Researchers discovered numerous security flaws in the WordPress plugin Jupiter X Core that allow website hijacking. Users must rush to update their sites with the latest plugin version to receive the patches and avoid potential attacks.
Jupiter X Core Plugin Flaws Risked WordPress Websites
The security researcher Rafie Muhammad from Patchstack discovered two different flaws in the Jupiter X Core WordPress plugin. Exploiting these vulnerabilities could allow an adversary to takeover target websites and execute malicious codes.
As explained in his post, the first of these vulnerabilities, CVE-2023-38388, is an unauthenticated file upload flaw affecting the plugin’s upload_files
function. The researcher found the function lacking authentication checks, letting any unauthenticated user upload arbitrary files.
This critical severity vulnerability received a CVSS score of 9.0, and it affected the plugin version 3.3.5 and earlier.
The second vulnerability, CVE-2023-38389, existed in the ajax_handler
function of the Facebook login process. An unauthenticated adversary could easily call the function while setting any value to the social-media-user-facebook-id meta
of a user with the set_user_facebook_id
function. Exploiting the vulnerability in this manner allows an adversary to hijack target accounts. In worst-case scenarios, hijacking a higher privileged account even leads to website takeovers.
This vulnerability also received a critical severity rating with a CVSS score of 9.8. The flaw affects the plugin versions 3.3.8 and earlier.
Bug Fixes Released With Plugin Updates
Upon discovering the vulnerabilities, the researcher reported the matter to the plugin developers. In response, Artbees first patched the vulnerability CVE-2023-38388 with the plugin version 3.3.8.
However, since this version developed another vulnerability (CVE-2023-38389), the developers worked again to fix the issue. Finally, Jupiter Core X plugin version 3.4.3 arrived with both patches.
Since the patches for both vulnerabilities have arrived, WordPress admins must update their websites with the latest plugin version at the earliest.
Let us know your thoughts in the comments.