HarborGuard Database

CVE-2026-39490 (severity: HIGH, CNA: Patchstack)

CVE-2026-39490: WordPress JupiterX Core plugin <= 4.14.1 - Broken Access Control vulnerability

Unauthenticated Broken Access Control in JupiterX Core <= 4.14.1 versions.

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: no fix version published yet
Affected Products: 1


HarborGuard Analysis

Synopsis

This is a broken access control vulnerability in the JupiterX Core WordPress plugin, affecting versions 4.14.1 and earlier. The flaw is reachable over the network and requires no authentication, so any remote visitor can trigger it without logging in. Successful exploitation allows an attacker to read protected data, resulting in full confidentiality compromise of whatever data the affected access control is meant to protect. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds including Patchstack within minutes of publication and matched against all customer images, including custom-built WordPress images containing the JupiterX Core plugin. Any image carrying the affected plugin at version 4.14.1 or earlier is flagged automatically.

Triage: Available

HarborGuard scores this finding at CVSS 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is capable of weighting it further against each customer environment's compliance policy before routing the alert to the appropriate team inbox within that organization.

Patch: Pending upstream

Because no upstream fix version has been published yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainer ships a remediated release. For customers with auto-remediation enabled, a rebuild, regression run, and PR against affected workloads will be initiated without manual intervention once a fix version becomes available.

Exploit Conditions

  • Network reachability: Required

    The vulnerable component is exposed over the network, so the attacker must be able to send HTTP requests to the WordPress site hosting the plugin.

  • Authentication: Not required

    No account or session token is needed; the attacker can trigger the vulnerability as an anonymous, unauthenticated visitor.

  • Victim interaction: Not required

    No user action such as clicking a link or opening a file is needed for the attack to succeed.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental prerequisites.

Blast Radius

  • An attacker reads data that the access control restriction was intended to protect, such as private post content, configuration values, or user metadata stored in WordPress.
  • No write access is granted by this vulnerability, so stored records are not modified or deleted.
  • Service availability is unaffected; the plugin and the WordPress site continue to operate normally during and after exploitation.

How HarborGuard Handles This

Available on HarborGuard: because no patched version of JupiterX Core has been released, HarborGuard continuously monitors the Patchstack advisory and re-evaluates affected images on every ingest cycle. In the meantime, customers can apply compensating controls through HarborGuard's policy engine: network-policy isolation to restrict public HTTP access to the WordPress deployment, egress filtering to limit lateral movement, and a compliance policy rule that blocks promotion of any image containing JupiterX Core at or below 4.14.1 to production. For customers with auto-remediation enabled, a rebuilt image, regression-test run, and PR opened against affected workloads will be made available automatically as soon as the upstream maintainer publishes a fix. The advisory is flagged for continuous re-check so no manual follow-up is required to catch the patch when it lands.

Affected packages
  • artbees / JupiterX Core ≤ 4.14.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N