API Security Blog

90,000 WordPress Sites Affected by Arbitrary File Upload and Authentication Bypass Vulnerabilities in Jupiter X Core WordPress Plugin

📢 Did you know Wordfence runs a Bug Bounty Program for all WordPress plugins and themes at no cost to vendors? Through October 7th, 2024, XSS vulnerabilities in all plugins and themes with >=1,000 Active Installs are in scope for all researchers. In addition, through October 14th, 2024, researchers can earn up to $31,200 for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest.

On August 6th, 2024, we received a submission for an Arbitrary File Upload vulnerability in Jupiter X Core, a WordPress plugin with more than 90,000 active installations. This vulnerability makes it possible for an unauthenticated attacker to upload arbitrary files to a vulnerable site and achieve remote code execution, which is typically leveraged for a complete site takeover.

On the same day, we also received a submission for a Limited Authentication Bypass to Account Takeover vulnerability in the same plugin. This vulnerability makes it possible for unauthenticated attackers to log in as the first user who logged in using Google or Facebook, including administrator accounts.

Props to Geo Void, who discovered and responsibly reported these vulnerabilities through the Wordfence Bug Bounty Program. This researcher earned a bounty of $2,145.00 for the Arbitrary File Upload and $1,690.00 for the Authentication Bypass to Account Takeover discoveries.

Our mission is to Secure the Web, which is why we are…
