CVE-2026-3533
Published: 24 March 2026
Summary
CVE-2026-3533 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in WordPress (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 47.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
The Jupiter X Core plugin for WordPress contains a vulnerability (CVE-2026-3533) that enables limited file uploads due to missing authorization checks in the import_popup_templates() function and insufficient file type validation in the upload_files() function. This issue affects all versions up to and including 4.14.1. Assigned a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and mapped to CWE-434 (Unrestricted Upload of File with Dangerous Type), it was published on 2026-03-24.
Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability to upload arbitrary files with dangerous extensions. On servers configured to execute .phar files as PHP (such as Apache with mod_php), this can result in remote code execution. On any server configuration, uploads of .svg, .dfxp, or .xhtml files can lead to stored cross-site scripting attacks.
Advisories and references, including the Wordfence threat intelligence report and WordPress plugin trac browser links to specific code revisions (e.g., class-popup.php at line 138, ajax-handler.php at line 434, and file.php at line 214 in revision 3430169), highlight the vulnerable code paths but do not detail explicit mitigation steps beyond implying the need to address the authorization and validation flaws in updated versions.
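The following is an added example, not code from the Jupiter X Core plugin or from any of the referenced advisories. It shows a WordPress AJAX upload handler hardened against both defect classes described above: an explicit capability check (the authorization missing from import_popup_templates()) and allowlist-based file type validation (the check upload_files() performs insufficiently). The hook name, nonce action, capability and allowlist are assumptions chosen for illustration.

```php
<?php
// Added example, not the plugin's code: a WordPress AJAX upload handler that
// closes both defect classes named above (missing authorization and weak file
// type validation). Hook name, nonce action, capability and the allowlist are
// assumptions chosen for illustration.

// Only the authenticated hook is registered; no 'wp_ajax_nopriv_' counterpart.
add_action( 'wp_ajax_example_import_templates', 'example_import_templates' );

function example_import_templates() {
    // 1. Authorization. Every logged-in user can reach admin-ajax.php, so the
    //    handler itself must check a capability; Subscribers lack this one.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    check_ajax_referer( 'example_import_nonce', 'nonce' ); // CSRF protection

    if ( empty( $_FILES['file'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file received', 400 );
    }
    $file = $_FILES['file'];

    // 2. File type validation by allowlist, never by denylist. Everything not
    //    listed (.phar, .svg, .dfxp, .xhtml, .php, ...) is refused, and
    //    wp_check_filetype_and_ext() also compares the sniffed content type
    //    with the extension's type instead of trusting the client-supplied name.
    $allowed = array( 'json' => 'application/json', 'zip' => 'application/zip' );
    $info    = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $info['ext'] ) || empty( $info['type'] ) ) {
        wp_send_json_error( 'file type not permitted', 415 );
    }

    // Refuse multi-extension names such as "x.phar.json": with mod_php and an
    // AddHandler for .phar, Apache's mod_mime honours handlers attached to any
    // of the extensions, so the inner one could still mark the file executable.
    if ( substr_count( $file['name'], '.' ) !== 1 ) {
        wp_send_json_error( 'filename must carry exactly one extension', 400 );
    }

    // Store through core so the name is sanitized and the uploads dir is used.
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 500 );
    }
    wp_send_json_success( array( 'file' => basename( $result['file'] ) ) );
}
```

The same two checks belong in any plugin endpoint reachable through admin-ajax.php, since registering a `wp_ajax_` hook alone does not restrict which roles may call it.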
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-14650
Vulnerability details
The Jupiter X Core plugin for WordPress is vulnerable to limited file uploads due to missing authorization on the import_popup_templates() function as well as insufficient file type validation in the upload_files() function in all versions up to, and including, 4.14.1. This makes it possible for authenticated attackers with Subscriber-level access and above to upload files with dangerous types that can lead to Remote Code Execution on servers configured to handle .phar files as executable PHP (e.g., Apache+mod_php), or Stored Cross-Site Scripting via .svg, .dfxp, or .xhtml file uploads on any server configuration.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A file upload vulnerability in a WordPress plugin enables exploitation of a public-facing application (T1190) and facilitates web shell deployment via .phar uploads for RCE (T1100).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly addresses insufficient file type validation in upload_files() by requiring checks that block dangerous extensions such as .phar, .svg, .dfxp, and .xhtml.
- AC-3 (Access Enforcement): enforces the missing authorization on import_popup_templates() to prevent Subscriber-level and higher users from reaching the vulnerable upload functions.
- Restricts the types of files that can be entered into the WordPress system, mitigating unrestricted uploads of executable or scriptable content.