CVE-2023-3813

HIGH

Jupiter X Core <2.5.0 - Info Disclosure

Title source: llm

Description

The Jupiter X Core plugin for WordPress is vulnerable to arbitrary file downloads in versions up to, and including, 4.6.6. This makes it possible for unauthenticated attackers to download the contents of arbitrary files on the server, which can contain sensitive information. This requires the premium version of the plugin to be activated. NOTE: This vulnerability was partially patched in version 4.6.5 and fully patched in version 4.6.9.

Scores

CVSS v3 7.5
EPSS 0.0099
EPSS Percentile 58.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-22
Status published
Products (2)
artbees/Jupiter X Core < 4.6.6
artbees/jupiter_x_core < 2.5.0
Published Jul 21, 2023
Tracked Since Feb 18, 2026