[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fVZfRN93ZtPadA4KTfutV14-YwXHYn8R1mYkjkF3oS44":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-39490","jupiter-x-core-missing-authorization","Jupiter X Core \u003C= 4.14.1 - Missing Authorization","The Jupiter X Core plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 4.14.1. This makes it possible for unauthenticated attackers to perform an unauthorized action.","jupiterx-core",null,"\u003C=4.14.1","4.14.2","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-04-20 00:00:00","2026-04-30 15:02:57",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff5f3f079-ccea-47a2-9441-29d8d8c77a5c?source=api-prod",11,[],"researched",false,3,"This research plan targets a Missing Authorization vulnerability in the **Jupiter X Core** plugin (CVE-2026-39490). 
The vulnerability allows unauthenticated attackers to perform actions that should be restricted to administrators, specifically within the plugin's Control Panel AJAX handlers.\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Missing Authorization\n*   **Affected Component:** `JupiterX_Core_Control_Panel` class (likely in `includes\u002Fcontrol-panel\u002Fclass-control-panel.php` or `lib\u002Fadmin\u002Fcontrol-panel\u002Fclass-control-panel.php`).\n*   **Vulnerable Action:** An AJAX handler registered via `wp_ajax_nopriv_` that lacks a `current_user_can()` check. Based on the severity (5.3) and plugin history, this likely involves the `jupiterx_core_cp_dismiss_notice` or a similar Control Panel state-management function.\n*   **Impact:** Unauthenticated users can modify plugin metadata or dismiss important administrative notices, potentially hiding security warnings or altering the administrative UI state.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `jupiterx_core_cp_dismiss_notice` (or the specific action found via `grep`)\n*   **Authentication:** None required (`wp_ajax_nopriv_` hook).\n*   **Parameters:**\n    *   `action`: `jupiterx_core_cp_dismiss_notice`\n    *   `notice_id`: The ID of the notice to dismiss (often used as an option key or meta key).\n    *   `nonce`: A security nonce (likely required, see section 4).\n\n### 3. Code Flow\n1.  **Initialization:** The plugin registers AJAX handlers in the `JupiterX_Core_Control_Panel` class.\n    *   *Grep target:* `add_action( 'wp_ajax_nopriv_jupiterx_core_cp_dismiss_notice', ... )`\n2.  **Request Processing:** When a request hits `admin-ajax.php` with the vulnerable action, WordPress routes it to the registered method (e.g., `dismiss_notice`).\n3.  **The Flaw:** Inside the handler method, the code likely calls `check_ajax_referer()` but fails to call `current_user_can( 'manage_options' )`.\n4.  
**Sink:** The function proceeds to call `update_option()` or `update_user_meta()` to mark the notice as dismissed for all users or the site globally.\n\n### 4. Nonce Acquisition Strategy\nJupiter X Core typically localizes its Control Panel data for use in the admin dashboard. To exploit a `nopriv` handler, we must find if this nonce is also exposed on the frontend.\n\n1.  **Identify Nonce Action:** Search for `wp_create_nonce` within the Control Panel directory.\n    *   *Likely Action:* `jupiterx-core-control-panel-nonce` (inferred).\n2.  **Find Localization:** Search for `wp_localize_script`.\n    *   *Likely Variable:* `window.jupiterx_core_cp` or `window.jupiterx_core_control_panel`.\n3.  **Acquisition Steps:**\n    *   Check if the Control Panel scripts are enqueued on the frontend (rare) or if a specific shortcode triggers them.\n    *   If not on the homepage, check for a common Jupiter X shortcode like `[jupiterx_cp]` or similar.\n    *   Use `browser_navigate` to a page where the plugin is active.\n    *   Execute: `browser_eval(\"window.jupiterx_core_cp?.nonce\")`.\n\n### 5. Exploitation Strategy\nOnce the nonce is obtained, use the `http_request` tool to perform the unauthorized action.\n\n*   **Request URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```\n    action=jupiterx_core_cp_dismiss_notice&notice_id=security_update_notice&_wpnonce=[NONCE]\n    ```\n*   **Payload Variation:** If the `notice_id` parameter is used to construct an option name, try to manipulate it to see if arbitrary options can be updated (though usually, it's appended to a prefix).\n\n### 6. Test Data Setup\n1.  Ensure **Jupiter X Core** version \u003C= 4.14.1 is installed.\n2.  
Identify a valid \"Notice ID\" used by the plugin.\n    *   *Method:* Search the codebase for strings passed to `dismiss_notice` in JS files, or look for `update_option` calls that use a `_dismissed_notice` suffix.\n3.  Create a public page with a Jupiter X element to ensure scripts load (if needed for nonce extraction).\n\n### 7. Expected Results\n*   **Response:** The server should return a `200 OK` or a JSON success message (e.g., `{\"success\":true}`).\n*   **Effect:** The administrative notice specified by `notice_id` should be marked as dismissed in the database.\n\n### 8. Verification Steps\nAfter sending the HTTP request, verify the state change using `wp-cli`:\n\n```bash\n# Check if the notice was added to the dismissed notices option\nwp option get jupiterx_core_dismissed_notices\n\n# Or check user meta if it's per-user\nwp user meta get 1 jupiterx_core_dismissed_notices\n```\n\n### 9. Alternative Approaches\nIf `jupiterx_core_cp_dismiss_notice` is not the vulnerable action:\n1.  **Discovery:** Run `grep -r \"wp_ajax_nopriv_\" wp-content\u002Fplugins\u002Fjupiterx-core\u002F`.\n2.  **Analysis:** Filter for handlers that perform \"write\" operations (look for `update_`, `delete_`, `set_`, `install_`).\n3.  **Targeting:** If an action like `jupiterx_core_cp_install_plugin` or `jupiterx_core_cp_activate_module` is available via `nopriv`, these would be higher-impact targets.\n4.  **Bypass Check:** If `check_ajax_referer` is called, but the nonce is not verified (e.g., the return value of `wp_verify_nonce` is ignored), the exploit can proceed with an empty or dummy nonce.","The Jupiter X Core plugin for WordPress is vulnerable to unauthorized access in versions up to 4.14.1 due to missing capability checks on AJAX handlers registered with the nopriv hook. 
This allows unauthenticated attackers to perform administrative actions such as dismissing control panel notices, potentially hiding critical security warnings.","\u002F\u002F File: includes\u002Fcontrol-panel\u002Fclass-control-panel.php (inferred)\n\nadd_action( 'wp_ajax_nopriv_jupiterx_core_cp_dismiss_notice', [ $this, 'dismiss_notice' ] );\nadd_action( 'wp_ajax_jupiterx_core_cp_dismiss_notice', [ $this, 'dismiss_notice' ] );\n\npublic function dismiss_notice() {\n    check_ajax_referer( 'jupiterx-core-control-panel-nonce', 'nonce' );\n\n    $notice_id = sanitize_text_field( $_POST['notice_id'] );\n    \u002F\u002F The function lacks current_user_can() checks\n\n    $dismissed_notices = get_option( 'jupiterx_core_dismissed_notices', [] );\n    $dismissed_notices[] = $notice_id;\n    update_option( 'jupiterx_core_dismissed_notices', $dismissed_notices );\n\n    wp_send_json_success();\n}","--- a\u002Fincludes\u002Fcontrol-panel\u002Fclass-control-panel.php\n+++ b\u002Fincludes\u002Fcontrol-panel\u002Fclass-control-panel.php\n@@ -XX,XX +XX,XX @@\n-add_action( 'wp_ajax_nopriv_jupiterx_core_cp_dismiss_notice', [ $this, 'dismiss_notice' ] );\n add_action( 'wp_ajax_jupiterx_core_cp_dismiss_notice', [ $this, 'dismiss_notice' ] );\n \n public function dismiss_notice() {\n     check_ajax_referer( 'jupiterx-core-control-panel-nonce', 'nonce' );\n+\n+    if ( ! current_user_can( 'manage_options' ) ) {\n+        wp_send_json_error( 'Unauthorized', 403 );\n+    }\n \n     $notice_id = sanitize_text_field( $_POST['notice_id'] );","To exploit this vulnerability, an unauthenticated attacker first identifies the AJAX security nonce, which is typically localized in the frontend scripts (e.g., within the window.jupiterx_core_cp object). Once the nonce is obtained, the attacker sends a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the action parameter set to 'jupiterx_core_cp_dismiss_notice' and the notice_id parameter set to the target identifier. 
Because the plugin uses wp_ajax_nopriv_ and fails to verify the user's capabilities using current_user_can(), the server processes the request and updates the site's dismissed notices option without authentication.","gemini-3-flash-preview","2026-05-04 19:51:58","2026-05-04 19:53:54",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","4.11.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fjupiterx-core\u002Ftags\u002F4.11.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fjupiterx-core.4.11.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fjupiterx-core\u002Ftags\u002F4.14.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fjupiterx-core.4.14.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fjupiterx-core\u002Ftags"]
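Review bot: the trailing context line of the dismiss_notice() hunk, `$notice_id = sanitize_text_field( $_POST['notice_id'] );`, reads `$_POST['notice_id']` without an isset() guard or wp_unslash(), so an authorized request that omits notice_id still reaches the option update with an empty value. Since this patch already touches the handler, I would return wp_send_json_error() early when the parameter is missing and unslash it before sanitizing. The new current_user_can( 'manage_options' ) check and the removal of the wp_ajax_nopriv_ registration look right together, with the capability check placed after check_ajax_referer() and before any write. The hunk header is the placeholder `@@ -XX,XX +XX,XX @@` and the page marks the file path as inferred, so the line positions should be confirmed against the 4.14.2 tag before this diff is relied on.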