90,000 WordPress Sites Vulnerable to Local File Inclusion Attacks

19 February 2025

A severe security flaw in the Jupiter X Core plugin for WordPress exposed over 90,000 websites to Local File Inclusion (LFI) and Remote Code Execution (RCE) attacks.

The vulnerability tracked as CVE-2025-0366 with a CVSS score of 8.8 (High), enables authenticated attackers with contributor-level access to upload malicious SVG files and execute arbitrary code on vulnerable servers.

The exploit hinges on two chained weaknesses in Jupiter X Core, a companion plugin required for the premium Jupiter X theme.

Unrestricted SVG File Upload

The plugin’s upload_files() function (part of the Ajax_Handler class) allowed contributors to upload SVG files without proper content validation.

While file names were randomized using PHP’s uniqid(), the reliance on server microtime meant attackers could predict filenames if upload timing was known. This flaw permitted malicious SVG files containing embedded PHP code, such as:

Local File Inclusion via get_svg()

The get_svg() method in the plugin’s Utils class improperly sanitized user input, enabling path traversal. Attackers could manipulate the $file_name parameter to include arbitrary files:

By uploading a malicious SVG and forcing its inclusion via crafted requests, attackers achieve RCE. Notably, the researcher stealth copter discovered the flaw through Wordfence’s Bug Bounty Program, earning a $782 reward.

The vulnerability’s severity arises from its low barrier to exploitation:

Privilege Escalation: Contributors, typically low-privilege users, could gain full server control.
Data Exfiltration: Attackers could access sensitive files like wp-config.php or database credentials.
Persistence: Backdoors could be embedded via webshells, enabling long-term access.

Mitigation and Patch

Artbees, the plugin’s developer, released a patched version (4.8.8) on January 29, 2025, addressing:

Strict File Validation: Restricting SVG uploads to trusted users and sanitizing content.
Path Sanitization: Implementing realpath checks in get_svg() to block directory traversal.

Hence, users are advised to update to Jupiter X Core ≥4.8.8, audit user roles in minimizing contributor accounts, and implement web application firewalls (WAFs) with LFI/RCE rulesets.

Additionally, review custom themes/plugins for similar file handling flaws, particularly in SVG/XML parsers.

As WordPress powers 43% of the web, proactive vulnerability management remains critical. Administrators should prioritize automated scanning tools and subscribe to threat intelligence feeds like Wordfence Intelligence for real-time alerts.

Free Webinar: Better SOC with Interactive Malware Sandbox for Incident Response and Threat Hunting – Register Here

The post 90,000 WordPress Sites Vulnerable to Local File Inclusion Attacks appeared first on Cyber Security News.

>>More