
Jupiter X Core Plugin Security Flaws Expose 172K WordPress Sites to Hacking

Jupiter X Core, a popular plugin that all Jupiter X users must install to use the full features of the Jupiter X theme, has been found to have two critical vulnerabilities. They were discovered by security analyst Rafie Muhammad, who reported them to ArtBee, the developer of Jupiter X Core.

The first vulnerability, labeled CVE-2023-38388, affects all versions (3.3.5 and below) of Jupiter X Core.

This vulnerability is an unauthenticated arbitrary file upload: it lets unauthenticated users upload files to the server and thereby achieve remote code execution (RCE).

CVE-2023-38388 has been assigned a severity score of 9, and ArtBee has resolved it in version 3.3.8 by introducing authentication checks to stop the unauthorized uploading of dangerous file types.

The second vulnerability, labeled CVE-2023-38389, affects all versions (3.3.8 and below) of Jupiter X Core. This vulnerability allows unauthenticated users to take control of any WordPress user account simply by knowing the target’s email address.

CVE-2023-38389 has been assigned a severity score of 9.8. ArtBee has rectified it in version 3.4.3 by addressing the “ajax_handel” function in the Facebook login process, ensuring that unauthorized users can no longer manipulate user credentials.

As of now, there are no documented cases of these vulnerabilities being exploited in the wild.

However, security experts strongly advise all Jupiter X Core users running an older version to update to the latest version, 3.4.3, to protect their WordPress websites against CVE-2023-38388 and CVE-2023-38389.
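For anyone checking several sites, the version boundaries above can be turned into a quick triage. The following is an added example, not code from ArtBee or the original post: it reads the standard WordPress `Version:` plugin header and reports each CVE's status, and the function names and the sample header are constructed for illustration. Versions that fall between the last release named as affected and the fixed release are reported as `unstated`, since the article does not cover them.

```python
import re

# Version boundaries exactly as stated in the article above.
ADVISORIES = {
    "CVE-2023-38388": {"affected_max": (3, 3, 5), "fixed_in": (3, 3, 8)},
    "CVE-2023-38389": {"affected_max": (3, 3, 8), "fixed_in": (3, 4, 3)},
}

# Constructed sample of a plugin file header (not copied from the real plugin).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Jupiter X Core
 * Version: 3.3.8
 */
"""

def parse_plugin_version(header_text):
    """Return the 'Version:' header field as a tuple of ints, or None."""
    m = re.search(r"^[ \t/*#@]*Version:\s*(\d+(?:\.\d+)*)",
                  header_text, re.M | re.I)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))  # pad "3.4" to (3, 4, 0)
    return tuple(parts)

def triage(version):
    """Map each CVE to 'affected', 'fixed' or 'unstated' for this version."""
    result = {}
    for cve, bounds in ADVISORIES.items():
        if version <= bounds["affected_max"]:
            result[cve] = "affected"
        elif version >= bounds["fixed_in"]:
            result[cve] = "fixed"
        else:
            # In the gap between the two versions the article names:
            # status is not stated, so treat it as needing the update.
            result[cve] = "unstated"
    return result

def needs_update(version):
    """True unless every CVE is reported as fixed for this version."""
    return any(status != "fixed" for status in triage(version).values())

if __name__ == "__main__":
    v = parse_plugin_version(SAMPLE_HEADER)
    print(v, triage(v), "update needed:", needs_update(v))
```
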


The post Jupiter X Core Plugin Security Flaws Expose 172K WordPress Sites to Hacking appeared first on EncryptedFence by CerteraSSL - A Complete Web Security Blog.


