TechRadar
Luke Hughes

This premium WordPress plugin could let hackers hijack your website


JupiterX Core, a WYSIWYG editor plugin for WordPress (and a plausible first-draft Elon Musk baby name), shipped with two flaws that let attackers hijack accounts and upload files without logging in, but patches have been issued.

Reporting the news, BleepingComputer also cites ThemeForest sales for the Jupiter X theme to estimate that it is in use on over 172,000 websites. The real number is probably lower, since not every purchase is a live site, but it is a good indicator of the scale of the problem.

Rafie Muhammad, a researcher at WordPress security firm Patchstack, discovered the two distinct vulnerabilities and reported them to JupiterX developer Artbees, which has since patched both. Naturally, if you use this plugin, update to the latest version as soon as possible.

Jupiter X Core WordPress flaws

The first flaw, CVE-2023-38388, affects all JupiterX Core versions up to and including 3.3.5 and allows file uploads without authentication. On a WordPress site that means an attacker can drop a PHP file into the uploads directory and then request it, so the bug amounts to unauthenticated arbitrary code execution.

The patch arrived in version 3.3.8, adding an authentication check to the plugin's 'upload_files' function as well as a second check that rejects, in BleepingComputer's words, "risky" file types. In practice the type that matters most is PHP, since any .php file placed in a web-reachable directory is executed by the server the moment someone requests it.
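To make the two fixes concrete, here is an added illustration in the form of a WordPress AJAX upload handler written in the vulnerable pattern the CVE describes, followed by a version with the checks the 3.3.8 release is reported to add. This is example code, not Artbees' own; the action name 'example_upload', the nonce name and the 'file' field are assumptions for the example.

```php
<?php
// Added illustration, not JupiterX Core's code. Action name, nonce name and
// the "file" request field are assumptions for this example.

// BEFORE: the pattern behind an unauthenticated upload. If this were hooked
// on wp_ajax_nopriv_example_upload as well as wp_ajax_example_upload, any
// visitor could post a file, and it lands under its original name in the
// uploads directory. A .php upload becomes remote code execution as soon as
// the attacker requests its URL.
function example_upload_files_insecure() {
    $upload_dir = wp_upload_dir();
    $target     = trailingslashit( $upload_dir['path'] ) . basename( $_FILES['file']['name'] );
    move_uploaded_file( $_FILES['file']['tmp_name'], $target );
    wp_send_json_success( array( 'path' => $target ) );
}

// AFTER: logged-in hook only, nonce and capability checks, and the file type
// validated against an allow-list before WordPress handles the upload.
function example_upload_files_secure() {
    check_ajax_referer( 'example_upload_nonce', 'nonce' );

    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( empty( $_FILES['file'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }

    // Allow-list of non-executable types. Anything else (php, phtml, svg,
    // html, ...) is refused regardless of the extension the client claims,
    // because wp_check_filetype_and_ext() also inspects the file content.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'pdf'      => 'application/pdf',
    );
    $check = wp_check_filetype_and_ext(
        $_FILES['file']['tmp_name'],
        $_FILES['file']['name'],
        $allowed
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // wp_handle_upload() re-validates the type, sanitizes the name and writes
    // under the uploads directory, so no destination path is built by hand.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload(
        $_FILES['file'],
        array( 'test_form' => false, 'mimes' => $allowed )
    );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
// Deliberately no wp_ajax_nopriv_ registration: anonymous visitors get no
// handler at all, which is the first half of the fix.
add_action( 'wp_ajax_example_upload', 'example_upload_files_secure' );
```

Note that the capability check and the type check are independent: a site that only added authentication would still let any subscriber-level account upload a web shell, and a site that only filtered extensions would still let anonymous visitors fill the disk or plant phishing pages. Both are needed.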

The second flaw, CVE-2023-38389, allowed an attacker to take over any WordPress account on the site, provided they knew the email address attached to it. It affects JupiterX Core versions up to and including 3.3.8.

Version 3.4.3 fixed this one. Muhammad writes that the 'ajax_handler' function in the plugin's Facebook login mechanism let an attacker set key login variables, including the Facebook user ID, to any value they chose: the handler trusted the identity the client claimed rather than confirming it with Facebook.

Artbees resolved the issue by having the plugin pull the user's email address and unique user ID from Facebook's authentication endpoint rather than from the request, though it is hard to believe it was not coded that way to begin with.
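The following is an added illustration of the account-takeover pattern and its fix, again as a WordPress AJAX handler. It is example code, not the plugin's own: the action name 'example_fb_login', the request field names, and the EXAMPLE_FB_APP_ID and EXAMPLE_FB_APP_SECRET constants (assumed to be defined in wp-config.php) are all assumptions for the example. The hardened version goes one step beyond the fix described above by also asking Facebook which app the token was issued to, which closes the related hole where a token obtained by some other Facebook app is replayed against this site.

```php
<?php
// Added illustration, not JupiterX Core's code. Action name, request fields
// and the EXAMPLE_FB_APP_ID / EXAMPLE_FB_APP_SECRET constants are assumptions.

// BEFORE: the identity is whatever the client posts. Nothing ties the e-mail
// or Facebook ID to a real Facebook session, so anyone who knows a victim's
// e-mail address posts it and receives the victim's login cookie.
function example_fb_login_insecure() {
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $fb_id = sanitize_text_field( wp_unslash( $_POST['fb_user_id'] ?? '' ) );

    $user = get_user_by( 'email', $email );
    if ( ! $user ) {
        wp_send_json_error( 'no such user', 404 );
    }
    update_user_meta( $user->ID, 'fb_user_id', $fb_id );
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID );
    wp_send_json_success();
}

// AFTER: the client sends only the access token Facebook's login dialog gave
// it. The server (1) asks Facebook which app the token belongs to, so a token
// captured by another app cannot be replayed here, and (2) reads the user's
// ID and e-mail from Facebook, never from the request body.
function example_fb_login_secure() {
    $token = sanitize_text_field( wp_unslash( $_POST['access_token'] ?? '' ) );
    if ( '' === $token ) {
        wp_send_json_error( 'missing token', 400 );
    }

    // Step 1: token introspection, authenticated with the app credentials.
    $debug = example_fb_graph_get( 'debug_token', array(
        'input_token'  => $token,
        'access_token' => EXAMPLE_FB_APP_ID . '|' . EXAMPLE_FB_APP_SECRET,
    ) );
    if ( empty( $debug['data']['is_valid'] )
        || (string) $debug['data']['app_id'] !== (string) EXAMPLE_FB_APP_ID ) {
        wp_send_json_error( 'token rejected', 401 );
    }

    // Step 2: the identity as Facebook reports it for this token.
    $profile = example_fb_graph_get( 'me', array(
        'fields'       => 'id,email',
        'access_token' => $token,
    ) );
    if ( empty( $profile['id'] ) || empty( $profile['email'] )
        || (string) $profile['id'] !== (string) $debug['data']['user_id'] ) {
        wp_send_json_error( 'incomplete profile', 401 );
    }

    // Match on a previously linked Facebook ID first, then on the e-mail
    // Facebook vouches for; never on anything the client typed.
    $linked = get_users( array(
        'meta_key'   => 'fb_user_id',
        'meta_value' => $profile['id'],
        'number'     => 1,
    ) );
    $user = $linked ? $linked[0] : get_user_by( 'email', $profile['email'] );
    if ( ! $user ) {
        wp_send_json_error( 'no such user', 404 );
    }
    update_user_meta( $user->ID, 'fb_user_id', $profile['id'] );
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID );
    wp_send_json_success();
}
// A login handler must be reachable by logged-out visitors, so the nopriv
// hook is correct here; the security comes from the checks, not the hook.
add_action( 'wp_ajax_nopriv_example_fb_login', 'example_fb_login_secure' );

// Helper: GET a Graph API endpoint and decode the JSON, or end the request
// on transport or HTTP errors.
function example_fb_graph_get( $path, array $args ) {
    $response = wp_remote_get(
        add_query_arg( $args, 'https://graph.facebook.com/' . $path ),
        array( 'timeout' => 10 )
    );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        wp_send_json_error( 'facebook request failed', 502 );
    }
    return json_decode( wp_remote_retrieve_body( $response ), true );
}
```

The general rule the fix embodies is that in any social-login flow the only thing the browser may supply is a credential the identity provider can be asked about; every attribute used to select the local account must come from the provider's own endpoint in response to that credential.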
