_templates() function as well as insufficient file type validation in the upload_files() function in all versions up to, and including, 4.14.1. This makes it possible for authenticated attackers with Subscriber-level access and above to upload files with dangerous types, which can lead to remote code execution on servers configured to handle .phar files as executable PHP (e.g., Apache+mod_php), or to stored cross-site scripting via .svg, .dfxp, or .xhtml file uploads on any server configuration.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

prevent: Directly addresses the insufficient file type validation in upload_files() by requiring checks that block dangerous extensions such as .phar, .svg, .dfxp, and .xhtml.

prevent: Enforces the authorization check missing from import_popup_templates(), so that Subscriber-level and higher users cannot reach the vulnerable upload functions.

prevent: Restricts the types of files that can be entered into the WordPress system, mitigating unrestricted uploads of executable or scriptable content.
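To make the three controls concrete, here is an added example (not code from Jupiter X Core or WordPress core) of a WordPress AJAX upload handler that applies an authorization check and an extension/MIME allowlist; the hook name, nonce action and form field name are assumptions.

```php
<?php
// Added example, not Jupiter X Core code. The hook name, the nonce action
// and the $_FILES field name ('template_file') are assumptions.
// No 'wp_ajax_nopriv_' registration: unauthenticated requests never reach it.
add_action( 'wp_ajax_example_import_template', 'example_import_template' );

function example_import_template() {
    // 1. Authorization: CSRF nonce plus a capability check. 'upload_files' is
    //    not granted to Subscribers by default, which closes the gap the
    //    advisory describes (any logged-in user reaching the importer).
    check_ajax_referer( 'example_import_template', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    if ( empty( $_FILES['template_file'] ) ) {
        wp_send_json_error( 'no file supplied', 400 );
    }

    // 2. File type validation: an explicit allowlist of extension => MIME.
    //    .phar, .svg, .dfxp and .xhtml are simply absent, so they are refused
    //    regardless of the Content-Type the client claims.
    $allowed = array(
        'json' => 'application/json',
        'png'  => 'image/png',
        'jpg'  => 'image/jpeg',
    );
    $file = $_FILES['template_file'];
    $name = sanitize_file_name( $file['name'] );

    // wp_check_filetype_and_ext() matches the extension against $allowed and,
    // for images, sniffs the actual content; no match yields ext/type false.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $name, $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not permitted', 415 );
    }

    // 3. Let core move the file, passing the same allowlist so the upload
    //    routine applies its own type checks rather than an ad hoc copy.
    $result = wp_handle_upload(
        $file,
        array( 'test_form' => false, 'mimes' => $allowed )
    );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'file' => $result['file'], 'type' => $result['type'] ) );
}
```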

Security Summary [AI-generated]

The Jupiter X Core plugin for WordPress contains a vulnerability (CVE-2026-3533) that enables limited file uploads due to missing authorization checks in the import_popup_templates() function and insufficient file type validation in the upload_files() function. This issue affects all versions up to and including 4.14.1. Assigned a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and mapped to CWE-434 (Unrestricted Upload of File with Dangerous Type), it was published on 2026-03-24.

Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability to upload arbitrary files with dangerous extensions. On servers configured to execute .phar files as PHP (such as Apache with mod_php), this can result in remote code execution. On any server configuration, uploads of .svg, .dfxp, or .xhtml files can lead to stored cross-site scripting attacks.

Advisories and references, including the Wordfence threat intelligence report and WordPress plugin trac browser links to specific code revisions (e.g., class-popup.php at line 138, ajax-handler.php at line 434, and file.php at line 214 in revision 3430169), highlight the vulnerable code paths but do not detail explicit mitigation steps beyond implying the need to address the authorization and validation flaws in updated versions.

Details

CWE(s): CWE-434 Unrestricted Upload of File with Dangerous Type

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

A file upload vulnerability in a WordPress plugin enables exploitation of a public-facing application (T1190) and facilitates web shell deployment via .phar uploads for RCE (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References