A severe security flaw in the Jupiter X Core plugin for WordPress exposed over 90,000 websites to Local File Inclusion (LFI) and Remote Code Execution (RCE) attacks.
The vulnerability, tracked as CVE-2025-0366 with a CVSS score of 8.8 (High), enables authenticated attackers with contributor-level access to upload malicious SVG files and execute arbitrary code on vulnerable servers.
The exploit hinges on two chained weaknesses in Jupiter X Core, a companion plugin required for the premium Jupiter X theme.
The plugin’s upload_files() function (part of the Ajax_Handler class) allowed contributors to upload SVG files without proper content validation.
While file names were randomized using PHP’s uniqid(), the reliance on server microtime meant attackers could predict filenames if upload timing was known. This flaw permitted malicious SVG files containing embedded PHP code, such as:
The get_svg() method in the plugin’s Utils class improperly sanitized user input, enabling path traversal. Attackers could manipulate the $file_name parameter to include arbitrary files:
By uploading a malicious SVG and forcing its inclusion via crafted requests, attackers could achieve RCE. Notably, the researcher stealth copter discovered the flaw through Wordfence’s Bug Bounty Program, earning a $782 reward.
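The two weak spots described above, unvalidated SVG content and a path built from a user-supplied file name, have straightforward defensive counterparts. The following is an added illustration written for this article, not Jupiter X Core's own code; the function names, the $allowed_dir argument and the sample icon are assumptions.

```php
<?php
// Added illustration, not the plugin's code: hardened versions of the two
// operations described above. Names and sample input are assumptions.

// Map a user-supplied SVG name to a path that must stay inside $allowed_dir.
// Returns null on any doubt so the caller fails closed.
function safe_svg_path(string $file_name, string $allowed_dir): ?string
{
    // Plain file name only: no directory separators, no "..", .svg extension.
    if ($file_name !== basename($file_name)
        || !preg_match('/^[A-Za-z0-9_-]+\.svg$/', $file_name)) {
        return null;
    }
    $base = realpath($allowed_dir);
    $path = realpath($allowed_dir . DIRECTORY_SEPARATOR . $file_name);
    if ($base === false || $path === false) {
        return null;                      // missing file or directory
    }
    // realpath() collapses traversal and symlinks; the prefix test is the
    // real containment check, done on the resolved path, not on the input.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Accept an upload only if it is XML whose root is <svg> and which carries no
// processing instruction (the form embedded PHP takes inside an SVG), no
// DOCTYPE/ENTITY declaration, no <script> and no on* event handler attribute.
function is_clean_svg(string $contents): bool
{
    if (preg_match('/<!(DOCTYPE|ENTITY)/i', $contents)) {
        return false;                     // conservative: icons do not need a DTD
    }
    $prev = libxml_use_internal_errors(true);
    $dom  = new DOMDocument();
    $ok   = $dom->loadXML($contents, LIBXML_NONET);
    libxml_use_internal_errors($prev);
    if (!$ok || $dom->documentElement === null
        || strtolower($dom->documentElement->localName) !== 'svg') {
        return false;
    }
    $xpath = new DOMXPath($dom);
    $bad   = '//processing-instruction() | //*[local-name()="script"]'
           . ' | //@*[starts-with(name(), "on")]';
    return $xpath->query($bad)->length === 0;
}

// Constructed sample: an ordinary icon passes; a traversal-style name is refused.
$icon = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>';
var_dump(is_clean_svg($icon));
var_dump(safe_svg_path('../../outside.svg', sys_get_temp_dir()));
```

Both checks sit on the server side of the upload and include paths, so the randomness of uniqid() stops being a security boundary.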
The vulnerability’s severity arises from its low barrier to exploitation:
Artbees, the plugin’s developer, released a patched version (4.8.8) on January 29, 2025, addressing:
Users are therefore advised to update to Jupiter X Core ≥4.8.8, audit user roles to minimize contributor accounts, and implement web application firewalls (WAFs) with LFI/RCE rulesets.
Additionally, review custom themes/plugins for similar file handling flaws, particularly in SVG/XML parsers.
As WordPress powers 43% of the web, proactive vulnerability management remains critical. Administrators should prioritize automated scanning tools and subscribe to threat intelligence feeds like Wordfence Intelligence for real-time alerts.
The post 90,000 WordPress Sites Vulnerable to Local File Inclusion Attacks appeared first on Cyber Security News.