PHP Object Injection Vulnerability in Jupiter X Core Plugin for WordPress
CVE-2025-2105
What is CVE-2025-2105?
The Jupiter X Core plugin for WordPress is vulnerable to PHP Object Injection because the 'raven_download_file' function deserializes untrusted input supplied through the 'file' parameter. An attacker who can place a PHAR archive on the site and reference it through the 'file' parameter can have PHP deserialize the archive's metadata, instantiating attacker-chosen objects, provided the specific conditions below are met. The plugin itself has no known POP (property-oriented programming) chain, so object injection alone does not yield code execution; the risk rises when another installed plugin or theme supplies a usable gadget chain. Exploitation requires a downloadable-file form to exist on the site, which is why sites that accept file uploads are the most exposed. Alternatively, users with the Contributor role or higher can create the necessary form themselves.
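The following is an added illustration of the vulnerability class described above, not Jupiter X Core's own code: the plugin's real sink is not reproduced on this page, and every class, function and directory name here is hypothetical. It shows a handler that performs a filesystem operation on a caller-supplied path (which triggers PHAR metadata deserialization when the path uses the phar:// wrapper) beside a hardened handler that rejects stream wrappers and confines the path to an allowed directory, plus a stand-in gadget class of the kind a third-party plugin or theme might contribute.

```php
<?php
// Added example (hypothetical names throughout); not code from Jupiter X Core.

// Stand-in for a POP gadget that some *other* installed plugin or theme could
// provide. Jupiter X Core itself has no known chain, so a class like this is
// what turns object injection into impact.
class Hypothetical_Log_Writer {
    public $path;
    public $data;
    public function __destruct() {
        // A destructor that writes attacker-controlled data to an
        // attacker-controlled path is a classic gadget.
        file_put_contents($this->path, $this->data);
    }
}

// Vulnerable pattern: the 'file' parameter is handed straight to a filesystem
// function. For a value such as "phar://wp-content/uploads/x.jpg", PHP parses
// the archive and unserializes its metadata before file_exists() even returns,
// so attacker-chosen objects are instantiated (and later destructed).
function hypothetical_vulnerable_download(array $request): ?string {
    $file = (string) ($request['file'] ?? '');
    if ($file === '' || !file_exists($file)) {   // PHAR deserialization sink
        return null;
    }
    return $file;
}

// Hardened pattern: reject any stream wrapper, take only the base name, and
// require the resolved path to stay inside the directory served by the form.
function hypothetical_safe_download(array $request, string $allowed_dir): ?string {
    $raw = $request['file'] ?? '';
    if (!is_string($raw) || $raw === '') {
        return null;
    }
    // Any scheme prefix (phar://, php://, data://, ...) is refused outright.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $raw)) {
        return null;
    }
    $base = realpath($allowed_dir);
    if ($base === false) {
        return null;
    }
    $candidate = $base . DIRECTORY_SEPARATOR . basename($raw);
    $real = realpath($candidate);               // resolves symlinks and ".."
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Containment check: the resolved path must sit under $base.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Constructed requests for a quick comparison of the two handlers.
$allowed = sys_get_temp_dir();
$benign  = ['file' => 'report.pdf'];
$hostile = ['file' => 'phar://' . $allowed . '/upload.jpg'];

var_dump(hypothetical_safe_download($hostile, $allowed));   // NULL: wrapper refused
var_dump(hypothetical_safe_download($benign,  $allowed));   // path or NULL, never a wrapper
// hypothetical_vulnerable_download($hostile) would call file_exists() on the
// phar:// path and deserialize whatever metadata the archive carries.
```

Two practitioner notes on the hardened version: the scheme check is deliberately broader than "phar://" because other wrappers (php://filter, data://) bring their own problems, and the realpath()-based containment check is what stops traversal once the wrapper is gone. Setting phar.readonly=1 (the PHP default) blocks creation of PHAR archives on the server but does not stop PHP from reading, and therefore deserializing, one that was uploaded with an innocuous extension, so it is not a substitute for input validation at the sink.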
Affected Version(s)
Jupiter X Core, all versions up to and including 4.8.11