Skip to main content

JupiterX Core CVE-2026-39491

| EUVDEUVD-2026-36942 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-15 Patchstack GHSA-pfwx-6j83-vm5r
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
5.4 MEDIUM

AV:N and AC:L reflect standard web-based XSS; PR:L reflects mandatory Subscriber auth; UI:R and S:C capture cross-user execution; A:N assigned as availability impact is not substantiated by description.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 23:13 vuln.today

DescriptionCVE.org

Subscriber Cross Site Scripting (XSS) in JupiterX Core <= 4.14.1 versions.

AnalysisAI

Stored or reflected Cross-Site Scripting in the JupiterX Core WordPress plugin (versions up to and including 4.14.1) allows low-privilege authenticated users with Subscriber roles to inject malicious JavaScript that executes in the browser context of other users, including administrators. The scope change component (S:C in CVSS) confirms the payload crosses security boundaries, enabling session hijacking, credential theft, or unauthorized administrative actions against victims who view attacker-controlled content. No public exploit code has been identified at time of analysis, and this vulnerability has not been listed in the CISA KEV catalog.

Technical ContextAI

JupiterX Core (CPE: cpe:2.3:a:artbees:jupiterx_core:*:*:*:*:*:*:*:*) is a WordPress plugin developed by Artbees that provides foundational features for the JupiterX premium theme, including page builder elements, shortcodes, and content widgets. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-supplied input is insufficiently sanitized or escaped before being rendered in HTML output. The CVSS scope change (S:C) is particularly significant here: it indicates that JavaScript injected by a Subscriber-role user is rendered and executed in the browser session of a different, potentially higher-privileged user - a classic stored XSS pattern in WordPress plugins where subscriber-accessible fields populate content visible to administrators or editors.

RemediationAI

Upgrade JupiterX Core to a version higher than 4.14.1 immediately; no specific patched version number was confirmed in the available source data, so administrators should check the official WordPress plugin repository or the Artbees website for the latest release and verify it addresses CVE-2026-39491. The Patchstack advisory at https://patchstack.com/database/wordpress/plugin/jupiterx-core/vulnerability/wordpress-jupiterx-core-plugin-4-14-1-cross-site-scripting-xss-vulnerability should be consulted for exact fix version confirmation. If patching is not immediately possible, restrict Subscriber-role registration on the WordPress site (Settings > General > uncheck 'Anyone can register') to eliminate the PR:L attack surface - note this may disrupt legitimate user onboarding flows. Additionally, deploying a Web Application Firewall (WAF) with XSS filtering rules, such as those provided by Patchstack or Wordfence, can provide virtual patching as a temporary compensating control with minimal operational side effects.

Share

CVE-2026-39491 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy