
CVE-2025-0366

Severity: High

Published: 01 February 2025

Modified: 08 April 2026
KEV Added: (no date listed)
Patch: available (see Security Summary)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0064 (70.7th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

The Jupiter X Core plugin for WordPress is vulnerable to Local File Inclusion to Remote Code Execution in all versions up to, and including, 4.8.7 via the get_svg() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution. In this specific case, an attacker can create a form that allows SVG uploads, upload an SVG file with malicious content and then include the SVG file in a post to achieve remote code execution. This means it is relatively easy to gain remote code execution as a contributor-level user and above by default.

Security Summary

CVE-2025-0366 is a Local File Inclusion vulnerability leading to Remote Code Execution in the Jupiter X Core plugin for WordPress, affecting all versions up to and including 4.8.7. The flaw resides in the get_svg() function, which enables the inclusion and execution of arbitrary files on the server. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-98.

Authenticated attackers with Contributor-level access or higher can exploit this vulnerability to achieve remote code execution. The attack involves creating a form that permits SVG uploads, uploading an SVG file embedded with malicious PHP code, and then including that SVG file in a post via the vulnerable function. This grants the ability to execute arbitrary PHP code, bypass access controls, and obtain sensitive data.

Patches addressing this issue are available in WordPress plugin Trac changesets such as 3231122, which modify relevant files including ajax-handler.php in the raven forms module and video.php in the video widgets module of jupiterx-core. Further details on the vulnerability and exploitation chain are provided in advisories from Wordfence and security researcher Stealthcopter at the referenced URLs.

Details

CWE(s): CWE-98, NVD-CWE-Other

Affected Products

Vendor: artbees
Product: jupiter x core
Versions: ≤ 4.8.8

References