CVE-2025-0366
📋 TL;DR
The Jupiter X Core WordPress plugin has a Local File Inclusion vulnerability that leads to Remote Code Execution. Authenticated attackers with Contributor-level access or higher can upload malicious SVG files and execute arbitrary PHP code on the server. This affects all WordPress sites using Jupiter X Core version 4.8.7 or earlier.
💻 Affected Systems
- Jupiter X Core WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise allowing attackers to execute arbitrary code, steal sensitive data, install backdoors, or pivot to other systems.
Likely Case
Attackers gain shell access to the web server, deface websites, steal database credentials, or install cryptocurrency miners.
If Mitigated
Limited impact if strict file upload restrictions and tight user role management are in place, though any account holding the Contributor role can still reach the vulnerable upload path.
🎯 Exploit Status
Requires authenticated access (Contributor role or higher) and ability to upload SVG files through forms.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.8.8 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3231122/jupiterx-core
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find Jupiter X Core and update to version 4.8.8 or later.
4. Verify that the update completes successfully.
🔧 Temporary Workarounds
Restrict SVG Uploads
Disable SVG file uploads through WordPress forms or implement strict file type validation.
Add to wp-config.php: define('ALLOW_UNFILTERED_UPLOADS', false); (this constant is off unless something has enabled it, so the line only guards against it having been turned on elsewhere).
Limit User Roles
Remove Contributor role access or restrict form submission capabilities.
Use WordPress role management plugins to modify capabilities
🧯 If You Can't Patch
- Temporarily disable the Jupiter X Core plugin if not essential
- Implement web application firewall rules to block SVG file uploads and suspicious PHP execution attempts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for Jupiter X Core version 4.8.7 or earlier.
Check Version:
wp plugin list --name=jupiterx-core --field=version
Verify Fix Applied:
Confirm Jupiter X Core plugin version is 4.8.8 or later in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual SVG file uploads via forms
- PHP execution from unexpected file paths
- Multiple failed login attempts followed by successful Contributor login
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with SVG upload parameters
- Unusual outbound connections from web server
SIEM Query:
source="wordpress.log" AND (("svg" AND "upload") OR ("admin-ajax.php" AND "action=get_svg"))
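An added example, not code from the advisory or from the plugin's authors, that runs the SIEM rule above (with its intended grouping) over constructed access-log lines, next to a tighter variant limited to POSTs to admin-ajax.php, and a version check against the 4.8.8 fix. The log lines, IP addresses and the `action=upload&name=...` query string are constructed samples and assumptions, not parameters taken from the plugin.

```python
import re

# Constructed sample access-log lines (Combined Log Format); IPs and queries are made up.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Feb/2025:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=get_svg HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Feb/2025:12:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=upload&name=logo.svg HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Feb/2025:12:01:00 +0000] "GET /wp-content/uploads/2025/02/logo.svg HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Feb/2025:12:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def siem_rule_matches(line: str) -> bool:
    """The advisory's SIEM query with its intended grouping:
    ("svg" AND "upload") OR ("admin-ajax.php" AND "action=get_svg")."""
    low = line.lower()
    return ("svg" in low and "upload" in low) or (
        "admin-ajax.php" in low and "action=get_svg" in low
    )

def tightened_rule_matches(line: str) -> bool:
    """Narrower rule: only POSTs to admin-ajax.php whose query names get_svg or an .svg file.
    Plain GETs of .svg files under /wp-content/uploads/ (which the broad rule flags) no longer fire."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST":
        return False
    path = m["path"].lower()
    return "/wp-admin/admin-ajax.php" in path and (
        "action=get_svg" in path or ".svg" in path
    )

def is_vulnerable_version(version: str) -> bool:
    """True for Jupiter X Core 4.8.7 and earlier; the fix shipped in 4.8.8."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return parts < (4, 8, 8)

def scan(lines):
    """Return the lines each rule flags, so the two rules can be compared side by side."""
    return {
        "advisory_rule": [l for l in lines if siem_rule_matches(l)],
        "tightened_rule": [l for l in lines if tightened_rule_matches(l)],
    }
```

On the constructed sample the advisory rule flags three lines, including the benign GET of an .svg under /wp-content/uploads/, while the tightened rule flags only the two POSTs.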
🔗 References
- https://plugins.trac.wordpress.org/changeset/3231122/jupiterx-core/trunk/includes/extensions/raven/includes/modules/forms/classes/ajax-handler.php
- https://plugins.trac.wordpress.org/changeset/3231122/jupiterx-core/trunk/includes/extensions/raven/includes/modules/video/widgets/video.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/1a20dc1d-eb7c-47ac-ad9a-ec4c0d5db62e?source=cve