Summary: A serious vulnerability in the Jupiter X Core WordPress plugin, installed on over 90,000 websites, allows authenticated attackers with Contributor-level access or higher to upload malicious SVG files and achieve remote code execution. The flaw (CVE-2025-0366), reported on January 6, 2025, stems from improper sanitization of uploaded files and carries a CVSS score of 8.8 (High). Site owners should update to the patched version 4.8.8 immediately.
Affected: Jupiter X Core WordPress plugin
Key points:
- Authenticated users with Contributor-level access or higher can upload specially crafted SVG files containing PHP code and have that code executed on the server.
- Reported by security researcher stealthcopter, who earned a bounty through the Wordfence Bug Bounty Program.
- The fix shipped in version 4.8.8 on January 29, 2025; users are encouraged to enable automatic updates and regularly audit installed plugins to reduce risk.
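Responders checking whether a site was hit by this class of bug want a quick way to find SVG uploads that carry PHP or active content. The following triage script is an added example for this summary, not code from Jupiter X Core, Wordfence or the article; it assumes uploads live under wp-content/uploads and uses an illustrative pattern list, not the specific payload or vulnerable function from CVE-2025-0366. The sample files it scans are constructed for the demonstration.

```python
"""Triage helper: flag SVG files in a WordPress uploads tree that carry
PHP or active-content payloads.

Added example for this summary, not code from Jupiter X Core, Wordfence
or the article. Assumes uploads live under wp-content/uploads; the
pattern list is an illustrative heuristic, not the exact payload from
CVE-2025-0366.
"""
import re
import tempfile
from pathlib import Path

# Byte patterns that have no business inside a benign SVG upload.
PATTERNS = {
    "php_open_tag": re.compile(rb"<\?(php\b|=)", re.IGNORECASE),
    "php_short_tag": re.compile(rb"<\?\s"),
    "script_element": re.compile(rb"<script\b", re.IGNORECASE),
    "event_handler": re.compile(rb"\son[a-z]+\s*=", re.IGNORECASE),
    "foreign_object": re.compile(rb"<foreignObject\b", re.IGNORECASE),
}


def scan_svg_bytes(data: bytes) -> list[str]:
    """Return the names of every pattern that matches one file's bytes."""
    return [name for name, rx in PATTERNS.items() if rx.search(data)]


def scan_uploads(root: Path) -> dict[str, list[str]]:
    """Recursively scan *.svg under root; map relative path -> findings."""
    findings = {}
    for path in sorted(root.rglob("*.svg")):
        hits = scan_svg_bytes(path.read_bytes())
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


# Constructed sample files (not real artefacts from any compromised site).
SAMPLES = {
    "2025/01/logo.svg": (
        b'<?xml version="1.0"?>\n'
        b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
        b'<circle cx="5" cy="5" r="4"/></svg>\n'
    ),
    "2025/01/banner.svg": (
        b'<svg xmlns="http://www.w3.org/2000/svg">'
        b'<?php system($_GET["cmd"]); ?></svg>\n'
    ),
    "2025/02/icon.svg": (
        b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
        b'<script>fetch("https://example.invalid/x")</script></svg>\n'
    ),
}


def demo() -> dict[str, list[str]]:
    """Write the constructed samples into a temporary uploads tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "wp-content" / "uploads"
        for rel, body in SAMPLES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        return scan_uploads(root)


if __name__ == "__main__":
    for rel, hits in demo().items():
        print(f"{rel}: {', '.join(hits)}")
```

Point `scan_uploads` at a real wp-content/uploads directory to sweep a site; a hit on `php_open_tag` in an SVG is a strong indicator that an attacker planted a payload, while `script_element` and `event_handler` hits indicate SVGs that are unsafe to serve inline even if no PHP is present.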
Source: https://www.infosecurity-magazine.com/news/wordpress-plugin-flaw-exposes/