Another serious WordPress plugin vulnerability could put 40,000 sites at risk of attack

LovabledanielsFebruary 20, 202565 Views

Security researchers find high-severity flaw in popular WordPress plugin
It allowed threat actors to run malicious code remotely
A patch was released in late January 2025

Jupiter X Core, a popular WordPress plugin with more than 90,000 users worldwide, is vulnerable to a high-severity flaw that allows threat actors to run arbitrary files on the server, essentially giving them the ability to fully take over target websites, experts have warned.

WordPress security researchers Wordfence revealed it was found to be vulnerable to a “Local File Inclusion to Remote Code Execution” flaw, now tracked as CVE-2025-0366. It has a severity score of 8.8/10 (high) and affects all versions up to, and including 4.8.7.

Jupiter X Core is a companion plugin for the Jupiter X WordPress theme, developed by Artbees. It extends the functionality of the theme by adding advanced features, such as custom page-building elements, theme customizer options, and enhanced design controls. The plugin is primarily used by web designers, developers, and business owners.

SVG uploads as the problem

“This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files,” Wordfence explained. “This can be used to bypass access controls, obtain sensitive data, or achieve code execution.”

Describing how a theoretical attack might look, Wordfence said that an attacker could create a form that allows SVG uploads, upload the file with malicious content, and then include the SVG file in a post, to run the code. The process makes RCE “relatively easy”, it added.

The bug was first spotted in early January 2025, with Artbees coming back with a patch before the end of the month. That being said, if you’re using Jupiter X Core, you should make sure you’re running at least version 4.8.8.

At press time, the WordPress website shows 46.8% of users running the latest version, meaning that more than 47,000 websites are still vulnerable.

Via Infosecurity Magazine

Weekly update

How water vapor is powering the next generation of soft robots

What the Christians of the Holy Land expect from Pope Leo XIV | Israel-Palestine conflict

Pope Leo XIV ‘deeply saddened’ by Gaza, calls for aid and a ceasefire

Weekly Newsletter

Another serious WordPress plugin vulnerability could put 40,000 sites at risk of attack

Leave a comment

Leave a Reply Cancel reply

Explore more

What the Christians of the Holy Land expect from Pope Leo XIV | Israel-Palestine conflict

Pope Leo XIV ‘deeply saddened’ by Gaza, calls for aid and a ceasefire

Iran says nuclear enrichment ‘non-negotiable’ before US talks in Oman | Nuclear Energy News

Trump offers to work with India, Pakistan on Kashmir ‘solution’ | India-Pakistan Tensions News

Scientists say this bismuth-powered chip is 40% faster than Intel’s best – are silicon processors officially finished?

Google is rolling out its Gemini AI chatbot to kids under 13. It’s a risky move

Facebook users are being tricked into downloading malware via fake crypto sites and celebrity-endorsed promotions

This tiny foldable keyboard hides a powerful Windows 11 desktop inside

Get to Know Us

Let's keep in touch