A essential vulnerability within the Jupiter X Core WordPress plugin, used on over 90,000 web sites, has been recognized by safety researchers.
The flaw, found on January 6, permits attackers with contributor privileges or larger to add malicious SVG information and execute distant code on weak servers. The difficulty (CVE-2025-0366) has been given a CVSS rating of 8.8 (Excessive).
Researchers from Wordfence disclosed that the vulnerability stems from improper sanitization of SVG file uploads and the plugin’s use of the get_svg() perform, enabling attackers to bypass safety controls.
The flaw permits attackers to add specifically crafted SVG information containing PHP code. By chaining this with a vulnerability within the get_svg() perform, malicious information might be executed on the server.
“This makes it doable for authenticated attackers, with Contributor-level entry and above, to incorporate and execute arbitrary information on the server, permitting the execution of any PHP code in these information,” Wordfence wrote.
“This can be utilized to bypass entry controls, receive delicate knowledge or obtain code execution.”
The vulnerability was reported by the researcher stealthcopter on January 6 2025, by way of the Wordfence Bug Bounty Program, incomes a $782 bounty.
A patch was launched on January 29 2025 by the plugin’s developer, Artbees, that addresses the problem.
“Whereas we don’t count on this vulnerability to be broadly exploited because of the minimal user-level requirement, vulnerabilities permitting for the add of .svg information are often restricted to Cross-Website Scripting payloads and don’t usually permit distant code execution through file add, which makes this vulnerability notably fascinating,” Wordfence defined.
Customers of Jupiter X Core are strongly urged to replace to model 4.8.8 instantly.
Specialists additionally advocate adopting proactive measures, reminiscent of enabling automated updates for plugins and themes at any time when doable, to forestall exploitation. Frequently auditing put in plugins and eradicating unused or outdated ones may also scale back the assault floor.
