- Security researchers find a high-severity flaw in a popular WordPress plugin
- It allowed threat actors to execute malicious code remotely
- A patch was released at the end of January 2025
Jupiter X Core, a popular WordPress plugin with more than 90,000 users worldwide, is vulnerable to a high-severity flaw that allows threat actors to execute arbitrary files on the server, which essentially gives them the ability to take over target websites, experts have warned.
WordPress security researchers Wordfence revealed that the plugin was found to be vulnerable to a "local file inclusion to remote code execution" flaw, now tracked as CVE-2025-0366. It has a severity score of 8.8/10 (high) and affects all versions up to 4.8.7.
Jupiter X Core is a companion plugin to the Jupiter X WordPress theme, developed by Artbees. It extends the theme's functionality by adding advanced features, such as custom page-building elements, improved design customization options and design controls. The plugin is mainly used by web designers, developers and business owners.
SVG uploads are the problem
"This makes it possible for authenticated attackers, with contributor-level access and higher, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files," Wordfence explained. "This can be used to bypass access controls, obtain confidential data or achieve code execution."
Describing how a theoretical attack could look, Wordfence said an attacker could create a form that allows SVG uploads, upload a file with malicious content, and then include the SVG file in a post to execute the code. The process makes RCE "relatively easy," it added.
The flaw was first spotted in early January 2025, with Artbees responding with a patch before the end of the month. If you are using Jupiter X Core, you should make sure you are running at least version 4.8.8.
At press time, the WordPress website shows 46.8% of users running the latest version, which means that more than 47,000 websites remain vulnerable.
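For site owners who want to check their own installation, here is an added example (not code from Wordfence, Artbees or the original article). It compares the plugin header's version against 4.8.8 and flags uploaded SVG files that contain a PHP open tag. The function names and the PHP-tag heuristic are assumptions made for this example, and the plugin file and uploads directory are whatever paths the operator supplies.

```python
import re
import sys
from pathlib import Path

FIXED = (4, 8, 8)  # first patched release named in the article
# PHP open tags: "<?php", "<?=" and the short tag "<? "; a normal "<?xml" prolog does not match
PHP_TAG = re.compile(rb"<\?(?:php|=|\s)", re.IGNORECASE)
VERSION_LINE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9.]+)", re.MULTILINE | re.IGNORECASE)

def parse_version(header_text):
    """Return the 'Version:' value of a WordPress plugin header as a tuple of ints, or None."""
    m = VERSION_LINE.search(header_text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split(".") if p)

def is_vulnerable(header_text):
    """True when the version is below 4.8.8; an unreadable version also counts, for manual review."""
    version = parse_version(header_text)
    return version is None or version < FIXED

def svg_has_php(data):
    """True when the raw bytes of an SVG contain a PHP open tag."""
    return PHP_TAG.search(data) is not None

def scan_uploads(root):
    """Return the sorted paths of .svg files under root that contain a PHP open tag."""
    return sorted(
        str(p) for p in Path(root).rglob("*")
        if p.is_file() and p.suffix.lower() == ".svg" and svg_has_php(p.read_bytes())
    )

if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: script.py <plugin main file> <uploads directory> (paths supplied by the operator)
        header = Path(sys.argv[1]).read_text(errors="replace")[:8192]
        print("vulnerable version:", is_vulnerable(header))
        print("\n".join(scan_uploads(sys.argv[2])) or "no SVG with PHP tags found")
    else:
        # Constructed samples, not taken from a real site
        print(is_vulnerable("/**\n * Plugin Name: Jupiter X Core\n * Version: 4.8.7\n */"))
        print(svg_has_php(b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"/>'))
        print(svg_has_php(b"<svg><?php echo 'constructed'; ?></svg>"))
```

A hit from `scan_uploads` is a reason to inspect the file and the account that uploaded it, not proof of compromise. A clean result does not replace updating to 4.8.8.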
Via Infosecurity Magazine