A Newly Discovered WordPress Vulnerability Puts 90,000 Websites at Risk

A critical security flaw in the Jupiter X Core plugin for WordPress has been identified, potentially exposing over 90,000 websites to Local File Inclusion (LFI) and Remote Code Execution (RCE) attacks. This vulnerability, tracked as CVE-2025-0366, has been assigned a CVSS score of 8.8 (High), allowing authenticated users with contributor-level access to upload malicious SVG files and execute arbitrary code on the affected servers.

The Core of the Vulnerability

Jupiter X Core is an essential companion plugin for the premium Jupiter X theme, containing two key security weaknesses that attackers can exploit:

1. Unrestricted SVG File Upload

The plugin’s upload_files() function (within the Ajax_Handler class) permitted contributors to upload SVG files without proper content validation. While file names were randomized using PHP’s uniqid() function, the reliance on server microtime made it possible for attackers to predict filenames if they could estimate the upload timing. This flaw allowed them to upload malicious SVG files containing embedded PHP code, making remote code execution feasible.

2. Local File Inclusion (LFI) via get_svg()

The get_svg() method (inside the plugin’s Utils class) failed to properly sanitize user input, making it vulnerable to path traversal attacks. Attackers could manipulate the $file_name parameter to access arbitrary files on the server.

By uploading a malicious SVG file and then including it via crafted requests, an attacker could execute code on the server and gain full control of the affected site.

This vulnerability was first discovered through Wordfence’s Bug Bounty Program by a researcher known as stealth_copter, who received a $782 reward for reporting the issue.

Why This Vulnerability Is Critical

Privilege Escalation: Low-level contributors could gain full administrative control of the server.

Data Exposure: Attackers could access sensitive files such as wp-config.php, exposing database credentials and other critical information.

Persistent Backdoors: Hackers could install web shells and backdoors to maintain long-term access to compromised servers.

Mitigation and Security Patch

The plugin developer Artbees released a patched version (4.8.8) on January 29, 2025, addressing the following issues:

Strict File Validation – Only trusted users can now upload SVG files, and their content undergoes additional security filtering.

Path Sanitization – The get_svg() function now includes realpath checks, effectively blocking directory traversal attacks.
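As an added illustration, not Jupiter X Core's own code, here is a hypothetical PHP helper of the kind the patch description points to: a safe_get_svg() that confines reads to a trusted directory using realpath() and refuses SVG content that carries PHP or script tags. The function name, directory layout and sample file are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Hypothetical safe_get_svg() showing
// a realpath-based containment check plus a basic SVG content check.

function safe_get_svg(string $base_dir, string $file_name): ?string {
    // First layer: accept only a plain .svg file name with no path separators.
    if (!preg_match('/^[A-Za-z0-9_\-]+\.svg$/', $file_name)) {
        return null;
    }
    $real_base = realpath($base_dir);
    if ($real_base === false) {
        return null;
    }
    // realpath() resolves "..", "." and symlinks, and returns false if the file is missing.
    $candidate = realpath($real_base . DIRECTORY_SEPARATOR . $file_name);
    if ($candidate === false) {
        return null;
    }
    // Second layer: the resolved path must lie strictly inside the trusted directory.
    $prefix = $real_base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    $contents = file_get_contents($candidate);
    if ($contents === false) {
        return null;
    }
    // Third layer: a static SVG asset should never contain PHP or script markup.
    if (stripos($contents, '<?php') !== false || stripos($contents, '<script') !== false) {
        return null;
    }
    return $contents;
}

// Constructed demo: a temporary directory holding one harmless SVG.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'svg_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'icon.svg',
    '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>');

$checks = [
    'trusted file is served'        => safe_get_svg($dir, 'icon.svg') !== null,
    'traversal name is rejected'    => safe_get_svg($dir, '../../wp-config.php') === null,
    'missing file is rejected'      => safe_get_svg($dir, 'nope.svg') === null,
];
foreach ($checks as $label => $ok) {
    echo $label . ': ' . ($ok ? 'ok' : 'FAIL') . PHP_EOL;
}
```

Each layer is independent, so a name that slips past the regex is still caught by the realpath containment check, and a file that is in the right place but carries embedded code is still refused.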

Recommendations for Users

🔹 Update the Plugin – Ensure you are using Jupiter X Core version 4.8.8 or later.

🔹 Review User Roles – Minimize the number of contributor accounts and restrict permissions only to essential users.

🔹 Use a Web Application Firewall (WAF) – Deploy LFI/RCE protection to prevent exploitation attempts.

🔹 Audit Custom Themes and Plugins – Check for similar SVG/XML parsing vulnerabilities in other extensions.

🔹 Automated Security Scanning – Regularly scan WordPress sites with security tools to detect vulnerabilities before they are exploited.

🔹 Subscribe to Threat Intelligence Services – Stay informed about real-time security threats via Wordfence Intelligence or similar platforms.

Since WordPress powers 43% of the web, ensuring robust security is critical. Website administrators must take proactive measures to safeguard their sites from potential attacks. Following the security recommendations outlined above will significantly reduce the risk of exploitation and help maintain the integrity of WordPress websites. 🚀
