Skip to main content

Jupiterx Core

2 CVEs product

Monthly

CVE-2026-39490 HIGH This Week

Unauthorized information disclosure in the Artbees JupiterX Core WordPress plugin (versions 4.14.1 and earlier) allows remote unauthenticated attackers to bypass access controls and read data that should require authentication. The flaw is classified as CWE-862 (Missing Authorization) and was disclosed via Patchstack; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Jupiterx Core
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-39491 MEDIUM This Month

Stored or reflected Cross-Site Scripting in the JupiterX Core WordPress plugin (versions up to and including 4.14.1) allows low-privilege authenticated users with Subscriber roles to inject malicious JavaScript that executes in the browser context of other users, including administrators. The scope change component (S:C in CVSS) confirms the payload crosses security boundaries, enabling session hijacking, credential theft, or unauthorized administrative actions against victims who view attacker-controlled content. No public exploit code has been identified at time of analysis, and this vulnerability has not been listed in the CISA KEV catalog.

XSS Jupiterx Core
NVD
CVSS 3.1
6.5
EPSS
0.2%
EPSS 0% CVSS 7.5
HIGH This Week

Unauthorized information disclosure in the Artbees JupiterX Core WordPress plugin (versions 4.14.1 and earlier) allows remote unauthenticated attackers to bypass access controls and read data that should require authentication. The flaw is classified as CWE-862 (Missing Authorization) and was disclosed via Patchstack; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Jupiterx Core
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored or reflected Cross-Site Scripting in the JupiterX Core WordPress plugin (versions up to and including 4.14.1) allows low-privilege authenticated users with Subscriber roles to inject malicious JavaScript that executes in the browser context of other users, including administrators. The scope change component (S:C in CVSS) confirms the payload crosses security boundaries, enabling session hijacking, credential theft, or unauthorized administrative actions against victims who view attacker-controlled content. No public exploit code has been identified at time of analysis, and this vulnerability has not been listed in the CISA KEV catalog.

XSS Jupiterx Core
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy