CVE-2025-0366

Name of the Vulnerable Software and Affected Versions Jupiter X Core plugin for WordPress versions up to, and including, 4.8.7

Description The issue allows authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, enabling the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution. An attacker can create a form that allows SVG uploads, upload an SVG file with malicious content, and then include the SVG file in a post to achieve remote code execution. Approximately 90,000 sites are at risk due to this vulnerability. The get svg() function is specifically vulnerable to Local File Inclusion to Remote Code Execution.

Recommendations For Jupiter X Core plugin for WordPress versions up to, and including, 4.8.7, update to a version that contains a fix for this issue to prevent remote code execution. As a temporary workaround, consider disabling the get svg() function until a patch is available. Restrict access to the plugin's SVG upload feature to minimize the risk of exploitation. Avoid using the plugin's SVG upload feature until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.