Published: September 15, 2023 in our Security Fraud News & Alerts Newsletter.
Jupiter X Core, a premium plugin used to build WooCommerce and WordPress websites, is affected by two vulnerabilities that can let an attacker hijack accounts or upload files without ever authenticating. Rafie Muhammad, an analyst at Patchstack, discovered both issues and reported them to the plugin's creators.
The first, tracked as CVE-2023-38388, allows files to be uploaded without authentication, which can lead to arbitrary code being executed on the server. It affects all Jupiter X Core versions 3.3.5 and lower. Fortunately, the problem was fixed in version 3.3.8 of the plugin.
CVE-2023-38388 is exploitable because the plugin's "upload files" function performed no authentication check at all: anyone who could reach the endpoint could use it. The vendor's patch adds that check and also enables a second check that blocks the upload of risky file types. Both matter: the authentication check keeps strangers away from the function, and the file-type check limits the damage if an account with upload rights is ever misused.
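To make the missing checks concrete, here is an added illustration written for this article in the style of a WordPress plugin AJAX handler. It is not Jupiter X Core's code: the hook names, the function names and the image-only allow-list are assumptions. The first handler shows the unauthenticated-upload pattern described above; the second shows the same endpoint with an authentication check, a capability check, a nonce and a file-type check.

```php
<?php
// Added example (not Jupiter X Core's code). Hook and function names,
// and the image-only allow-list, are assumptions made for illustration.

// --- Vulnerable pattern: reachable by anyone, no file-type restriction. ---
// The 'wp_ajax_nopriv_' hook exposes the handler to visitors who are not logged in.
add_action( 'wp_ajax_nopriv_demo_upload', 'demo_upload_vulnerable' );
add_action( 'wp_ajax_demo_upload', 'demo_upload_vulnerable' );

function demo_upload_vulnerable() {
    // No authentication, no capability check, no nonce: any visitor reaches this.
    $file   = $_FILES['file'];
    $target = wp_upload_dir()['basedir'] . '/' . basename( $file['name'] );
    // No extension or MIME check: a .php payload lands in a web-reachable directory.
    move_uploaded_file( $file['tmp_name'], $target );
    wp_send_json_success( array( 'path' => $target ) );
}

// --- Hardened pattern: authenticated, capability-gated, nonce-protected, type-restricted. ---
// Only the logged-in hook is registered; there is no 'nopriv' variant at all.
add_action( 'wp_ajax_demo_upload_safe', 'demo_upload_hardened' );

function demo_upload_hardened() {
    // 1. Authentication and authorization (the check the original patch added).
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // wp_send_json_error() ends the request
    }

    // 2. CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'demo_upload_nonce', 'nonce' );

    if ( empty( $_FILES['file'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }

    // 3. Restrict file types, checking the real content rather than only the
    //    client-supplied name (the second check the patch enabled).
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );
    $check = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $_FILES['file']['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // 4. Let WordPress perform the move; the same allow-list is applied again.
    $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

The point to take from the hardened version is that each check catches a different failure: dropping the "nopriv" hook and testing the capability stops unauthenticated use, the nonce stops a logged-in user from being tricked into uploading, and the allow-list means even a legitimate uploader cannot plant a server-side script.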
The second, CVE-2023-38389, lets an unauthenticated attacker take over any WordPress user account knowing only its email address. It affects all versions of the Jupiter X Core plugin 3.3.8 and below. According to Muhammad, the attacker can change the Facebook login information linked to the target account behind the scenes and then log in through the plugin's Facebook login feature. Again, the problem was fixed, this time in version 3.4.3 of the plugin.
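The following added illustration, also written for this article and not taken from Jupiter X Core, shows the general class of bug described above: a social-login handler that lets the client decide which Facebook identity belongs to which WordPress account, beside a version that treats the provider as the only source of truth. The handler names, the user-meta key "demo_facebook_id" and the Graph API fields used are assumptions.

```php
<?php
// Added example (not Jupiter X Core's code). Handler names, the meta key
// 'demo_facebook_id' and the Graph API fields are assumptions for illustration.

// --- Vulnerable pattern: the client tells the site which account a Facebook ID owns. ---
add_action( 'wp_ajax_nopriv_demo_fb_login', 'demo_fb_login_vulnerable' );

function demo_fb_login_vulnerable() {
    $email = sanitize_email( $_POST['email'] );
    $fb_id = sanitize_text_field( $_POST['facebook_id'] );

    // Binds an attacker-chosen Facebook ID to any account whose email is known...
    $user = get_user_by( 'email', $email );
    if ( $user ) {
        update_user_meta( $user->ID, 'demo_facebook_id', $fb_id );
    }
    // ...then logs in whoever holds that ID, without ever talking to Facebook.
    $users = get_users( array( 'meta_key' => 'demo_facebook_id', 'meta_value' => $fb_id, 'number' => 1 ) );
    if ( $users ) {
        wp_set_auth_cookie( $users[0]->ID );
        wp_send_json_success( 'logged in' );
    }
    wp_send_json_error( 'unknown user', 401 );
}

// --- Hardened pattern: the identity comes from Facebook, binding requires a logged-in owner. ---
add_action( 'wp_ajax_nopriv_demo_fb_login_safe', 'demo_fb_login_hardened' );
add_action( 'wp_ajax_demo_fb_login_safe', 'demo_fb_login_hardened' );

function demo_fb_login_hardened() {
    // The only client input is the access token produced by the Facebook SDK.
    $token = sanitize_text_field( $_POST['access_token'] );

    // Ask Facebook who the token belongs to; the server never trusts a client-supplied ID.
    $resp = wp_remote_get( 'https://graph.facebook.com/me?fields=id,email&access_token=' . rawurlencode( $token ) );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        wp_send_json_error( 'token rejected', 401 );
    }
    $profile = json_decode( wp_remote_retrieve_body( $resp ), true );
    if ( empty( $profile['id'] ) ) {
        wp_send_json_error( 'token rejected', 401 );
    }
    $fb_id = $profile['id'];

    if ( is_user_logged_in() ) {
        // Account linking: only the authenticated owner may attach a Facebook ID to their account.
        update_user_meta( get_current_user_id(), 'demo_facebook_id', $fb_id );
        wp_send_json_success( 'linked' );
    }

    // Login: look up the provider-verified ID. No binding happens on this path,
    // and no email supplied by the client is ever consulted.
    $users = get_users( array( 'meta_key' => 'demo_facebook_id', 'meta_value' => $fb_id, 'number' => 1 ) );
    if ( empty( $users ) ) {
        wp_send_json_error( 'no linked account', 401 );
    }
    wp_set_auth_cookie( $users[0]->ID );
    wp_send_json_success( 'logged in' );
}
```

Two design choices carry the fix. The mapping from Facebook ID to WordPress user is written only for the currently logged-in user, so knowing someone's email buys nothing, and the ID itself is read back from Facebook's Graph API rather than from the request. A production integration should additionally confirm that the token was issued for the site's own Facebook app (Facebook's debug_token endpoint does this), so a token obtained from some other app cannot be replayed here.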
There are a couple of problems highlighted in this. One is that many administrators don't apply patches and updates as quickly as they should. Both of these bugs had fixes available, and every day a site runs the old version leaves an opening for cybercriminals to sashay right in and take advantage of the delay.
The other is a reminder of how much trust a "Log in with Facebook" button places not only in Facebook but in the website's own integration with it. In this case the attacker did not need the victim's Facebook password at all: the plugin accepted a claimed Facebook identity for an account without verifying it with Facebook, so an account that was never compromised at Facebook could still be handed over. Using your Facebook or other account to log in to OTHER online accounts also means that anyone who does get hold of that one login can use it everywhere you used it. Each account should have unique login credentials, but note that unique passwords would not have protected anyone here; only the patch does.
Users of the Jupiter X Core plugin are urgently advised to update to version 3.4.3 or later, which fixes both vulnerabilities, in the shortest time possible to mitigate the serious risk they pose. Don't sashay, don't delay.