Vulnerability in File Upload Handling for Jupiter X Core Plugin by WordPress
CVE-2026-3533

8.8HIGH

Key Information:

Vendor: WordPress
Status: Jupiter X Core
Vendor: CVE Published:; 23 March 2026

What is CVE-2026-3533?

The Jupiter X Core plugin for WordPress contains a vulnerability that allows authenticated users with Subscriber-level permissions and above to upload files without proper authorization checks. The import_popup_templates() and upload_files() functions lack sufficient validation for file types, enabling the upload of potentially harmful file formats. This could lead to scenarios where an attacker can execute arbitrary code on servers that are misconfigured to treat .phar files as executable PHP files, or they might exploit stored cross-site scripting (XSS) vulnerabilities through .svg, .dfxp, or .xhtml file uploads across any server setup.

Affected Version(s)

Jupiter X Core 0 <= 4.14.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/jupiterx-core/...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 23, 2026
Vulnerability Reserved
Mar 4, 2026

Credit

Jack Pas

CVE-2026-3533 Data

JSON