Skip to main content

JupiterX Core CVE-2026-39490

| EUVDEUVD-2026-37045 HIGH
Missing Authorization (CWE-862)
2026-06-16 Patchstack GHSA-8rf3-g5p2-hg5j
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network-reachable WordPress endpoint missing authorization (PR:N/UI:N/AC:L), yielding high confidentiality disclosure but no integrity or availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 10:27 vuln.today

DescriptionCVE.org

Unauthenticated Broken Access Control in JupiterX Core <= 4.14.1 versions.

AnalysisAI

Unauthorized information disclosure in the Artbees JupiterX Core WordPress plugin (versions 4.14.1 and earlier) allows remote unauthenticated attackers to bypass access controls and read data that should require authentication. The flaw is classified as CWE-862 (Missing Authorization) and was disclosed via Patchstack; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

JupiterX Core is the companion plugin that ships with the Artbees JupiterX premium WordPress theme, providing custom post types, page-builder integrations, and AJAX/REST endpoints used by the theme's front-end and admin features. CWE-862 (Missing Authorization) indicates one or more of these endpoints performs a sensitive action without verifying the caller's capabilities (e.g., missing current_user_can() or permission_callback checks on a WordPress AJAX/REST handler). The affected CPE cpe:2.3:a:artbees:jupiterx_core covers all builds up to and including 4.14.1, so any WordPress site running the plugin at default settings is in scope.

RemediationAI

Patch available per vendor advisory - upgrade JupiterX Core to the version above 4.14.1 listed as fixed on the Patchstack page (https://patchstack.com/database/wordpress/plugin/jupiterx-core/vulnerability/wordpress-jupiterx-core-plugin-4-14-1-broken-access-control-vulnerability); the exact fixed release number is not reproduced in the input data, so confirm it on the advisory before deploying. Until the update is applied, restrict access to the affected plugin endpoints at the edge (WAF rule blocking unauthenticated requests to JupiterX AJAX actions and REST routes under /wp-json/jupiterx*), enable Patchstack or an equivalent virtual-patching feed, and as a last-resort workaround deactivate the JupiterX Core plugin - note that this will break the JupiterX theme's builder and dynamic content features, so it is only acceptable as a short-term measure.

Share

CVE-2026-39490 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy