Subj : This premium WordPress plugin could let hackers hijack your websi
To : All
From : TechnologyDaily
Date : Fri Aug 25 2023 16:30:03

This premium WordPress plugin could let hackers hijack your website

Date: Fri, 25 Aug 2023 15:13:52 +0000

Description: It's the latest in a series of WordPress plugin vulnerabilities that could mean big trouble for your website.

FULL STORY
======================================================================

JupiterX Core, a WYSIWYG editor for WordPress (and a plausible first-draft Elon Musk baby name), has been exposing sites to account hijacking and unauthenticated file uploads, but a patch has been issued.

Reporting the news, BleepingComputer also cites Themeforest sales for the JupiterX theme to estimate that it's used on over 172,000 websites. The real number is probably less than that, but it's a good indicator of the scale of the problem.

Rafie Muhammad, a researcher at WordPress security firm Patchstack, was the first to discover two distinct vulnerabilities and report them to JupiterX developer ArtBees, who have since patched the flaws. Naturally, if you use this plugin, update your version as soon as possible.

Jupiter X Core WordPress flaw

The first flaw identified, CVE-2023-3838, affects all JupiterX Core versions up to 3.5.5, and allows for file uploads without authentication, opening the floodgates to arbitrary code execution. A patch came with version 3.3.8, adding authentication checks to the plugin's upload_files function, as well as a second check to block uploads of, per BleepingComputer, risky file types. We imagine this means executables.

The second flaw, CVE-2023-38389, allowed for breaches of any WordPress account so long as an attacker knew the email address attached, impacting up to JupiterX Core version 3.3.8.
Version 3.4.3 fixed the flaw, with Muhammad writing that the ajax_handler function in the plugin's Facebook login mechanism let any attacker, for a time, set key login variables involving Facebook user IDs to any value. ArtBees resolved the issue by pulling a user's e-mail address and unique user ID from Facebook's authentication endpoint, though it seems hard to believe that it wasn't coded that way to begin with.

======================================================================

Link to news story: https://www.techradar.com/pro/security/this-premium-wordpress-plugin-could-let-hackers-hijack-your-website

--- Mystic BBS v1.12 A47 (Linux/64)
 * Origin: tqwNet Technology News (1337:1/100)
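The two fixes the story describes (an authentication check plus a file-type check on an AJAX upload handler, and a social-login handler that takes the user's identity from the provider's endpoint rather than from the request) are common WordPress plugin hardening patterns. The following is an added example written for this post; it is not JupiterX Core's code or ArtBees' patch. The action names, function names and the `example_facebook_user_id` meta key are hypothetical, and the Graph API `me` endpoint with `id,email` fields is an assumption about Facebook's API.

```php
<?php
// Added example, not JupiterX Core's code. Names prefixed "example_" are hypothetical.

// --- 1. Authenticated, type-restricted AJAX file upload -------------------

// Registered only for logged-in users: there is deliberately no
// 'wp_ajax_nopriv_' hook, so anonymous requests never reach the handler.
add_action( 'wp_ajax_example_upload_files', 'example_upload_files' );

function example_upload_files() {
    // CSRF check: the front end must send the nonce this action expects.
    check_ajax_referer( 'example_upload_files', 'nonce' );

    // Authorization: require a capability, not merely a logged-in session.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    if ( empty( $_FILES['file']['name'] ) ) {
        wp_send_json_error( 'no file supplied', 400 );
    }

    // Allow-list of extension => MIME type; anything else (php, phtml, exe...) is rejected.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );

    // Validates the extension AND the real content; a renamed script fails
    // even if the client claims a harmless MIME type.
    $check = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $_FILES['file']['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not permitted', 415 );
    }

    // wp_handle_upload re-validates against the same allow-list and stores
    // the file under wp-content/uploads.
    $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}

// --- 2. Social login that never trusts client-supplied identity ------------

add_action( 'wp_ajax_nopriv_example_facebook_login', 'example_facebook_login' );

function example_facebook_login() {
    // The only value read from the request is the opaque access token.
    // The e-mail and user ID are NOT taken from POST; they come from the provider.
    $token = isset( $_POST['access_token'] ) ? sanitize_text_field( wp_unslash( $_POST['access_token'] ) ) : '';
    if ( '' === $token ) {
        wp_send_json_error( 'missing token', 400 );
    }

    // Assumption: the Graph API "me" endpoint returns {"id": ..., "email": ...}
    // for a valid user token and a non-200 status otherwise.
    $response = wp_remote_get( add_query_arg(
        array( 'fields' => 'id,email', 'access_token' => $token ),
        'https://graph.facebook.com/me'
    ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        wp_send_json_error( 'provider rejected token', 401 );
    }
    $profile = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( empty( $profile['id'] ) || empty( $profile['email'] ) ) {
        wp_send_json_error( 'provider returned no identity', 401 );
    }

    // Map the provider identity to a WordPress user via the provider's user ID
    // stored in user meta (hypothetical key), rather than by e-mail alone.
    $users = get_users( array(
        'meta_key'   => 'example_facebook_user_id',
        'meta_value' => $profile['id'],
        'number'     => 1,
    ) );
    if ( empty( $users ) ) {
        wp_send_json_error( 'no linked account', 401 );
    }
    $user = $users[0];

    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID, true );
    wp_send_json_success( array( 'user' => $user->user_login ) );
}
```

The point of the second handler is that the server asks the identity provider who the token belongs to; nothing the client sends about a user ID or e-mail is ever used for the account lookup. In a production plugin you would additionally confirm that the token was issued to your own Facebook app (Facebook's `debug_token` endpoint exists for this; details are an assumption here), since a user token minted for some other app is still a valid token for that user.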