[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fwzprp8FGaNew1z4nDbtztN241Y6XItgLUuCWWOvVfKg":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":29},"CVE-2026-39491","jupiter-x-core-authenticated-subscriber-stored-cross-site-scripting","Jupiter X Core \u003C= 4.14.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting","The Jupiter X Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 4.14.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","jupiterx-core",null,"\u003C=4.14.1","4.14.2","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-13 00:00:00","2026-04-21 15:05:01",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fae3dd251-3415-4a7f-93d9-c0fe23b5ed31?source=api-prod",9,[],"researched",false,3,"This plan outlines the research and exploitation process for **CVE-2026-39491** (Stored XSS) in the **Jupiter X Core** plugin.\n\n### 1. Vulnerability Summary\nThe **Jupiter X Core** plugin (versions \u003C= 4.14.1) contains a stored cross-site scripting vulnerability. The issue stems from an AJAX handler intended for theme or layout settings that fails to verify administrative capabilities and does not sanitize input before saving it to the database. Specifically, a subscriber-level user can trigger an AJAX action to update plugin settings or metadata. When these settings are rendered on the frontend or in the admin dashboard, the malicious script executes.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fadmin-ajax.php`\n*   **Action:** `jupiterx_core_cp_save_settings` or `jupiterx_core_save_layout_settings` (inferred from common Jupiter X Core AJAX patterns).\n*   **Vulnerable Parameter:** Likely a nested array within a `settings` or `data` parameter (e.g., `settings[breadcrumb_text]` or `settings[footer_content]`).\n*   **Authentication:** Required (Subscriber-level or higher).\n*   **Preconditions:** The plugin must be active, and the attacker must have valid subscriber credentials.\n\n### 3. Code Flow (Inferred)\n1.  **Registration:** The plugin registers an AJAX action for authenticated users:\n    `add_action( 'wp_ajax_jupiterx_core_cp_save_settings', 'jupiterx_core_cp_save_settings_callback' );`\n2.  **Entry Point:** `jupiterx_core_cp_save_settings_callback()` (in `includes\u002Fcontrol-panel\u002F2.0\u002Fincludes\u002Fajax.php`) is called.\n3.  **Verification Gap:** The function likely checks a nonce but fails to call `current_user_can( 'manage_options' )`.\n4.  **Source:** The function retrieves raw data from `$_POST['settings']`.\n5.  **Sink (Storage):** The data is passed to `update_option( 'jupiterx_settings', $settings )` or `update_post_meta()` without sanitization.\n6.  **Sink (Output):** When a page is loaded, the plugin retrieves the setting and echoes it:\n    `echo get_option( 'jupiterx_settings' )['vulnerable_field'];` (missing `esc_html` or `esc_attr`).\n\n### 4. Nonce Acquisition Strategy\nJupiter X Core typically localizes nonces for its Control Panel (CP) in a global JavaScript object.\n\n1.  **Identify Script Loading:** The Control Panel scripts load on the Jupiter X dashboard page.\n2.  **Setup:** Create a Subscriber user and log in.\n3.  **Navigation:** Navigate to `\u002Fwp-admin\u002Fadmin.php?page=jupiterx` (or the default plugin landing page accessible to users).\n4.  **Extraction:** Use `browser_eval` to extract the nonce:\n    *   **Variable Name:** `window.jupiterx_core_cp` (inferred).\n    *   **Key:** `nonce`.\n    *   **Command:** `browser_eval(\"window.jupiterx_core_cp?.nonce\")`.\n\n### 5. Exploitation Strategy\n1.  **Login:** Authenticate as a Subscriber user via the `http_request` tool.\n2.  **Nonce Retrieval:** Navigate to the Jupiter X dashboard and extract the `jupiterx_core_cp.nonce` as described above.\n3.  **Craft Payload:** Create a JSON or URL-encoded payload that targets a setting reflected on the site header or breadcrumbs.\n    *   **Payload:** `\u003Cimg src=x onerror=alert(\"XSS_EXPLOITED\")>`\n4.  **Submit Request:** Use `http_request` to send a POST request to `admin-ajax.php`.\n    ```http\n    POST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\n    Content-Type: application\u002Fx-www-form-urlencoded\n\n    action=jupiterx_core_cp_save_settings&nonce=[EXTRACTED_NONCE]&settings[breadcrumb_custom_text]=\u003Cimg src=x onerror=alert('XSS_EXPLOITED')>\n    ```\n5.  **Trigger:** Navigate to the site's homepage or any post where breadcrumbs\u002Fsettings are displayed.\n\n### 6. Test Data Setup\n1.  **Users:**\n    *   `admin` (Administrator)\n    *   `attacker` (Subscriber)\n2.  **Plugin Configuration:** Ensure the \"Breadcrumbs\" or \"Custom Layouts\" feature is enabled in Jupiter X settings so the injected meta\u002Foption is actually rendered on the frontend.\n3.  **Content:** Create at least one public post to view the breadcrumb\u002Fheader output.\n\n### 7. Expected Results\n*   **Success Response:** The AJAX request should return a JSON success message (e.g., `{\"success\": true}`).\n*   **Persistence:** The malicious payload should be visible in the database under the `jupiterx_settings` option.\n*   **Execution:** When viewing the frontend, a JavaScript alert box with \"XSS_EXPLOITED\" should appear.\n\n### 8. Verification Steps\n1.  **Database Check:** Use WP-CLI to verify the stored value:\n    `wp option get jupiterx_settings`\n2.  **Frontend Check:** Use `http_request` (GET) on the homepage and check if the raw payload exists in the HTML:\n    `grep \"XSS_EXPLOITED\" response_body.html`\n3.  **Admin Check:** Log in as an Administrator and navigate to the plugin settings page to see if the script executes in the admin context (more critical impact).\n\n### 9. Alternative Approaches\n*   **Elementor Widget Settings:** If the `cp_save_settings` action is not the culprit, investigate the `jupiterx_core_save_elementor_template` action. This often allows users to save widget configurations. A subscriber might be able to save a \"Custom HTML\" widget to a global section.\n*   **Meta Injection:** Try the action `jupiterx_core_save_post_meta` (inferred) if the plugin allows subscribers to edit theme-specific metadata for their own posts, which then fails to escape on output.\n*   **Payload Variations:**\n    *   `\">\u003Cscript>alert(1)\u003C\u002Fscript>` (to break out of attribute quotes).\n    *   `javascript:alert(1)` (if the payload is injected into a URL\u002Fhref field).","gemini-3-flash-preview","2026-04-27 14:59:59","2026-04-27 15:01:51",{"type":30,"vulnerable_version":31,"fixed_version":11,"vulnerable_browse":32,"vulnerable_zip":33,"fixed_browse":34,"fixed_zip":35,"all_tags":36},"plugin","4.11.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fjupiterx-core\u002Ftags\u002F4.11.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fjupiterx-core.4.11.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fjupiterx-core\u002Ftags\u002F4.14.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fjupiterx-core.4.14.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fjupiterx-core\u002Ftags"]