- Security researchers find a high-severity flaw in a popular WordPress plugin
- The flaw allows threat actors to execute malicious code remotely
- A patch was released at the end of January 2025
Jupiter X Core, a popular WordPress plugin with more than 90,000 users worldwide, is affected by a high-severity flaw that allows threat actors to include and execute arbitrary files on the server, essentially giving them the ability to take over target websites, experts have warned.
Researchers at WordPress security firm Wordfence revealed that the plugin was found vulnerable to "local file inclusion to remote code execution", now tracked as CVE-2025-0366. It has a severity score of 8.8/10 (high) and affects all versions up to and including 4.8.7.
Jupiter X Core is a companion plugin for the Jupiter X WordPress theme, developed by Artbees. It extends the theme with advanced features such as custom page-builder elements, theme customization options and improved design controls. The plugin is mainly used by website designers, developers and business owners.
SVG uploads are the problem
"This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files," Wordfence said. "This can be used to bypass access controls, obtain sensitive data, or achieve code execution."
Describing what a theoretical attack could look like, Wordfence said that an attacker could create a form that allows SVG uploads, upload a file with malicious content, then include the SVG file in a post to run the code. The process makes RCE "relatively easy", it added.
The bug was first spotted in early January 2025, and Artbees shipped a patch before the end of the month. That said, if you use Jupiter X Core, make sure you are running at least version 4.8.8.
At press time, the WordPress.org site shows 46.8% of users running the latest version, which means that more than 47,000 websites are still vulnerable.
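The two checks a site owner would want after reading this, as an added example that is not part of the article and not Artbees' or Wordfence's code: read the installed plugin version from its WordPress plugin header and compare it against the 4.8.8 fix, and sweep the uploads directory for SVG files that carry a PHP open tag, since a legitimate SVG never needs one and the described attack stages exactly such a file. The plugin directory name `jupiterx-core` and main file `jupiterx-core.php` are assumptions, not taken from the article; the sample `wp-content` tree is constructed inside the script so it runs offline.

```python
"""Defender-side checks for CVE-2025-0366 in Jupiter X Core (added example).

Assumptions (not from the article): the plugin lives under
wp-content/plugins/jupiterx-core/ and declares its version in the standard
WordPress plugin header ("Version: x.y.z") of jupiterx-core.php.
"""
import os
import re
import tempfile

FIXED_VERSION = (4, 8, 8)  # first patched release named in the article
# Match "<?php" or the short echo tag "<?=", but NOT the "<?xml" prolog
# that well-formed SVG files legitimately start with.
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)
VERSION_HEADER = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.MULTILINE)


def parse_version(header_text: str):
    """Return the plugin version from a WordPress plugin header as a tuple of ints."""
    m = VERSION_HEADER.search(header_text)
    if not m:
        raise ValueError("no Version: header found")
    return tuple(int(p) for p in m.group(1).strip(".").split("."))


def is_vulnerable(version) -> bool:
    """All versions up to and including 4.8.7 are affected; pad so 4.8 == 4.8.0."""
    v = tuple(version) + (0,) * (3 - len(version))
    return v[:3] < FIXED_VERSION


def find_svg_with_php(uploads_dir: str):
    """List SVG files under the uploads tree that contain a PHP open tag.

    An SVG with '<?php' inside it is a strong indicator that someone staged a
    file for the local-file-inclusion step described in the article.
    """
    hits = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            if not name.lower().endswith(".svg"):
                continue
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                if PHP_TAG.search(fh.read()):
                    hits.append(path)
    return sorted(hits)


def audit_site(wp_content: str) -> dict:
    """Run both checks against a wp-content directory and return the findings."""
    # Assumed plugin slug and main file; adjust to the real layout of your install.
    plugin_file = os.path.join(wp_content, "plugins", "jupiterx-core", "jupiterx-core.php")
    with open(plugin_file, encoding="utf-8", errors="replace") as fh:
        version = parse_version(fh.read())
    return {
        "version": ".".join(map(str, version)),
        "vulnerable": is_vulnerable(version),
        "suspicious_svgs": find_svg_with_php(os.path.join(wp_content, "uploads")),
    }


def build_sample_site() -> str:
    """Construct a throwaway wp-content tree (sample data, not a real site)."""
    base = tempfile.mkdtemp(prefix="wp-content-")
    plugin_dir = os.path.join(base, "plugins", "jupiterx-core")
    uploads = os.path.join(base, "uploads", "2025", "01")
    os.makedirs(plugin_dir)
    os.makedirs(uploads)
    with open(os.path.join(plugin_dir, "jupiterx-core.php"), "w") as fh:
        fh.write("<?php\n/**\n * Plugin Name: Jupiter X Core\n * Version: 4.8.7\n */\n")
    with open(os.path.join(uploads, "logo.svg"), "w") as fh:
        # benign SVG with the usual XML prolog; must not be flagged
        fh.write('<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>')
    with open(os.path.join(uploads, "avatar.svg"), "w") as fh:
        # constructed indicator: an SVG carrying a PHP open tag
        fh.write('<svg xmlns="http://www.w3.org/2000/svg"><?php /* marker */ ?></svg>')
    return base


if __name__ == "__main__":
    print(audit_site(build_sample_site()))
```

Run it as-is to see the findings on the constructed tree, or point `audit_site()` at a real `wp-content` directory. The version check only tells you whether the installed build is older than 4.8.8; the SVG sweep is the post-incident question, since a patched site may still hold files that were staged while it was exposed.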
Via Infosecurity magazine