Jupiterx Core
Monthly
Unauthorized information disclosure in the Artbees JupiterX Core WordPress plugin (versions 4.14.1 and earlier) allows remote unauthenticated attackers to bypass access controls and read data that should require authentication. The flaw is classified as CWE-862 (Missing Authorization) and was disclosed via Patchstack; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Stored or reflected Cross-Site Scripting in the JupiterX Core WordPress plugin (versions up to and including 4.14.1) allows low-privilege authenticated users with Subscriber roles to inject malicious JavaScript that executes in the browser context of other users, including administrators. The scope change component (S:C in CVSS) confirms the payload crosses security boundaries, enabling session hijacking, credential theft, or unauthorized administrative actions against victims who view attacker-controlled content. No public exploit code has been identified at time of analysis, and this vulnerability has not been listed in the CISA KEV catalog.
Unauthorized information disclosure in the Artbees JupiterX Core WordPress plugin (versions 4.14.1 and earlier) allows remote unauthenticated attackers to bypass access controls and read data that should require authentication. The flaw is classified as CWE-862 (Missing Authorization) and was disclosed via Patchstack; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Stored or reflected Cross-Site Scripting in the JupiterX Core WordPress plugin (versions up to and including 4.14.1) allows low-privilege authenticated users with Subscriber roles to inject malicious JavaScript that executes in the browser context of other users, including administrators. The scope change component (S:C in CVSS) confirms the payload crosses security boundaries, enabling session hijacking, credential theft, or unauthorized administrative actions against victims who view attacker-controlled content. No public exploit code has been identified at time of analysis, and this vulnerability has not been listed in the CISA KEV catalog.