Critical WordPress Plugin Vulnerability Puts Over 90,000 Sites at Risk

February 19, 2025

A critical vulnerability in the Jupiter X Core plugin—a tool trusted by over 90,000 WordPress websites—has been uncovered, exposing sites to potential remote code execution attacks. Security experts have flagged this issue, tracked as CVE-2025-0366, with a high CVSS score of 8.8.

What’s the Issue?

The vulnerability originates from the plugin’s handling of SVG file uploads. Due to inadequate sanitization, attackers with at least contributor-level access can upload maliciously crafted SVG files containing PHP code. The exploit leverages a flaw in the plugin’s get_svg() function, allowing unauthorized code execution on the server. According to Wordfence, this means that an attacker could bypass existing security controls to run arbitrary PHP code, potentially leading to data breaches or complete site compromise.

Timeline & Patch Details

Discovery:The flaw was first identified on January 6, 2025, by the researcher known as stealthcopter through the Wordfence Bug Bounty Program. For the discovery, a bounty of $782 was awarded.
Resolution:In response, the developer Artbees released a patch on January 29, 2025. Website administrators are urged to update to version 8.8 of the Jupiter X Core plugin immediately to secure their sites.

For further details, see the InfoSecurity Magazine report.

Get in touch with us, today

Call, chat with a representative, or fill out the form

202-506-0448

Fill Out Form

Schedule Consult

We Recommend the following for your WP Websites

While the vulnerability requires a minimum of contributor-level access to exploit, cybersecurity experts emphasize that all WordPress sites can benefit from enhanced security practices. Here are some key recommendations:

Update Immediately: Ensure that the Jupiter X Core plugin is updated to version 4.8.8.
Enable Automatic Updates: Where possible, configure plugins and themes to update automatically, minimizing the window for potential exploits.
Regular Security Audits: Periodically review installed plugins and remove any that are outdated or unnecessary.
Restrict User Privileges: Limit access rights to reduce the risk of internal abuse that could be exploited by attackers.

These measures align with industry best practices to mitigate the risks associated with vulnerabilities such as this one.

The discovery of this vulnerability is a stark reminder of the importance of maintaining up-to-date software and rigorous security practices on WordPress sites. With over 90,000 sites at risk, prompt action is critical. Keeping your website secure not only protects your data but also preserves your visitors’ trust.

References:

Let's get Started, Sign Up Today!

<span style="font-size:20px;">by</span> Fevi Yu

by Fevi Yu

SEO Consultant since 2008

Fevi Yu is a seasoned SEO consultant, digital agency founder, and the visionary behind the Basic Website Package—an innovative web and SEO solution crafted for business owners aiming for immediate results. She’s also the creator of the Unlimited WP Maintenance Package, which provides comprehensive WordPress support to enhance website performance and ensure long-term success. This article was written with the assistance of generative AI for enhanced clarity and precision.