Local File Inclusion and Remote Code Execution in Jupiter X Core Plugin for WordPress
CVE-2025-0366
What is CVE-2025-0366?
CVE-2025-0366 is a vulnerability found in the Jupiter X Core plugin for WordPress, developed by Artbees. This plugin is widely used to enhance the functionality and customization of WordPress sites. The vulnerability permits authenticated users with Contributor-level access or higher to exploit the plugin’s get_svg() function, leading to Local File Inclusion and potential Remote Code Execution. This poses a serious threat to organizations utilizing the plugin, as it enables attackers to execute arbitrary PHP code on the server, compromising the integrity and confidentiality of their systems.
Technical Details
The vulnerability exists in all versions of the Jupiter X Core plugin up to and including version 4.8.7. It can be triggered by an authenticated attacker who creates a form that allows SVG file uploads. By uploading a malicious SVG file and including it in a post, the attacker can execute code on the server. This exploitation path reflects missing input validation and weak security controls in the plugin, and it is reachable by users with minimal permissions.
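Added example, not the plugin's code: the page does not show get_svg()'s implementation, so the PHP below only reconstructs the class of flaw it describes (a path that a post author influences being passed to include) next to a hardened helper that treats the file as data. wp_upload_dir() and wp_kses() are real WordPress core functions; the two function names and their signatures are hypothetical.

```php
<?php
// Added illustration, not Jupiter X Core's code: the advisory does not show
// get_svg() itself, so this only reconstructs the flaw class it describes.

// Hypothetical anti-pattern: a helper that hands a path the post author
// influenced (here, an uploaded "SVG") to include. include() runs any PHP
// open tag found in the file, so a disguised upload becomes code execution,
// and "../" segments walk out of the uploads directory (local file inclusion).
function get_svg_unsafe( string $file ): string {
    ob_start();
    include $file;                      // executes the file as PHP
    return (string) ob_get_clean();
}

// Hardened version: treat the file as data, pin it under the uploads
// directory, accept only .svg, and sanitize the markup before output.
function get_svg_safe( string $file ): string {
    $upload = wp_upload_dir();          // WordPress core API
    $base   = realpath( $upload['basedir'] );
    $path   = realpath( $base . '/' . ltrim( $file, '/' ) );

    // realpath() resolves "../" and symlinks; the trailing separator keeps
    // "/uploads-evil" from passing as "/uploads".
    if ( false === $base || false === $path
        || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        return '';
    }
    if ( 'svg' !== strtolower( pathinfo( $path, PATHINFO_EXTENSION ) ) ) {
        return '';
    }

    $svg = file_get_contents( $path );  // bytes only; PHP tags stay inert
    if ( false === $svg ) {
        return '';
    }

    // Allow-list of SVG elements/attributes; wp_kses() drops everything else
    // (script, foreignObject, on* handlers, xlink:href), so the file cannot
    // carry stored XSS into the post either.
    $allowed = array(
        'svg'  => array( 'xmlns' => true, 'viewbox' => true, 'width' => true,
                         'height' => true, 'fill' => true ),
        'g'    => array( 'fill' => true, 'stroke' => true, 'transform' => true ),
        'path' => array( 'd' => true, 'fill' => true, 'stroke' => true ),
    );
    return wp_kses( $svg, $allowed );
}
```

The same two checks (resolved path inside the uploads directory, extension allow-list) are what to look for when reviewing any helper that turns an upload reference into a filesystem path.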
Potential impact of CVE-2025-0366
- Unauthorized Code Execution: The vulnerability allows attackers to execute arbitrary code on the server, leading to potential system compromise. This level of access could result in the installation of malware or manipulation of website content.
- Data Breach Risks: With the capability to access sensitive data through code execution, this vulnerability heightens the risk of data breaches. Attackers may extract confidential information, including user credentials and proprietary content.
- Bypass of Access Controls: The exploit enables attackers to bypass existing access controls, granting them elevated privileges. This undermines the security posture of the organization and can lead to further exploitation of additional vulnerabilities within the system.
Affected Version(s)
Jupiter X Core: all versions <= 4.8.7