A high-severity vulnerability has been disclosed in the Jupiter X Core WordPress plugin, which is installed on more than 90,000 websites. The flaw allows authenticated users with Contributor-level access or higher to upload a malicious SVG file and have the plugin execute PHP code embedded in it, giving the attacker remote code execution on the web server.

Details of the Vulnerability

The vulnerability, tracked as CVE-2025-0366, was discovered on January 6, 2025. It carries a CVSS score of 8.8 (High). Versions of the plugin before 4.8.8 are affected. The flaw lets an attacker with Contributor-level access or higher get past the plugin's SVG sanitization and abuse its get_svg() function, so that an uploaded file is not merely served but processed as PHP.

Technical Breakdown

The core issue lies in how the plugin handles SVG uploads and then loads them. An attacker uploads an SVG that carries PHP code; the sanitization step does not strip it, and when get_svg() processes that file the embedded PHP runs on the server, allowing execution of arbitrary code. Two weaknesses combine:

  • Improper Sanitization: The plugin does not adequately sanitize SVG uploads, so a file containing PHP code is accepted and stored.
  • Function Exploitation: The get_svg() function can be pointed at the uploaded file and made to execute the code it contains rather than treat it as inert image data.
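The following is an added example, not code from the Jupiter X Core plugin, from Artbees, or from the advisory. It illustrates the general class of weakness described above and gives responders a scan to run over an uploads directory. An SVG is XML, and `<?php ... ?>` is a well-formed XML processing instruction, not an element, so a sanitizer that only allow-lists element names never looks at it; the byte-level check below catches it regardless of whether the file parses. The sample SVGs, the `SAFE_ELEMENTS` subset, and the directory layout are all constructed for the example.

```python
"""Hunt for PHP code smuggled into SVG uploads (added example, not plugin code)."""
import re
import tempfile
from pathlib import Path
from xml.dom import minidom

# PHP open tags: <?php in any letter case, plus the short echo tag <?=
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)

# Constructed samples: a benign icon and one carrying a PHP processing instruction.
CLEAN_SVG = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<svg xmlns="http://www.w3.org/2000/svg" width="8" height="8">'
    b'<rect width="8" height="8" fill="#333"/></svg>'
)
TROJAN_SVG = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<svg xmlns="http://www.w3.org/2000/svg" width="8" height="8">'
    b'<?php echo "executed"; ?>'
    b'<rect width="8" height="8" fill="#333"/></svg>'
)

# Element names a typical allow-list sanitizer accepts (illustrative subset, assumed).
SAFE_ELEMENTS = {"svg", "g", "rect", "circle", "path", "title", "desc"}


def passes_element_allowlist(svg: bytes) -> bool:
    """Model of a naive sanitizer: accept the file if every element name is
    allowed. Returns True for TROJAN_SVG because the PHP PI is not an element."""
    doc = minidom.parseString(svg)

    def walk(node) -> bool:
        for child in node.childNodes:
            if child.nodeType == child.ELEMENT_NODE:
                if child.tagName.lower() not in SAFE_ELEMENTS:
                    return False
                if not walk(child):
                    return False
        return True

    return walk(doc)


def processing_instructions(svg: bytes) -> list[str]:
    """Targets of all processing instructions in the document, e.g. ['php'].
    A hardened sanitizer should reject any PI outright: an SVG needs none."""
    doc = minidom.parseString(svg)
    found: list[str] = []

    def walk(node) -> None:
        for child in node.childNodes:
            if child.nodeType == child.PROCESSING_INSTRUCTION_NODE:
                found.append(child.target)
            walk(child)

    walk(doc)
    return found


def contains_php(data: bytes) -> bool:
    """Byte-level check that does not depend on the file being well-formed XML."""
    return PHP_OPEN_TAG.search(data) is not None


def scan_uploads(root: Path) -> list[Path]:
    """Return every regular file under root that carries a PHP open tag.
    Nothing in a WordPress uploads tree should legitimately contain one."""
    return sorted(
        p for p in root.rglob("*")
        if p.is_file() and contains_php(p.read_bytes())
    )


def demo() -> list[str]:
    """Write the constructed samples to a scratch directory, scan it, and
    return the names of the flagged files."""
    root = Path(tempfile.mkdtemp(prefix="svg-hunt-"))
    (root / "logo.svg").write_bytes(CLEAN_SVG)
    (root / "avatar.svg").write_bytes(TROJAN_SVG)
    return [p.name for p in scan_uploads(root)]


if __name__ == "__main__":
    print("naive allow-list accepts trojan:", passes_element_allowlist(TROJAN_SVG))
    print("processing instructions:", processing_instructions(TROJAN_SVG))
    print("flagged files:", demo())
```

To triage a live site, call `scan_uploads(Path("wp-content/uploads"))`; any hit is worth a look regardless of extension, since an upload should never contain a PHP open tag. The structural lesson is that a sanitizer must reject processing instructions, comments and CDATA it does not need, not just unknown elements and attributes, and that server code should read an SVG as data and never hand its path to include or require.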

Response and Mitigation

The vulnerability was reported by a researcher known as stealthcopter through the Wordfence Bug Bounty Program, which paid a reward of $782. Artbees, the plugin's developer, released a patch on January 29, 2025.

The fix ships in Jupiter X Core version 4.8.8, and users should update to that version or later immediately; the installed version can be confirmed from the Plugins screen of the WordPress dashboard. Enabling automatic updates for all plugins and themes is recommended so that future fixes are applied without waiting on manual action.

Conclusion

This vulnerability highlights the importance of keeping WordPress plugins up to date. Site owners should regularly audit their installed plugins, remove unmaintained or unused ones, and adopt proactive security practices to reduce the attack surface. For more information on WordPress plugin vulnerabilities, see Security Flaws in WordPress Woffice Theme Prompts Urgent Update.