CVE-2025-0366 in Jupiter X Core Plugin
Summary
by MITRE • 02/01/2025
The Jupiter X Core plugin for WordPress is vulnerable to Local File Inclusion to Remote Code Execution in all versions up to, and including, 4.8.7 via the get_svg() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution. In this specific case, an attacker can create a form that allows SVG uploads, upload an SVG file with malicious content and then include the SVG file in a post to achieve remote code execution. This means it is relatively easy to gain remote code execution as a contributor-level user and above by default.
Analysis
by VulDB Data Team • 02/25/2025
CVE-2025-0366 affects the Jupiter X Core plugin for WordPress in all versions up to and including 4.8.7. It lets an authenticated user with Contributor-level privileges or higher turn a local file inclusion into remote code execution. The flaw sits in the plugin's get_svg() function, which takes a file path and includes the file into the rendering pipeline instead of reading it as data; because that path is not sufficiently validated or confined before inclusion, a file the attacker controls can be pulled in and any PHP it contains is executed by the server. What makes this worse than a typical LFI is the privilege level: Contributor is the role WordPress sites routinely hand to guest authors and other semi-trusted users, so the pool of potential attackers is wide.
Exploitation follows the chain given in the CVE entry. The attacker first creates a form through the plugin that permits SVG uploads (WordPress core does not accept SVG in its default upload allow-list, so this step supplies the upload path), then uploads an SVG whose body carries PHP code, and finally references that file from a post so that get_svg() includes it. The PHP inside the SVG runs at inclusion time, not at upload time, which is why upload-side validation does not stop it: the file is accepted as an image and only later treated as code. In effect a local file inclusion is converted into remote code execution by user-supplied SVG content.
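The two patterns at the heart of this bug, as an added illustration of the vulnerability class rather than Jupiter X Core's own source: an include of a caller-supplied path, which runs any PHP inside the file, beside a version that reads the file as data and confines it to a fixed icon directory. The function names, the icon directory and the constructed sample files are assumptions for the demo.

```php
<?php
// Illustration of the vulnerability class, NOT Jupiter X Core source code.
// Function names, the icon directory and the sample files are assumptions.

// Vulnerable pattern: the path ends up in include(), so an uploaded .svg
// that carries "<?php ... ?>" is executed instead of being served as markup.
function get_svg_unsafe(string $path): string
{
    ob_start();
    include $path;
    return (string) ob_get_clean();
}

// Hardened pattern: read the file as data, confine it to one directory
// of shipped icons, and refuse anything that is not a plain .svg name.
function get_svg_safe(string $name, string $icon_dir): ?string
{
    // Only a bare file name with a .svg suffix: no separators, no "..".
    if (!preg_match('/\A[a-z0-9_-]+\.svg\z/i', $name)) {
        return null;
    }
    $base = realpath($icon_dir);
    $full = realpath($icon_dir . DIRECTORY_SEPARATOR . $name);
    // realpath() resolves symlinks and "..", so a prefix check on the
    // resolved path is the authoritative containment test.
    if ($base === false || $full === false
        || strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    $data = file_get_contents($full);   // data, never include/require
    if ($data === false) {
        return null;
    }
    // Defence in depth: a PHP open tag has no place in an icon. The pattern
    // deliberately does not match the "<?xml" prolog legitimate SVGs start with.
    if (preg_match('/<\?(?:php\b|=)/i', $data)) {
        return null;
    }
    return $data;
}

// Constructed demo: one clean icon, one icon with planted PHP.
$dir = sys_get_temp_dir() . '/svg_demo_' . getmypid();
mkdir($dir, 0700);
file_put_contents("$dir/ok.svg",   '<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"/>');
file_put_contents("$dir/evil.svg", '<svg xmlns="http://www.w3.org/2000/svg"/><?php echo "planted"; ?>');

var_dump(get_svg_safe('ok.svg', $dir) !== null);   // clean icon is served
var_dump(get_svg_safe('evil.svg', $dir));          // planted PHP is refused
var_dump(get_svg_safe('../evil.svg', $dir));       // traversal is refused
var_dump(get_svg_unsafe("$dir/evil.svg"));         // unsafe path runs the planted code

unlink("$dir/ok.svg"); unlink("$dir/evil.svg"); rmdir($dir);
```

The decisive change is file_get_contents() in place of include: once the file is handled as bytes, a PHP tag inside it is inert no matter what the upload filter let through. The name allow-list and the realpath() prefix check then remove the path-traversal half of the problem, and the open-tag scan only catches a file that should never have been in the icon directory in the first place.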
The impact goes beyond running the code in the SVG. With arbitrary PHP executing in the web server's context an attacker can read wp-config.php and the database credentials it holds, dump or alter database contents, promote their own account to Administrator, change site content, or drop further payloads and web shells. Exploitation needs no memory corruption or timing tricks, only an account with the Contributor role and the ability to author a post, so the bar is low on any site that hands that role to people it does not fully trust, which is precisely what the role exists for.
Remediation is to update Jupiter X Core to a release later than 4.8.7 on every site that runs it; that is the only fix that removes the inclusion itself. Until then, and as defence in depth afterwards: a web application firewall can be tuned to reject SVG uploads that contain PHP open tags and to flag inclusion attempts, bearing in mind that such rules are a stopgap and can be evaded by encoding tricks; the Contributor role should be granted only where needed, and any extra capabilities this or other plugins attach to it should be removed; file integrity monitoring should cover both the plugin's own files and wp-content/uploads, where a planted SVG carrying PHP is the telltale artefact; and incident response playbooks should treat a newly uploaded SVG referenced from a post by a low-privilege user as a signal worth investigating. The weakness is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), and post-exploitation maps to ATT&CK T1505.003 (Server Software Component: Web Shell), since the planted file is in effect a web shell.
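A check that belongs next to the integrity monitoring recommended above, added here and not from VulDB or the plugin vendor: walk the uploads directory and flag every .svg file that carries a PHP open tag, the artefact the exploitation chain leaves on disk. The directory argument and the constructed demo files are assumptions; the `<?xml` prolog that legitimate SVGs begin with is deliberately not matched.

```php
<?php
// Added hunting script (not from VulDB or the plugin vendor). Walks an uploads
// directory and reports every .svg file containing a PHP open tag. The path
// given on the command line is an assumption; without one, a constructed
// demo tree is scanned instead.

function find_php_in_svg(string $uploads_dir): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($uploads_dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile() || strtolower($file->getExtension()) !== 'svg') {
            continue;
        }
        $data = file_get_contents($file->getPathname());
        if ($data === false) {
            continue;
        }
        // "<?xml ...?>" prologs are normal in SVG; "<?php" and "<?=" are not.
        if (preg_match('/<\?(?:php\b|=)/i', $data, $m, PREG_OFFSET_CAPTURE)) {
            $hits[] = [
                'path'   => $file->getPathname(),
                'offset' => $m[0][1],
                'mtime'  => date('c', $file->getMTime()),
            ];
        }
    }
    return $hits;
}

// Usage on a real site (path is an assumption):
//   php scan_svg.php /var/www/html/wp-content/uploads
$dir  = $argv[1] ?? null;
$demo = ($dir === null);
if ($demo) {
    // Constructed demo tree: one legitimate icon, one with planted PHP.
    $dir = sys_get_temp_dir() . '/uploads_demo_' . getmypid();
    mkdir("$dir/2025/02", 0700, true);
    file_put_contents("$dir/2025/02/logo.svg",
        "<?xml version=\"1.0\"?>\n<svg xmlns=\"http://www.w3.org/2000/svg\"/>");
    file_put_contents("$dir/2025/02/icon.svg",
        "<svg xmlns=\"http://www.w3.org/2000/svg\"/>\n<?php echo 'planted'; ?>");
}

foreach (find_php_in_svg($dir) as $hit) {
    printf("%s  offset=%d  mtime=%s\n", $hit['path'], $hit['offset'], $hit['mtime']);
}

if ($demo) {
    unlink("$dir/2025/02/logo.svg");
    unlink("$dir/2025/02/icon.svg");
    rmdir("$dir/2025/02"); rmdir("$dir/2025"); rmdir($dir);
}
```

The modification time is reported alongside the path because on a compromised site it narrows the window to search in the access log for the upload request and the post that later referenced the file; run the scan from a cron job or your integrity monitor and alert on any hit, since a legitimate SVG never needs a PHP tag.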