This premium WordPress plugin could let hackers hijack your website
JupiterX Core vulnerabilities have been patched, with users advised to update immediately
JupiterX Core, a WYSIWYG editor for WordPress whose name reads like a first-draft Elon Musk baby name, has been found to contain flaws that let attackers hijack accounts and upload files, but a patch has been issued.
Reporting the news, BleepingComputer also cites Themeforest sales for the JupiterX theme to estimate that it’s used on over 172,000 websites. The real number is probably less than that, but it’s a good indicator of the scale of the problem.
Rafie Muhammad, a researcher at WordPress security firm Patchstack, was the first to discover two distinct vulnerabilities and report them to JupiterX developer ArtBees, who have since patched the flaws. Naturally, if you use this plugin, update your version as soon as possible.
Jupiter X Core WordPress flaw
The first flaw identified, CVE-2023-3838, affects all JupiterX Core versions up to 3.5.5, and allows for file uploads without authentication, opening the floodgates to arbitrary code execution.
A patch came with version 3.3.8, adding authentication checks into the plugin’s ‘upload_files’ function, as well as a second check to block uploads of, per BleepingComputer, “risky” file types. We imagine this means executables.
The second flaw, CVE-2023-38389, allowed an attacker to take over any WordPress account as long as they knew the email address attached to it, and affected JupiterX Core versions up to 3.3.8.
Version 3.4.3 fixed the flaw, with Muhammad writing that the ‘ajax_handler’ function in the plugin’s Facebook login mechanism let any attacker, for a time, set key login variables involving Facebook user IDs to any value.
ArtBees resolved the issue by pulling a user’s e-mail address and unique user ID from Facebook’s authentication endpoint, though it seems hard to believe that it wasn’t coded that way to begin with.
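The pattern described above, as an added illustration that is not JupiterX Core’s own code: a social-login AJAX handler that trusts identity fields from the request body, beside a hardened one that obtains the user ID and e-mail from Facebook’s endpoint for the supplied access token. The function names, nonce action name and request field names are assumptions; the WordPress API calls and the Graph API `/me` endpoint are real.

```php
<?php
// Added illustration of the fix described above: the handler must not trust identity
// fields sent by the browser. Function names and plugin structure are made up.

// WEAK pattern: the request body carries an e-mail and the handler believes it.
function weak_social_login_handler() {
    $email = sanitize_text_field( $_POST['fb_email'] ?? '' ); // attacker-controlled
    $user  = get_user_by( 'email', $email );
    if ( $user ) {
        wp_set_auth_cookie( $user->ID ); // logs in any account whose e-mail is known
        wp_send_json_success();
    }
    wp_send_json_error( 'no such user' );
}

// HARDENED pattern: the client supplies only the provider's access token; the
// user ID and e-mail come from Facebook's own endpoint for that token.
function hardened_social_login_handler() {
    check_ajax_referer( 'social_login_nonce', 'nonce' ); // CSRF check for the AJAX action
    $token = sanitize_text_field( $_POST['fb_access_token'] ?? '' );
    if ( '' === $token ) {
        wp_send_json_error( 'missing token', 400 );
    }
    $profile = fetch_facebook_identity( $token );
    if ( null === $profile || empty( $profile['email'] ) ) {
        wp_send_json_error( 'identity could not be verified', 401 );
    }
    // Match on the provider-asserted e-mail, never on a value from the request body.
    $user = get_user_by( 'email', $profile['email'] );
    if ( ! $user ) {
        wp_send_json_error( 'no such user', 404 );
    }
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID, false, is_ssl() );
    wp_send_json_success( array( 'user_id' => $user->ID ) );
}

// Ask the Graph API who the token belongs to; returns ['id' => ..., 'email' => ...] or null.
// A production handler should also confirm the token was issued to this app (Graph /debug_token).
function fetch_facebook_identity( $token ) {
    $url  = add_query_arg( array( 'fields' => 'id,email', 'access_token' => $token ),
                           'https://graph.facebook.com/me' );
    $resp = wp_remote_get( $url, array( 'timeout' => 10 ) );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        return null;
    }
    $data = json_decode( wp_remote_retrieve_body( $resp ), true );
    return ( is_array( $data ) && isset( $data['id'] ) ) ? $data : null;
}
```

The difference to test for in a review is which side of the exchange asserts the identity: in the weak handler the browser does, in the hardened one only Facebook does.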
Luke Hughes holds the role of Staff Writer at TechRadar Pro, producing news, features and deals content across topics ranging from computing to cloud services, cybersecurity, data privacy and business software.