High-Severity Vulnerability (CVE-2025-0366) Patched in Jupiter X Core WordPress Plugin

A security flaw, tracked as CVE-2025-0366, has been found in the Jupiter X Core WordPress plugin, which is active on more than 90,000 websites. The vulnerability lets authenticated attackers with Contributor-level access or higher achieve remote code execution by chaining an unrestricted SVG upload with a Local File Inclusion (LFI) flaw in the plugin.

Key details of the vulnerability and its resolution:

  • Discovery and Bounty: Researcher stealthcopter reported the vulnerability through the Wordfence Bug Bounty Program and received a reward of $782.
  • Technical Breakdown: Two weaknesses combine. First, the plugin's Ajax_Handler class accepted SVG uploads without validating their content, so an SVG file could carry an embedded PHP open tag and still be stored on the server. Second, the get_svg() method passed its $file_name parameter to include() without restricting it to a known icon directory, so an attacker who controlled that value could include arbitrary files from the filesystem. The chain is: upload an SVG containing PHP code, work out the name under which it was stored (the randomized portion of the filename was predictable), then point the video widget's icon setting at that file so get_svg() includes it and PHP executes the embedded code. Versions up to and including 4.8.7 are affected.
  • Risk and Impact: Exploitation requires a Contributor account, which raises the bar on sites with closed registration but not on sites that hand out Contributor roles to guest authors or allow self-registration. Once code execution is obtained, the attacker can escalate to administrator, exfiltrate data, install backdoors, or redirect visitors. The CVSS score is 8.8 (High), reflecting a severe impact on confidentiality, integrity, and availability.
  • Timeline of Remediation:
    • Wordfence released a firewall rule to Premium, Care, and Response customers on January 13, 2025.
    • Free users received the same protection on February 12, 2025.
    • Developer Artbees released a fully patched version, 4.8.8, on January 29, 2025.
  • Mitigation Measures: Site owners should update to version 4.8.8 or later immediately and review which accounts hold the Contributor role or above. Where SVG uploads are not needed, disable them; where they are, validate uploaded SVGs as well-formed XML and reject any file containing processing instructions or PHP open tags, since an SVG is a text format that include() will happily execute. Plugin developers should never pass user-controlled values to include(), require(), or similar functions; icons and templates should be selected from an allowlist and resolved against a fixed directory, with the resolved path checked to stay inside it. Administrators can subscribe to Wordfence Intelligence or a similar feed to receive alerts for newly disclosed plugin vulnerabilities.
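The two weaknesses described in the technical breakdown, each beside a hardened form, as an added PHP illustration. This is not Jupiter X Core's code, before or after the patch; the function names, the icon directory, and the sample SVGs are assumptions made for the example.

```php
<?php
// Added illustration, not the plugin's own code. Shows (1) an SVG upload
// handler that only checks the extension versus one that checks content, and
// (2) a get_svg()-style function that include()s a caller-controlled name
// versus one that resolves an allowlisted name inside a fixed directory.

// --- Weakness 1: SVG upload without content validation ---------------------
// Hypothetical vulnerable handler: any file whose name ends in .svg is stored.
function vulnerable_upload_svg(string $name, string $contents, string $upload_dir): string {
    if (!preg_match('/\.svg$/i', $name)) {
        throw new RuntimeException('only .svg accepted');
    }
    $dest = $upload_dir . '/' . basename($name);
    file_put_contents($dest, $contents);   // a "<?php ... ?>" inside the SVG is stored as-is
    return $dest;
}

// Hardened handler: reject any "<?" other than the XML declaration (a PHP tag
// hidden in a comment or CDATA section is invisible to an XML parser but not
// to include()), require a well-formed <svg> root, and reject <script>.
function safe_upload_svg(string $name, string $contents, string $upload_dir): string {
    if (!preg_match('/\.svg$/i', $name)) {
        throw new RuntimeException('only .svg accepted');
    }
    $body = preg_replace('/^\s*<\?xml[^>]*\?>/', '', $contents, 1);
    if (strpos($body, '<?') !== false) {
        throw new RuntimeException('processing instruction or PHP tag in SVG');
    }
    $prev = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $ok = $doc->loadXML($contents, LIBXML_NONET);   // LIBXML_NONET: no external fetches
    libxml_use_internal_errors($prev);
    if (!$ok || $doc->documentElement === null || $doc->documentElement->localName !== 'svg') {
        throw new RuntimeException('not a well-formed SVG document');
    }
    if ($doc->getElementsByTagNameNS('*', 'script')->length > 0) {
        throw new RuntimeException('script element in SVG');
    }
    // Store under a server-chosen, unpredictable name. This alone is not a
    // fix for the inclusion bug, but it removes the "predict the filename" step.
    $dest = $upload_dir . '/' . bin2hex(random_bytes(16)) . '.svg';
    file_put_contents($dest, $contents);
    return $dest;
}

// --- Weakness 2: include() of a caller-controlled file name ----------------
// Hypothetical vulnerable get_svg(): the widget setting becomes the path.
function vulnerable_get_svg(string $file_name): string {
    ob_start();
    include $file_name;            // "../uploads/2025/01/evil.svg" is executed as PHP
    return (string) ob_get_clean();
}

// Hardened: accept only a plain icon name, resolve it inside a fixed
// directory, confirm the real path stays inside it, and read the bytes
// rather than include() them so nothing is ever parsed as PHP.
function safe_get_svg(string $file_name, string $icon_dir): string {
    if (!preg_match('/^[a-z0-9_-]+$/i', $file_name)) {
        throw new InvalidArgumentException('bad icon name');
    }
    $base = realpath($icon_dir);
    $path = realpath($icon_dir . '/' . $file_name . '.svg');
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new InvalidArgumentException('icon outside allowed directory');
    }
    return (string) file_get_contents($path);
}

// --- Self-check with constructed inputs (run with: php this_file.php) ------
$tmp = sys_get_temp_dir() . '/svgdemo_' . bin2hex(random_bytes(4));
mkdir($tmp);
$benign  = '<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>';
$hostile = '<svg xmlns="http://www.w3.org/2000/svg"><!-- <?php system($_GET["c"]); ?> --></svg>';
$stored = safe_upload_svg('play.svg', $benign, $tmp);
echo "stored benign SVG as " . basename($stored) . "\n";
try {
    safe_upload_svg('play.svg', $hostile, $tmp);
} catch (RuntimeException $e) {
    echo "rejected hostile SVG: " . $e->getMessage() . "\n";
}
try {
    safe_get_svg('../../wp-config', $tmp);
} catch (InvalidArgumentException $e) {
    echo "rejected traversal: " . $e->getMessage() . "\n";
}
```

The byte-level `<?` check runs before the XML parse on purpose: the hostile sample above is perfectly well-formed XML, because the PHP tag sits inside a comment, yet `include` would still execute it. The `realpath` containment check in `safe_get_svg` is defence in depth behind the name allowlist; it also stops a symlink placed inside the icon directory from pointing elsewhere.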

The incident highlights two recurring problems in WordPress plugin security: treating SVG as an image format rather than as text that PHP will execute when included, and passing user-controlled values to include(). Restricting uploads to validated content, resolving file references against a fixed directory with an allowlist, and keeping Contributor accounts to a minimum address this class of bug regardless of the plugin involved.