Critical WordPress Plugin Vulnerability Puts Over 90,000 Sites at Risk

Critical WordPress Plugin Vulnerability

February 19, 2025

A critical vulnerability in the Jupiter X Core plugin—a tool trusted by over 90,000 WordPress websites—has been uncovered, exposing sites to potential remote code execution attacks. Security experts have flagged this issue, tracked as CVE-2025-0366, with a high CVSS score of 8.8.

What’s the Issue?

The vulnerability originates from the plugin’s handling of SVG file uploads. Due to inadequate sanitization, attackers with at least contributor-level access can upload maliciously crafted SVG files containing PHP code. The exploit leverages a flaw in the plugin’s get_svg() function, allowing unauthorized code execution on the server. According to Wordfence, this means that an attacker could bypass existing security controls to run arbitrary PHP code, potentially leading to data breaches or complete site compromise.

Timeline & Patch Details

  • Discovery:The flaw was first identified on January 6, 2025, by the researcher known as stealthcopter through the Wordfence Bug Bounty Program. For the discovery, a bounty of $782 was awarded.
  • Resolution:In response, the developer Artbees released a patch on January 29, 2025. Website administrators are urged to update to version 8.8 of the Jupiter X Core plugin immediately to secure their sites.

For further details, see the InfoSecurity Magazine report.

Get in touch with us, today

Call, chat with a representative, or fill out the form
202-506-0448
Fill Out Form
Schedule Consult

We Recommend the following for your WP Websites

While the vulnerability requires a minimum of contributor-level access to exploit, cybersecurity experts emphasize that all WordPress sites can benefit from enhanced security practices. Here are some key recommendations:

  • Update Immediately: Ensure that the Jupiter X Core plugin is updated to version 4.8.8.
  • Enable Automatic Updates: Where possible, configure plugins and themes to update automatically, minimizing the window for potential exploits.
  • Regular Security Audits: Periodically review installed plugins and remove any that are outdated or unnecessary.
  • Restrict User Privileges: Limit access rights to reduce the risk of internal abuse that could be exploited by attackers.

These measures align with industry best practices to mitigate the risks associated with vulnerabilities such as this one.

The discovery of this vulnerability is a stark reminder of the importance of maintaining up-to-date software and rigorous security practices on WordPress sites. With over 90,000 sites at risk, prompt action is critical. Keeping your website secure not only protects your data but also preserves your visitors’ trust.

References:

Let's get Started, Sign Up Today!

Sign Up
<span style="font-size:20px;">by</span> Fevi Yu
by Fevi Yu

SEO Consultant since 2008 · Pubcon Speaker

Fevi Yu is a seasoned SEO consultant, digital agency founder, and Pubcon speaker. She is the creator of the Basic Website Package—the only web design and technical SEO-integrated solution proven to rank and generate inquiries within weeks of launch. Her clients’ websites consistently appear on the first page of results—both in traditional search and AI-generated responses. Her writing focuses on strategies that help clients grow and compete online.

Newsletter Sign Up
© 2025 WOWebsites LLC. All Rights Reserved