By Nermeen Nabil Khear - Security researchers find high-severity flaw in popular WordPress plugin
- It allowed threat actors to run malicious code remotely
- A patch was released in late January 2025
Jupiter X Core, a popular WordPress plugin with more than 90,000 users worldwide, is vulnerable to a high-severity flaw that allows threat actors to run arbitrary files on the server, essentially giving them the ability to fully take over target websites, experts have warned.
WordPress security researchers Wordfence revealed it was found to be vulnerable to a “Local File Inclusion to Remote Code Execution” flaw, now tracked as CVE-2025-0366. It has a severity score of 8.8/10 (high) and affects all versions up to, and including 4.8.7.
Jupiter X Core is a companion plugin for the Jupiter X WordPress theme, developed by Artbees. It extends the functionality of the theme by adding advanced features, such as custom page-building elements, theme customizer options, and enhanced design controls. The plugin is primarily used by web designers, developers, and business owners.
SVG uploads as the problem
“This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files,” Wordfence explained. “This can be used to bypass access controls, obtain sensitive data, or achieve code execution.”
Describing how a theoretical attack might look, Wordfence said that an attacker could create a form that allows SVG uploads, upload the file with malicious content, and then include the SVG file in a post, to run the code. The process makes RCE “relatively easy”, it added.
The bug was first spotted in early January 2025, with Artbees coming back with a patch before the end of the month. That being said, if you’re using Jupiter X Core, you should make sure you’re running at least version 4.8.8.
At press time, the WordPress website shows 46.8% of users running the latest version, meaning that more than 47,000 websites are still vulnerable.
You might also like
- This top WordPress plugin had a security flaw that could let hackers hijack your site
- We’ve rounded up the best password managers
- Take a look at our guide to the best authenticator app
This articles is written by : Nermeen Nabil Khear Abdelmalak
All rights reserved to : USAGOLDMIES . www.usagoldmines.com
You can Enjoy surfing our website categories and read more content in many fields you may like .
Why USAGoldMines ?
USAGoldMines is a comprehensive website offering the latest in financial, crypto, and technical news. With specialized sections for each category, it provides readers with up-to-date market insights, investment trends, and technological advancements, making it a valuable resource for investors and enthusiasts in the fast-paced financial world.