Jupiter X Core Missing Authorization Vulnerability Allowing Dangerous File Uploads

Vulnerability

A vulnerability exists in the Jupiter X Core plugin for WordPress, affecting all versions up to and including 4.14.1. The issue arises from a lack of proper authorization in the 'import_popup_templates' function, combined with inadequate validation of file types in the 'upload_files' function. This flaw enables authenticated attackers with Subscriber-level access and above to upload files of dangerous types. Such uploads could lead to remote code execution on servers that execute .phar files as PHP, or cause stored cross-site scripting by uploading .svg, .dfxp, or .xhtml files on any server configuration.

Impact

Exploitation of this vulnerability could result in unauthorized file uploads of dangerous types, potentially leading to remote code execution or stored cross-site scripting, depending on the file type uploaded and the server configuration.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher uploads files through a form that allows file uploads. The 'import_popup_templates' function is reachable via an AJAX request and does not properly check whether the user has the right to upload files. The 'upload_files' function then accepts files with dangerous extensions, such as .phar, .svg, .dfxp, or .xhtml.

Remediation

Users are advised to update the Jupiter X Core plugin to version 4.14.2 or a newer patched version.
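
Updating does not remove files that were uploaded before the patch, so a site owner may also want to audit for the file types named above. The following is an added example, not code from the plugin or from this advisory: the function names are hypothetical, the directory to scan (for instance the WordPress uploads directory) is an assumption because the advisory does not say where uploaded files are stored, and the script-marker regex is a triage heuristic only.

```python
import os
import re
import tempfile

# Extensions named in the advisory: .phar (server-side risk), XML-based types (stored XSS).
EXECUTABLE_EXT = {".phar"}
MARKUP_EXT = {".svg", ".dfxp", ".xhtml"}
# Heuristic markers of active content; a clean result does not prove a file is harmless.
ACTIVE_CONTENT = re.compile(rb"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)

def audit_uploads(root):
    """Return sorted (relative_path, reason) pairs for files of the advisory's types."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()  # case-insensitive match
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if ext in EXECUTABLE_EXT:
                findings.append((rel, "phar archive: review and remove if unexpected"))
            elif ext in MARKUP_EXT:
                try:
                    with open(os.path.join(root, rel), "rb") as fh:
                        head = fh.read(1024 * 1024)  # cap bytes read per file
                except OSError:
                    findings.append((rel, "unreadable markup file"))
                    continue
                if ACTIVE_CONTENT.search(head):
                    findings.append((rel, "markup with active content"))
                else:
                    findings.append((rel, "markup file, no script markers found"))
    return sorted(findings)

def demo():
    """Run the audit over a constructed directory tree (all sample files are made up)."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "2026/03/logo.svg": b"<svg xmlns='http://www.w3.org/2000/svg'><rect/></svg>",
            "2026/03/banner.SVG": b"<svg onload='x()'></svg>",
            "2026/03/pack.phar": b"constructed placeholder bytes",
            "2026/03/photo.jpg": b"\xff\xd8\xff",
        }
        for rel, data in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return audit_uploads(root)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason}: {rel}")
```

Files flagged as markup without script markers still deserve a manual look if no legitimate workflow on the site produces them.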

Added: Mar 24, 2026, 12:22 AM
Updated: Mar 24, 2026, 12:22 AM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 10.0
exploitability: 6.0
remediation: 7.7
relevance: 4.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.