Another serious WordPress plugin vulnerability could put 40,000 sites at risk of attack


  • Security researchers find high-severity flaw in popular WordPress plugin
  • It allowed threat actors to run malicious code remotely
  • A patch was released in late January 2025

Jupiter X Core, a popular WordPress plugin with more than 90,000 users worldwide, is vulnerable to a high-severity flaw that allows threat actors to include and execute arbitrary files on the server, essentially giving them the ability to fully take over target websites, experts have warned.

WordPress security researchers at Wordfence revealed the plugin is vulnerable to a “Local File Inclusion to Remote Code Execution” flaw, now tracked as CVE-2025-0366. It has a severity score of 8.8/10 (high) and affects all versions up to and including 4.8.7.

Jupiter X Core is a companion plugin for the Jupiter X WordPress theme, developed by Artbees. It extends the functionality of the theme by adding advanced features, such as custom page-building elements, theme customizer options, and enhanced design controls. The plugin is primarily used by web designers, developers, and business owners.

SVG uploads as the problem

“This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files,” Wordfence explained. “This can be used to bypass access controls, obtain sensitive data, or achieve code execution.”

Describing how a theoretical attack might look, Wordfence said that an attacker could create a form that allows SVG uploads, upload a file with malicious content, and then include the SVG file in a post to run the code. The process makes RCE “relatively easy”, it added.

The bug was first spotted in early January 2025, and Artbees released a patch before the end of the month. In any case, if you’re using Jupiter X Core, you should make sure you’re running at least version 4.8.8.
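Two checks a site owner can run against the advisory described above, written for this page as an added example (not Wordfence's or Artbees' code): read the installed plugin's version from its standard WordPress plugin header and compare it against 4.8.8, and walk the uploads directory for files that carry a PHP open tag, which is what the SVG-upload path depends on. The sample header and upload files are constructed; a legitimate SVG's `<?xml` declaration is the edge case the scan must not flag.

```python
import re
import tempfile
from pathlib import Path

FIXED_VERSION = (4, 8, 8)  # first release the advisory names as patched

# "Version:" line of a standard WordPress plugin header, e.g. " * Version: 4.8.7"
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.MULTILINE)
# PHP open tags "<?php", "<?=" and the short tag "<? ". A well-formed SVG may begin
# with an XML declaration "<?xml", which this pattern deliberately does not match.
_PHP_TAG_RE = re.compile(rb"<\?(?:php\b|=|\s)", re.IGNORECASE)


def parse_plugin_version(header_text: str) -> tuple:
    """Extract the version from a WordPress plugin header as a tuple of ints."""
    m = _VERSION_RE.search(header_text)
    if not m:
        raise ValueError("no Version: line in plugin header")
    return tuple(int(p) for p in m.group(1).strip(".").split("."))


def is_vulnerable(version: tuple) -> bool:
    """True for every version up to and including 4.8.7."""
    return version < FIXED_VERSION


def contains_php_open_tag(data: bytes) -> bool:
    """True if the bytes carry a PHP open tag (an XML declaration does not count)."""
    return _PHP_TAG_RE.search(data) is not None


def scan_uploads(uploads_dir: Path) -> list:
    """Relative paths under uploads_dir whose contents carry a PHP open tag.
    Every file is checked regardless of extension: include() runs content, not names."""
    return sorted(
        str(p.relative_to(uploads_dir)).replace("\\", "/")
        for p in uploads_dir.rglob("*")
        if p.is_file() and contains_php_open_tag(p.read_bytes())
    )


def demo() -> list:
    """Scan a constructed sample tree: a benign SVG (XML declaration) and one hiding PHP."""
    with tempfile.TemporaryDirectory() as tmp:
        month = Path(tmp, "2025", "01")
        month.mkdir(parents=True)
        (month / "logo.svg").write_bytes(b'<?xml version="1.0"?><svg/>')
        (month / "icon.svg").write_bytes(b'<svg><!-- <?php echo "x"; ?> --></svg>')
        return scan_uploads(Path(tmp))  # ['2025/01/icon.svg']
```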

At press time, the WordPress website shows 46.8% of users running the latest version, meaning that more than 47,000 websites are still vulnerable.

Via Infosecurity Magazine


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
