CVE-2023-3813 in Jupiter X Core Plugininfo

Summary

by MITRE • 07/21/2023

The Jupiter X Core plugin for WordPress is vulnerable to arbitrary file downloads in versions up to, and including, 4.6.6. This makes it possible for unauthenticated attackers to download the contents of arbitrary files on the server, which can contain sensitive information. The requires the premium version of the plugin to be activated. NOTE: This vulnerability was partially patched in version 4.6.5 and fully patched in version 4.6.9.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 04/10/2026

The vulnerability identified as CVE-2023-3813 affects the Jupiter X Core plugin for WordPress, representing a critical security flaw that enables unauthenticated attackers to execute arbitrary file download operations on affected servers. This vulnerability specifically impacts versions up to and including 4.6.6, with partial remediation occurring in version 4.6.5 and complete patching in version 4.6.9. The flaw resides within the plugin's handling of file download requests, which lacks proper authentication and authorization mechanisms, allowing malicious actors to access sensitive server files without requiring valid credentials or privileges.

The technical implementation of this vulnerability stems from insufficient input validation and access control measures within the plugin's file download functionality. Attackers can exploit this weakness by crafting malicious requests that target specific file paths on the WordPress server, potentially accessing configuration files, database credentials, user information, or other sensitive data stored within the application's directory structure. The vulnerability requires the premium version of the plugin to be activated, indicating that the flaw is specifically present in the paid functionality rather than the basic plugin features. This design choice may have been intended to limit the scope of exploitation, but it does not prevent the underlying security flaw from being exploited by attackers who have access to the premium features.

The operational impact of CVE-2023-3813 extends beyond simple information disclosure, as the ability to download arbitrary files can provide attackers with comprehensive insights into the target system's configuration and data storage mechanisms. This information can be leveraged to plan more sophisticated attacks, including privilege escalation, data exfiltration, or system compromise. The vulnerability's potential to expose sensitive configuration files, including database connection details, API keys, or administrative credentials, creates a significant risk for WordPress installations using the affected plugin. Organizations running vulnerable versions face the risk of unauthorized access to their entire WordPress environment, potentially leading to complete system compromise and data breaches.

Security practitioners should immediately update affected installations to version 4.6.9 or later to remediate this vulnerability, as the partial patch in version 4.6.5 may not fully address all exploitation vectors. The vulnerability aligns with CWE-22, which describes improper limitation of a pathname to a restricted directory, commonly known as path traversal attacks. From an adversarial perspective, this vulnerability maps to ATT&CK technique T1078.004, which involves valid accounts for lateral movement and privilege escalation through compromised credentials. Organizations should implement additional monitoring measures to detect unusual file access patterns and consider restricting access to sensitive files through server-level configurations. The vulnerability demonstrates the critical importance of maintaining up-to-date plugins and themes, as well as the necessity of conducting regular security assessments to identify and remediate similar weaknesses in WordPress installations.

Responsible

Wordfence

Reservation

07/20/2023

Disclosure

07/21/2023

Moderation

accepted

CPE

ready

EPSS

0.00987

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!