CVE-2025-0366
First published: Sat Feb 01 2025(Updated: )
The Jupiter X Core plugin for WordPress is vulnerable to Local File Inclusion to Remote Code Execution in all versions up to, and including, 4.8.7 via the get_svg() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution. In this specific case, an attacker can create a form that allows SVG uploads, upload an SVG file with malicious content and then include the SVG file in a post to achieve remote code execution. This means it is relatively easy to gain remote code execution as a contributor-level user and above by default.
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Artbees Jupiter X Core | <=4.8.7 | |
| Jupiter X Core | <4.8.8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://plugins.trac.wordpress.org/changeset/3231122/jupiterx-core/trunk/includes/extensions/raven/includes/modules/forms/classes/ajax-handler.php
- https://plugins.trac.wordpress.org/changeset/3231122/jupiterx-core/trunk/includes/extensions/raven/includes/modules/video/widgets/video.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/1a20dc1d-eb7c-47ac-ad9a-ec4c0d5db62e?source=cve
Frequently Asked Questions
What is the severity of CVE-2025-0366?
CVE-2025-0366 is considered a critical severity vulnerability due to its potential for remote code execution.
How do I fix CVE-2025-0366?
To fix CVE-2025-0366, update the Jupiter X Core plugin to the latest version that is not affected by this vulnerability.
Who is affected by CVE-2025-0366?
Authenticated users with Contributor-level access and above using versions up to and including 4.8.7 of the Jupiter X Core plugin are affected by CVE-2025-0366.
What type of vulnerability is CVE-2025-0366?
CVE-2025-0366 is classified as a Local File Inclusion vulnerability that can lead to Remote Code Execution.
What function is responsible for CVE-2025-0366?
The get_svg() function in the Jupiter X Core plugin is responsible for the CVE-2025-0366 vulnerability.
- agent/type
- agent/description
- agent/first-publish-date
- agent/severity
- agent/weakness
- agent/source
- agent/references
- agent/author
- agent/guess-ai
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/remedy
- agent/tags
- agent/softwarecombine
- agent/event
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- vendor/jupiter
- canonical/artbees jupiter x core
- vendor/artbees
- canonical/jupiter x core