Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated network-reachable WordPress endpoint missing authorization (PR:N/UI:N/AC:L), yielding high confidentiality disclosure but no integrity or availability impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Broken Access Control in JupiterX Core <= 4.14.1 versions.
AnalysisAI
Unauthorized information disclosure in the Artbees JupiterX Core WordPress plugin (versions 4.14.1 and earlier) allows remote unauthenticated attackers to bypass access controls and read data that should require authentication. The flaw is classified as CWE-862 (Missing Authorization) and was disclosed via Patchstack; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Technical ContextAI
JupiterX Core is the companion plugin that ships with the Artbees JupiterX premium WordPress theme, providing custom post types, page-builder integrations, and AJAX/REST endpoints used by the theme's front-end and admin features. CWE-862 (Missing Authorization) indicates one or more of these endpoints performs a sensitive action without verifying the caller's capabilities (e.g., missing current_user_can() or permission_callback checks on a WordPress AJAX/REST handler). The affected CPE cpe:2.3:a:artbees:jupiterx_core covers all builds up to and including 4.14.1, so any WordPress site running the plugin at default settings is in scope.
RemediationAI
Patch available per vendor advisory - upgrade JupiterX Core to the version above 4.14.1 listed as fixed on the Patchstack page (https://patchstack.com/database/wordpress/plugin/jupiterx-core/vulnerability/wordpress-jupiterx-core-plugin-4-14-1-broken-access-control-vulnerability); the exact fixed release number is not reproduced in the input data, so confirm it on the advisory before deploying. Until the update is applied, restrict access to the affected plugin endpoints at the edge (WAF rule blocking unauthenticated requests to JupiterX AJAX actions and REST routes under /wp-json/jupiterx*), enable Patchstack or an equivalent virtual-patching feed, and as a last-resort workaround deactivate the JupiterX Core plugin - note that this will break the JupiterX theme's builder and dynamic content features, so it is only acceptable as a short-term measure.
More in Jupiterx Core
View allSame weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37045
GHSA-8rf3-g5p2-hg5j