Another serious WordPress plugin vulnerability could put 40,000 sites at risk of attack

News
By
published

A bug was found in Jupiter X Core, a popular WordPress plugin with 90,000 installations

Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
(Image credit: Shutterstock/monticello)
  • Security researchers find high-severity flaw in popular WordPress plugin
  • It allowed threat actors to run malicious code remotely
  • A patch was released in late January 2025

Jupiter X Core, a popular WordPress plugin with more than 90,000 users worldwide, is vulnerable to a high-severity flaw that allows threat actors to run arbitrary files on the server, essentially giving them the ability to fully take over target websites, experts have warned.

WordPress security researchers Wordfence revealed it was found to be vulnerable to a “Local File Inclusion to Remote Code Execution” flaw, now tracked as CVE-2025-0366. It has a severity score of 8.8/10 (high) and affects all versions up to, and including 4.8.7.

Jupiter X Core is a companion plugin for the Jupiter X WordPress theme, developed by Artbees. It extends the functionality of the theme by adding advanced features, such as custom page-building elements, theme customizer options, and enhanced design controls. The plugin is primarily used by web designers, developers, and business owners.

SVG uploads as the problem

“This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files,” Wordfence explained. “This can be used to bypass access controls, obtain sensitive data, or achieve code execution.”

Describing how a theoretical attack might look, Wordfence said that an attacker could create a form that allows SVG uploads, upload the file with malicious content, and then include the SVG file in a post, to run the code. The process makes RCE “relatively easy”, it added.

The bug was first spotted in early January 2025, with Artbees coming back with a patch before the end of the month. That being said, if you’re using Jupiter X Core, you should make sure you’re running at least version 4.8.8.

At press time, the WordPress website shows 46.8% of users running the latest version, meaning that more than 47,000 websites are still vulnerable.

Via Infosecurity Magazine

You might also like

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

More about security
data recovery

Ghost ransomware has hit firms in over 70 countries, FBI and CISA warn
The best free firewall

Palo Alto warns another major firewall hack has been detected
Volvo ES90 Teaser Images

The incoming Volvo ES90 is going to be a supercomputer-on-wheels, thanks to Nvidia – and that could give it an 'extra pair of eyes' for safety
See more latest