- Security researchers find high-severity flaw in popular WordPress plugin
- It allowed threat actors to run malicious code remotely
- A patch was released in late January 2025
Jupiter X Core, a popular WordPress plugin with more than 90,000 users worldwide, is vulnerable to a high-severity flaw that allows threat actors to run arbitrary files on the server, essentially giving them the ability to fully take over target websites, experts have warned.
WordPress security researchers Wordfence revealed it was found to be vulnerable to a “Local File Inclusion to Remote Code Execution” flaw, now tracked as CVE-2025-0366. It has a severity score of 8.8/10 (high) and affects all versions up to, and including 4.8.7.
Jupiter X Core is a companion plugin for the Jupiter X WordPress theme, developed by Artbees. It extends the functionality of the theme by adding advanced features, such as custom page-building elements, theme customizer options, and enhanced design controls. The plugin is primarily used by web designers, developers, and business owners.
SVG uploads as the problem
“This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files,” Wordfence explained. “This can be used to bypass access controls, obtain sensitive data, or achieve code execution.”
Describing how a theoretical attack might look, Wordfence said that an attacker could create a form that allows SVG uploads, upload the file with malicious content, and then include the SVG file in a post, to run the code. The process makes RCE “relatively easy”, it added.
The bug was first spotted in early January 2025, with Artbees coming back with a patch before the end of the month. That being said, if you’re using Jupiter X Core, you should make sure you’re running at least version 4.8.8.
At press time, the WordPress website shows 46.8% of users running the latest version, meaning that more than 47,000 websites are still vulnerable.
Leave a comment