Over 90,000 WordPress Sites Exposed Due to Security Flaws in Jupiter X Core Plugin


Researchers have disclosed two vulnerabilities in the popular Jupiter X Core WordPress plugin, which is installed on over 90,000 websites worldwide. One is rated critical.

Together these flaws allow attackers to execute arbitrary code and to log in without credentials, either of which is enough to take over an affected site.

The vulnerabilities were identified by Geo Void and disclosed through the Wordfence Bug Bounty Program.

About Jupiter X Core WordPress Plugin

The Jupiter X Core plugin by Artbees is required to unlock the full capabilities of the Jupiter X theme. Its key features include:

  • Managing template and plugin installations.
  • Customizing different aspects of your website with an intuitive customizer tool.
  • Creating and modifying headers, footers, single posts, and archive pages with dedicated builders.
  • Advanced dynamic tags for adding personalized and interactive elements, and more.

Everyone using Jupiter X must install and activate this plugin to access the complete suite of features.

Vulnerability Summary of Jupiter X Core WordPress Plugin

The two flaws disclosed by the research are summarized below.

CVE-2024-7772

CVSS Score: 9.8

This vulnerability was found in versions up to and including 4.6.5.

Cause: Insufficient file type validation in the plugin's 'validate' function lets an unauthenticated attacker upload arbitrary files, such as a PHP web shell, to the server. Once an executable file lands in a web-served directory, the attacker has remote code execution and effectively complete control of the site.
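The general bug class behind this kind of finding is an upload validator that believes data the client controls: the declared MIME type, a client-supplied list of allowed types, or the file name alone. The following is an added example written for this article, not code from Jupiter X Core, and it does not reproduce the plugin's internal logic. It puts such a weak validator next to a hardened one that keeps the allow-list server-side, rejects double extensions, and sniffs the actual bytes with libmagic. The function names, the constant `ALLOWED_TYPES`, and the sample uploads are all constructed for the example.

```php
<?php
// Added example, not code from Jupiter X Core: a weak upload validator that
// trusts request data, beside a hardened one that checks extension and content.
// Names (validate_weak, validate_hardened, ALLOWED_TYPES) are this example's own.

// Server-side allow-list: extension => MIME types the bytes must actually have.
const ALLOWED_TYPES = [
    'jpg' => ['image/jpeg'],
    'png' => ['image/png'],
    'pdf' => ['application/pdf'],
];

// Builds the array PHP would put in $_FILES for one uploaded part (constructed sample).
function sample_upload(string $name, string $client_type, string $bytes): array
{
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    return ['name' => $name, 'type' => $client_type, 'tmp_name' => $tmp, 'size' => strlen($bytes)];
}

// WEAK: the allow-list arrives in the request and the client-declared MIME
// type ($_FILES[...]['type']) is believed. Both are attacker-controlled.
function validate_weak(array $file, array $request): bool
{
    $allowed = explode(',', strtolower($request['allowed_types'] ?? 'jpg,png,pdf'));
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    return in_array($ext, $allowed, true) && strpos($file['type'], 'image/') === 0;
}

// HARDENED: fixed allow-list, exactly one extension, and the real content is
// sniffed with libmagic and must agree with that extension.
function validate_hardened(array $file): bool
{
    $parts = explode('.', basename($file['name']));
    if (count($parts) !== 2 || $parts[0] === '') {
        return false;   // no extension, a dotfile, or a shell.php.png style double extension
    }
    $ext = strtolower($parts[1]);
    if (!isset(ALLOWED_TYPES[$ext])) {
        return false;   // extension not on the server-side list
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $actual = $finfo->file($file['tmp_name']);
    return in_array($actual, ALLOWED_TYPES[$ext], true);
}

// Runs both validators over constructed uploads and returns the verdicts.
function demo(): array
{
    // 1x1 transparent PNG and a harmless PHP file, both constructed for the demo.
    $png = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==');
    $php = "<?php phpinfo(); ?>\n";

    $shell   = sample_upload('shell.php', 'image/png', $php);      // PHP with a lying MIME type
    $double  = sample_upload('shell.php.png', 'image/png', $php);  // double extension
    $renamed = sample_upload('avatar.png', 'image/png', $php);     // PHP renamed to .png
    $real    = sample_upload('avatar.png', 'image/png', $png);     // genuine PNG

    $attackerRequest = ['allowed_types' => 'php,jpg,png'];         // attacker widens the list

    $results = [
        'weak_accepts_shell'       => validate_weak($shell, $attackerRequest),
        'hardened_rejects_shell'   => !validate_hardened($shell),
        'hardened_rejects_double'  => !validate_hardened($double),
        'hardened_rejects_renamed' => !validate_hardened($renamed),
        'hardened_accepts_png'     => validate_hardened($real),
    ];
    foreach ([$shell, $double, $renamed, $real] as $f) {
        unlink($f['tmp_name']);
    }
    return $results;
}

if (PHP_SAPI === 'cli') {
    foreach (demo() as $check => $ok) {
        printf("%-26s %s\n", $check, $ok ? 'pass' : 'FAIL');
    }
}
```

Run it with `php upload_check.php`; every line should print `pass`. In a real WordPress plugin the equivalent of `validate_hardened` is to hand the file to core's `wp_check_filetype_and_ext()`, which performs the same extension-versus-content comparison against the site's allowed MIME types, and to make sure the upload directory itself does not execute PHP.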

CVE-2024-7781

CVSS Score: 8.1

This vulnerability affects versions up to and including 4.7.5.

Cause: The Social Login widget does not properly verify the identity claim before signing a user in, so an unauthenticated attacker can bypass authentication and log in as the first user who ever signed in through a social media account, which may be an administrator. The flaw is exploitable even if Social Login is currently turned off, as long as the feature was used at some point.
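Authentication bypasses of this shape come from treating an identity claim in the request as if it were a verified assertion from the identity provider, and from leaving the login path reachable after the feature is switched off. The following is an added example for this article, not Jupiter X Core's code, and it models the bug class rather than the plugin's internal mechanism. The user table, the `PROVIDER_SECRET`, the HMAC-based stand-in for provider verification, and all function names are constructed for the example; a real implementation would verify the provider's ID token signature or call its token-info endpoint instead.

```php
<?php
// Added example, not code from Jupiter X Core: a simplified social-login handler
// showing the weak pattern (trusting the client's identity claim) beside a
// hardened one. The user table, the setting and the provider check are stand-ins
// built for this example; function names are this example's own.

const PROVIDER_SECRET = 'constructed-shared-secret-for-this-example';

// Constructed user table: user 1, an administrator, once signed in through Google.
function sample_users(): array
{
    return [
        1 => ['login' => 'admin',  'role' => 'administrator', 'social' => ['google' => 'g-100']],
        2 => ['login' => 'editor', 'role' => 'editor',        'social' => []],
    ];
}

// Maps a (provider, provider user id) pair to a local user id, or null.
function find_user_by_social(array $users, string $provider, string $id): ?int
{
    foreach ($users as $uid => $u) {
        if ($id !== '' && ($u['social'][$provider] ?? null) === $id) {
            return $uid;
        }
    }
    return null;
}

// WEAK: provider and user id are read straight from the POST body. Nothing proves
// the caller completed the provider's login flow, and the "feature disabled"
// setting is never consulted, so the old social link of user 1 stays usable.
function social_login_weak(array $users, array $post): ?int
{
    return find_user_by_social($users, $post['provider'] ?? '', $post['social_id'] ?? '');
}

// Stand-in for verifying the provider's assertion server-side (an ID token
// signature check or a token-info call): here it is "<id>.<hmac>" over a
// secret only the server and provider hold. Returns the verified id or null.
function verify_provider_assertion(string $provider, string $assertion): ?string
{
    [$id, $mac] = array_pad(explode('.', $assertion, 2), 2, '');
    $expected = hash_hmac('sha256', $provider . '|' . $id, PROVIDER_SECRET);
    return ($id !== '' && hash_equals($expected, $mac)) ? $id : null;
}

// Demo helper only: what the provider would hand back after a genuine login.
function issue_assertion(string $provider, string $id): string
{
    return $id . '.' . hash_hmac('sha256', $provider . '|' . $id, PROVIDER_SECRET);
}

// HARDENED: refuse when the feature is off, verify the assertion before any
// lookup, and only then map the verified provider id to a local user.
function social_login_hardened(array $users, array $post, bool $enabled): ?int
{
    if (!$enabled) {
        return null;
    }
    $provider = $post['provider'] ?? '';
    $id = verify_provider_assertion($provider, $post['assertion'] ?? '');
    if ($id === null) {
        return null;
    }
    return find_user_by_social($users, $provider, $id);
}

// Runs both handlers over constructed requests and returns the verdicts.
function demo(): array
{
    $users   = sample_users();
    $claim   = ['provider' => 'google', 'social_id' => 'g-100'];            // bare claim, no proof
    $forged  = ['provider' => 'google', 'assertion' => 'g-100.deadbeef'];   // bad MAC
    $genuine = ['provider' => 'google', 'assertion' => issue_assertion('google', 'g-100')];

    return [
        'weak_logs_in_admin_from_bare_claim' => social_login_weak($users, $claim) === 1,
        'hardened_refuses_when_disabled'     => social_login_hardened($users, $genuine, false) === null,
        'hardened_refuses_bare_claim'        => social_login_hardened($users, $claim, true) === null,
        'hardened_refuses_forged_assertion'  => social_login_hardened($users, $forged, true) === null,
        'hardened_accepts_verified_login'    => social_login_hardened($users, $genuine, true) === 1,
    ];
}

if (PHP_SAPI === 'cli') {
    foreach (demo() as $check => $ok) {
        printf("%-36s %s\n", $check, $ok ? 'pass' : 'FAIL');
    }
}
```

Run it with `php social_login_check.php`; every line should print `pass`. The two points to carry over to a real plugin are the order of operations in `social_login_hardened` (feature flag, then provider verification, then user lookup, never a lookup first) and the fact that disabling the widget must also disable the server-side handler, not just hide the button.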

Response and Mitigation

When these vulnerabilities were discovered, the Wordfence team reported them to Artbees. The vendor responded promptly and released fixes in three stages:

  • First patch: August 22, 2024
  • Second patch: September 12, 2024
  • Third patch: September 18, 2024

“All Jupiter X users must update their websites to Jupiter X Core’s latest patched version, i.e., 4.7.8.”

Before and after updating, confirm the installed version on the WordPress Plugins page; any site still running a version below 4.7.8 should be treated as unpatched.


Janki Mehta

Janki Mehta is a passionate Cyber-Security Enthusiast who keenly monitors the latest developments in the Web/Cyber Security industry. She puts her knowledge into practice and helps web users by arming them with the necessary security measures to stay safe in the digital world.