CVE-2026-39490

Vulnerability

An unauthenticated broken access control vulnerability exists in the JupiterX Core plugin for WordPress, affecting versions 4.14.1 and earlier. The issue stems from missing authorization, authentication, or nonce token checks in a function, enabling unprivileged users to execute actions that should require higher privileges. No authentication is required to trigger the flaw.

Exploitation

An attacker can exploit this vulnerability remotely without any prior authentication or user interaction. By sending crafted requests to the vulnerable endpoint, the attacker can bypass access controls and invoke privileged operations. The vulnerability is considered easy to exploit and has been observed in mass-exploit campaigns targeting thousands of websites.

Impact

Successful exploitation allows an unauthenticated attacker to perform actions reserved for higher-privileged users, such as modifying site settings, creating or deleting content, or other administrative tasks. This can lead to full compromise of the WordPress site, including data disclosure, defacement, or further malware injection. The CVSS score of 7.5 (High) reflects the potential for significant impact without authentication.

Mitigation

The vulnerability is fixed in version 4.14.2 of JupiterX Core. Users are strongly advised to update immediately. If unable to update, consider contacting your hosting provider or web developer for assistance. Patchstack users can enable auto-updates for vulnerable plugins. No other workarounds are documented in the available reference [1].