
A vulnerability has been discovered and patched in the popular Jupiter X Core WordPress plugin, which boasts over 90,000 active installations. The vulnerability, tracked as CVE-2025-0366, could allow authenticated attackers to gain remote code execution (RCE) on vulnerable sites.
The vulnerability, which received a CVSS score of 8.8, is an “SVG Upload to Local File Inclusion” vulnerability. According to Wordfence, “This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files.” This means that even users with limited privileges could potentially exploit the flaw to compromise an entire website.
The vulnerability resides within the get_svg() function of the Jupiter X Core plugin. Wordfence explained how the exploit chain works: “an attacker can create a form that allows SVG uploads, upload an SVG file with malicious content and then include the SVG file in a post to achieve remote code execution. This means it is relatively easy to gain remote code execution as a contributor-level user and above by default.”
The discovery of this vulnerability is attributed to the security researcher stealthcopter, who responsibly reported it through the Wordfence Bug Bounty Program, earning a reward of $782.00. Wordfence commended stealthcopter’s “outside of the box” thinking, noting that while SVG upload vulnerabilities are often limited to Cross-Site Scripting (XSS) attacks, this particular instance allowed for RCE, making it significantly more dangerous.
The technical analysis provided by Wordfence reveals that the plugin’s Ajax_Handler class uses the upload_files() function to handle SVG uploads. While filenames are randomized using the uniqid() function, Wordfence pointed out a weakness: “this function uses the server’s microtime to determine the random value, so if the exact time of upload is known, the generated value can be determined.” This, combined with the lack of proper sanitization in the get_svg() method, creates the opening for attackers to upload and execute malicious code.
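As an added illustration of the two weaknesses Wordfence describes (a time-derived uniqid() filename and a get_svg() that includes the uploaded file rather than reading it), here is a hypothetical PHP sketch that is not the plugin's own code, showing the weak pattern beside a hardened one; the function names, the $uploads_dir parameter and the directory layout are assumptions.

```php
<?php
// Added example, not the plugin's code: the weak pattern described above beside
// a hardened version. Function names, paths and $uploads_dir are hypothetical.

// Weak: uniqid() derives its value from the current microtime, so the stored
// name is guessable by anyone who knows roughly when the upload happened.
function stored_name_weak(): string {
    return uniqid() . '.svg';
}
// Weak: include() executes any PHP embedded in the "SVG" instead of rendering it.
function get_svg_weak(string $uploads_dir, string $name): string {
    ob_start();
    include $uploads_dir . '/' . $name;
    return (string) ob_get_clean();
}

// Hardened: name drawn from the CSPRNG, so knowing the upload time gives nothing.
function stored_name_safe(): string {
    return bin2hex(random_bytes(16)) . '.svg';
}
// Hardened: path confined to the uploads directory, file read as data and never
// executed, and the bytes checked to be an SVG document before being returned.
function get_svg_safe(string $uploads_dir, string $name): ?string {
    $base = realpath($uploads_dir);
    // basename() drops directory components; realpath() resolves symlinks and
    // "..", so the prefix check below cannot be bypassed by traversal.
    $path = realpath($uploads_dir . '/' . basename($name));
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    if (strtolower(pathinfo($path, PATHINFO_EXTENSION)) !== 'svg') {
        return null;
    }
    $data = file_get_contents($path);   // bytes only; include() is never used
    if ($data === false || $data === '') {
        return null;
    }
    // Parse with network access disabled; reject anything whose root is not <svg>.
    $prev = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $ok = $doc->loadXML($data, LIBXML_NONET);
    libxml_use_internal_errors($prev);
    if (!$ok || $doc->documentElement === null
        || $doc->documentElement->localName !== 'svg') {
        return null;
    }
    return $data;
}
```

The hardened version still returns raw SVG markup, so output that is rendered inline in a page should additionally be passed through an SVG sanitizer to address the XSS case the article mentions.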
Wordfence urged users to update to the latest patched version of Jupiter X Core, version 4.8.8, immediately. While the likelihood of widespread exploitation is considered lower due to the contributor-level access requirement, the potential impact of a successful attack is substantial. Website owners using the Jupiter X theme are strongly advised to take this update seriously and apply it as soon as possible to protect their sites from potential compromise. As always, maintaining up-to-date plugins and themes is a crucial aspect of overall WordPress security.