CVE-2026-39491
Description
JupiterX Core ≤ 4.14.1 contains a subscriber-level stored XSS allowing attackers to inject malicious scripts executed on visitors' browsers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The JupiterX Core plugin for WordPress, versions 4.14.1 and earlier, is vulnerable to stored Cross-Site Scripting (XSS) [1]. The issue exists in the subscriber-role context: an authenticated user with only subscriber privileges can inject arbitrary HTML and JavaScript that is stored by the plugin and later executed when other users (including site visitors) view the affected content. This requires the plugin to be installed and active on the WordPress site.
Exploitation
An attacker exploits this vulnerability by first authenticating as a subscriber-level user, then submitting a malicious payload (e.g., JavaScript) through the vulnerable input fields provided by the plugin [1]. Successful exploitation requires user interaction: a privileged user (such as an administrator) or another visitor must view the attacker's stored content, at which point the payload executes in their browser. No network position or write access beyond normal subscriber actions is needed.
Impact
On successful exploitation, the attacker achieves script execution in the context of the victim's browser. This can lead to theft of session cookies, redirection to malicious sites, injection of advertisements, defacement, or other actions controlled by the injected script [1]. The impact is limited to the browser session of the victim user; however, if an administrator is tricked into viewing the payload, it could lead to further privilege escalation or full site compromise.
Mitigation
The vulnerability is resolved by updating to version 4.14.2 or later of the JupiterX Core plugin [1]. Users are advised to apply the update immediately. For sites that cannot update immediately, Patchstack provides a mitigation rule that blocks exploitation attempts until the update is applied [1]. As of this writing, this CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
Vulnerability mechanics
No source-code context is available for this CVE. The mechanics section is only generated when the actual fix diff can be read; without it, the four sub-sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 1
News mentions: 0 (no linked articles in the index yet)