CVE-2025-2105

Name of the Vulnerable Software and Affected Versions Jupiter X Core plugin for WordPress versions up to, and including, 4.8.11

Description The issue allows for PHP Object Injection via deserialization of untrusted input from the file parameter of the raven download file function, making it possible for attackers to inject a PHP Object through a PHAR file. This vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code. The vulnerability can be exploited by unauthenticated attackers if a form with the file download action and the ability to upload files is present on the site.

Recommendations For versions up to, and including, 4.8.11, update to a version that contains a fix for this issue to prevent PHP Object Injection. As a temporary workaround, consider disabling the raven download file function until a patch is available. Restrict access to the file upload feature to minimize the risk of exploitation. Avoid using the file parameter in the affected function until the issue is resolved.