CVE-2025-2105
📋 TL;DR
The Jupiter X Core WordPress plugin (versions up to and including 4.8.11) is vulnerable to PHP object injection: untrusted input in the 'file' parameter reaches a deserialization sink. Jupiter X Core itself ships no known POP chain, so serious impact requires a separate plugin or theme that supplies one. Unauthenticated attackers can reach the sink if a form with a file download action already exists on the site; otherwise a user with Contributor-level access or higher can create such a form.
💻 Affected Systems
- Jupiter X Core WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
If combined with a POP chain from another plugin/theme, attackers could execute arbitrary code, delete files, or exfiltrate sensitive data leading to complete site compromise.
Likely Case
Limited impact on its own, because Jupiter X Core has no native POP chain: an attacker can trigger PHP errors or limited disruption, but not code execution, unless another installed plugin or theme supplies a usable gadget chain.
If Mitigated
With proper input validation and security plugins, exploitation attempts would be blocked or logged with minimal impact.
🎯 Exploit Status
Exploitation requires specific conditions: file upload capability and either existing vulnerable forms or user access to create them. No known POP chain in Jupiter X itself reduces immediate weaponization.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 4.8.11
Vendor Advisory: https://wordpress.org/plugins/jupiterx-core/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Jupiter X Core.
4. Click 'Update Now' if available.
5. If no update is offered, manually download the latest version from WordPress.org and replace the plugin files.
🔧 Temporary Workarounds
Disable vulnerable function
Remove or disable the raven_download_file function in the plugin code.
Edit wp-content/plugins/jupiterx-core/includes/extensions/raven/includes/utils.php and comment out or remove the vulnerable function. Any form that relies on the file download action will stop working, and the edit is overwritten by the next plugin update, so treat this as a stopgap until you can update.
Restrict file uploads
Limit file upload capabilities to trusted users only.
Use WordPress security plugins to restrict file uploads by user role. The attacker needs a way to place a PHAR archive on the server before the phar:// wrapper can deserialize it, so removing upload paths for untrusted roles raises the bar without fixing the underlying bug.
🧯 If You Can't Patch
- Disable the Jupiter X Core plugin entirely until patched
- Implement web application firewall rules to block requests whose parameters contain phar:// references. Match case-insensitively and after URL-decoding (including double-encoded values such as phar%253A%252F%252F), because PHP resolves stream wrapper names case-insensitively, so PHAR://, Phar:// and phar:// all work.
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin → Plugins → Jupiter X Core. If version is 4.8.11 or lower, you are vulnerable.
Check Version:
wp plugin list --name=jupiterx-core --field=version (if WP-CLI installed) or check WordPress admin panel
Verify Fix Applied:
Verify plugin version is higher than 4.8.11. Check that the raven_download_file function in utils.php includes proper input validation.
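The version check above, as an added example that is not part of the original advisory: a small Python script that compares an installed version string against 4.8.11 (the last vulnerable release named on this page) and, when run directly, pulls the installed version with the same WP-CLI command the page gives. The WP-CLI invocation and the --path value are assumptions about your deployment; the comparison logic is self-contained and runs offline.

```python
import re
import subprocess
import sys

# Last vulnerable release according to the advisory: 4.8.11 or lower is affected.
LAST_VULNERABLE = (4, 8, 11)


def parse_version(version):
    """Turn '4.8.11' (optionally with a suffix such as '-beta1') into a comparable tuple.

    Only the leading dotted-numeric part is used; a pre-release suffix is ignored,
    which is the conservative reading for a patch-level comparison.
    """
    core = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not core:
        raise ValueError(f"unparseable version string: {version!r}")
    parts = tuple(int(x) for x in core.group(0).split("."))
    # Pad short versions ('4.9') so they compare like '4.9.0'.
    return parts + (0,) * (3 - len(parts))


def is_vulnerable(version):
    """True when the installed Jupiter X Core version is 4.8.11 or lower."""
    return parse_version(version) <= LAST_VULNERABLE


def installed_version(wp_path):
    """Query WP-CLI for the installed plugin version (assumes wp is on PATH).

    This is the command quoted in the advisory; --path is the site root.
    """
    result = subprocess.run(
        ["wp", "plugin", "list", "--name=jupiterx-core", "--field=version",
         f"--path={wp_path}"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


if __name__ == "__main__":
    # Usage: python check_jupiterx.py /var/www/html  (hypothetical site root)
    site_root = sys.argv[1] if len(sys.argv) > 1 else "/var/www/html"
    version = installed_version(site_root)
    state = "VULNERABLE" if is_vulnerable(version) else "patched"
    print(f"jupiterx-core {version}: {state} (CVE-2025-2105)")
```

If the plugin is not installed, WP-CLI prints nothing and parse_version raises, which is the right outcome for a check that should never silently report "patched".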
📡 Detection & Monitoring
Log Indicators:
- POST requests to */wp-admin/admin-ajax.php carrying 'action=raven_download_file'. The action may arrive in the query string or in the POST body; standard web server access logs do not record bodies, so body-based hits need WAF or application-level request logging.
- PHP errors related to unserialize() or PHAR deserialization
- Unexpected file operations in plugin directories
Network Indicators:
- HTTP requests whose 'file' parameter contains a phar:// reference (match case-insensitively and after URL-decoding; PHP accepts PHAR://, Phar:// and other case variants)
- Unusual file download patterns from WordPress sites
SIEM Query (pseudo-syntax; adapt field names to your platform and make the string match case-insensitive):
source="web_logs" AND uri="*/wp-admin/admin-ajax.php" AND (params.action="raven_download_file" OR params.file CONTAINS "phar://")
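The log and network indicators above, applied to sample access-log lines as an added example (this code is not from the advisory or from the plugin vendor). It assumes combined log format and, to exercise the indicators, a few constructed log lines, including one with a double-encoded phar:// value. Lowercasing and repeated URL-decoding are what make the check match the case variants and encodings the WAF caveat above describes.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Combined log format: ip ident user [ts] "METHOD target HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

AJAX_PATH = "/wp-admin/admin-ajax.php"
SUSPECT_ACTION = "raven_download_file"

# Constructed sample lines (not real traffic): hit, hit+phar, double-encoded phar, benign.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2025:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=raven_download_file HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2025:12:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=raven_download_file&file=PHAR%3A%2F%2F..%2Fuploads%2F2025%2F03%2Fevil.jpg%2Ftest.txt HTTP/1.1" 500 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2025:12:00:03 +0000] "GET /index.php?p=phar%253A%252F%252Fx HTTP/1.1" 200 1024 "-" "curl/8.0"
192.0.2.9 - - [10/Mar/2025:12:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 60 "-" "Mozilla/5.0"
"""


def decode_repeatedly(value, rounds=3):
    """URL-decode up to `rounds` times so double-encoded values are still inspected."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def contains_phar(value):
    """Case-insensitive phar:// check after decoding (PHP wrapper names are case-insensitive)."""
    return "phar://" in decode_repeatedly(value).lower()


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined-log format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def indicators(target):
    """Names of the indicators matched by one request target (path + query string).

    Note: only the query string is visible here; an action sent in a POST body
    needs WAF or application-level logging to be seen at all.
    """
    parts = urlsplit(target)
    params = parse_qsl(parts.query, keep_blank_values=True)  # decodes once
    hits = []
    if parts.path.endswith(AJAX_PATH) and any(
        k == "action" and v == SUSPECT_ACTION for k, v in params
    ):
        hits.append("raven_download_file_action")
    if any(contains_phar(k) or contains_phar(v) for k, v in params):
        hits.append("phar_wrapper_in_params")
    return hits


def scan(log_text):
    """Return (ip, target, hits) for every line matching at least one indicator."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = indicators(rec["target"])
        if hits:
            findings.append((rec["ip"], rec["target"], hits))
    return findings


if __name__ == "__main__":
    for ip, target, hits in scan(SAMPLE_LOG):
        print(f"{ip}  {', '.join(hits)}  {target}")
```

Feed it a real access log with scan(open(path).read()); the two indicator names map directly onto the SIEM query above, and a phar_wrapper_in_params hit on a non-admin-ajax path is still worth a look, since the same wrapper is the ingredient for PHAR deserialization elsewhere.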