CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description (NVD)
The Jupiter X Core plugin for WordPress is vulnerable to limited file uploads due to missing authorization on the import_popup_templates() function as well as insufficient file type validation in the upload_files() function in all versions up to, and including, 4.14.1. This makes it possible for authenticated attackers with Subscriber-level access and above to upload files with dangerous types, which can lead to Remote Code Execution on servers configured to handle .phar files as executable PHP (e.g., Apache+mod_php), or to Stored Cross-Site Scripting via .svg, .dfxp, or .xhtml file uploads on any server configuration.
Analysis (AI)
The Jupiter X Core plugin for WordPress contains an unrestricted file upload vulnerability allowing authenticated users with Subscriber-level privileges or higher to upload dangerous file types including .phar, .svg, .dfxp, and .xhtml files. This stems from missing authorization checks in the import_popup_templates() function and insufficient file type validation in the upload_files() function. …
Remediation (AI)
Within 24 hours: Identify all WordPress installations using Jupiter X Core plugin and document affected systems; disable the plugin's file upload functionality if possible. Within 7 days: Audit recent file uploads in affected systems for suspicious .phar, .svg, .dfxp, and .xhtml files; implement Web Application Firewall rules to block these file types; review user access logs for unauthorized upload attempts. …
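The audit step in the remediation above, as an added example that is not from vuln.today or the plugin: a Python script that walks a WordPress uploads tree, flags recently modified files of the four types named in the advisory, and inspects the .svg/.dfxp/.xhtml files for embedded active content. Paths, file contents and the 24-hour window are constructed assumptions for the demo.

```python
import os
import re
import time
from pathlib import Path

# Extensions named in the advisory: .phar may execute as PHP on some servers,
# the others are stored-XSS vectors on any server.
EXEC_EXTS = {".phar"}
XSS_EXTS = {".svg", ".dfxp", ".xhtml"}

# Heuristic for active content inside an otherwise "image"/"caption" file.
ACTIVE_CONTENT = re.compile(rb"<script|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def classify_upload(path):
    """Return a finding label for one file, or None if it is not of interest."""
    ext = Path(path).suffix.lower()
    if ext in EXEC_EXTS:
        return "executable-type"  # flag regardless of content
    if ext in XSS_EXTS:
        try:
            head = Path(path).read_bytes()[:65536]  # inspect only the first 64 KiB
        except OSError:
            return "unreadable"
        return "active-content" if ACTIVE_CONTENT.search(head) else "suspicious-type"
    return None


def audit_uploads(root, since_epoch):
    """List (relative path, label) for flagged files modified after since_epoch."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.stat().st_mtime < since_epoch:
                continue  # outside the audit window
            label = classify_upload(p)
            if label:
                findings.append((p.relative_to(root).as_posix(), label))
    return sorted(findings)


def demo():
    """Build a constructed uploads tree in a temp dir and audit the last 24 hours."""
    import tempfile
    d = Path(tempfile.mkdtemp()) / "2025" / "01"
    d.mkdir(parents=True)
    (d / "logo.png").write_bytes(b"\x89PNG constructed")          # benign, not flagged
    (d / "shell.phar").write_bytes(b"<?php echo 1; ?>")           # constructed sample
    (d / "icon.svg").write_text("<svg><script>alert(1)</script></svg>")
    (d / "plain.svg").write_text("<svg><rect/></svg>")
    (d / "captions.dfxp").write_text('<tt onload="x()"/>')
    return audit_uploads(d.parent.parent, since_epoch=time.time() - 86400)
```

Run against a real site with `audit_uploads("/path/to/wp-content/uploads", since)`; the "active-content" hits deserve review first, then the rest by upload time.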
External POC / Exploit Code
EUVD-2026-14650
GHSA-wv9g-vw7m-7mq8