Introduction
A critical security vulnerability [2], identified as CVE-2025-0366 [1] [2], has been discovered in the Jupiter X Core WordPress plugin [1], which is installed on over 90,000 websites [1] [3]. This vulnerability, disclosed on January 6, 2025 [3], poses significant risks due to its potential to allow remote code execution by attackers with contributor-level privileges.
Description
A critical vulnerability [1] [3], tracked as CVE-2025-0366 [1] [2], has been identified in the Jupiter X Core WordPress plugin [1], which is actively installed on over 90,000 websites [3]. Disclosed by researcher stealthcopter on January 6, 2025 [1], this severe flaw allows authenticated attackers with contributor-level privileges to execute remote code through a combination of Local File Inclusion (LFI) and malicious SVG uploads [3]. The vulnerability has a CVSS score of 8.8 (High) [1], indicating a significant impact on confidentiality, integrity [3], and availability [3], and arises from two main issues in the plugin’s file handling logic:
- Unrestricted SVG File Upload: The plugin’s Ajax_Handler class permits contributors to upload SVG files without adequate content validation. Although filenames are randomized using PHP’s uniqid() function [3], this method is predictable if an attacker knows the upload timestamp [3], enabling the inclusion of malicious SVG files containing embedded PHP code [2].
- Improper Input Sanitization: The getsvg() method in the plugin’s Utils class fails to properly sanitize user input, allowing for path traversal attacks. Attackers can manipulate the $filename parameter to include arbitrary files [2], leading to remote code execution by uploading a malicious SVG and forcing its inclusion through crafted requests [2], particularly via the plugin’s video widget [3].
The vulnerability poses significant risks [2], including privilege escalation for low-privilege contributors [2], data exfiltration of sensitive files such as wp-config.php [2], and the potential for persistent access through backdoors [2]. A patch addressing this vulnerability was released by the plugin’s developer [1], Artbees [1] [3], on January 29, 2025 [1] [3], which implemented SHA-256 filename hashing and strict file allowlisting [3]. Users are strongly urged to update to version 4.8.8 or higher immediately to mitigate the risk [1].
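As an added illustration, not code from Jupiter X Core or from the cited advisories, the following PHP shows a hardened shape for the two weak points described above: an unpredictable stored filename in place of uniqid(), and a getsvg()-style lookup that accepts only allowlisted names resolved inside a fixed directory and serves the file as data rather than including it. The upload directory, function names and stored-name format are assumptions.

```php
<?php
// Added example, not Jupiter X Core's code. Directory, function names and the
// stored-name format are assumptions for illustration.
const SVG_UPLOAD_DIR = '/var/www/uploads/svg'; // assumed upload location

// Stored name: uniqid() is derived from the current time and is therefore
// guessable; hash CSPRNG bytes with SHA-256 instead.
function random_svg_name(): string {
    return hash('sha256', random_bytes(32)) . '.svg';
}

// Resolve a caller-supplied name to a real path inside the upload directory,
// rejecting directory components, non-allowlisted names and symlink escapes.
function resolve_svg_path(string $filename): ?string {
    if ($filename !== basename($filename)) {
        return null; // contained a directory component
    }
    if (!preg_match('/^[a-f0-9]{64}\.svg$/', $filename)) {
        return null; // not the exact format this code stores
    }
    $base = realpath(SVG_UPLOAD_DIR);
    $path = realpath(SVG_UPLOAD_DIR . DIRECTORY_SEPARATOR . $filename);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // missing, or resolved outside the directory
    }
    return $path;
}

// Content check at upload time: must parse as XML with an <svg> root, without
// network access, and must not carry PHP open tags or script markup. This is a
// supplementary check; the primary defence is never executing the file.
function is_plain_svg(string $contents): bool {
    if (stripos($contents, '<?php') !== false || stripos($contents, '<script') !== false) {
        return false;
    }
    $prev = libxml_use_internal_errors(true);
    $doc = simplexml_load_string($contents, 'SimpleXMLElement', LIBXML_NONET);
    libxml_use_internal_errors($prev);
    return $doc !== false && strtolower($doc->getName()) === 'svg';
}

// Serving: stream the file as image data with a fixed content type; the
// vulnerable pattern was to include() it, which runs any embedded PHP.
function serve_svg(string $filename): void {
    $path = resolve_svg_path($filename);
    if ($path === null) { http_response_code(404); return; }
    header('Content-Type: image/svg+xml');
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}
```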
To further reduce exposure, it is recommended that administrators audit user roles to minimize the number of contributor accounts and implement web application firewalls (WAFs) with specific LFI/RCE rulesets [2]. Additionally, reviewing custom themes and plugins for similar file handling flaws [2], particularly in SVG/XML parsers [2], is advised [2] [3]. Proactive vulnerability management is essential [2], especially given the widespread use of WordPress. Security experts recommend adopting machine learning-based file validation to detect anomalous content in SVGs and enforcing zero-trust policies for file uploads [3]. Regular code audits for path traversal flaws and implementing least-privilege access models are crucial for mitigating similar risks [3]. Administrators should prioritize automated scanning tools and subscribe to threat intelligence feeds for real-time alerts to enhance security measures.
Conclusion
The CVE-2025-0366 vulnerability in the Jupiter X Core WordPress plugin underscores the critical need for robust security practices. Immediate patching to version 4.8.8 or higher is essential to mitigate risks. Future security strategies should focus on minimizing contributor accounts, employing web application firewalls [2], and conducting regular audits. Embracing advanced technologies like machine learning for file validation and maintaining a zero-trust approach to file uploads will be vital in safeguarding against similar vulnerabilities. Proactive measures, including automated scanning and real-time threat intelligence, are crucial for maintaining a secure WordPress environment.
References
[1] https://www.infosecurity-magazine.com/news/wordpress-plugin-flaw-exposes/
[2] https://cybersecuritynews.com/90000-wordpress-sites-vulnerable/
[3] https://gbhackers.com/90000-wordpress-sites-exposed/