71/68 Friday, February 21, 2025
Security researchers from Wordfence have disclosed a critical vulnerability (CVE-2025-0366) in the Jupiter X Core plugin, which is used on over 90,000 websites. The vulnerability was discovered on January 6, 2025, and has been assigned a severity score of 8.8 out of 10 based on the CVSS standard. This flaw could allow attackers with at least Contributor-level privileges to upload malicious SVG files and execute remote code on vulnerable servers. The issue stems from insecure SVG file uploads and the use of the plugin’s get_svg() function, which enables attackers to bypass security measures.
Wordfence explained that this vulnerability could allow hackers to embed PHP code within specially crafted SVG files. When exploited in combination with the get_svg() function flaw, the code can be executed directly on the server. The impact of this vulnerability is severe, as it may enable attackers to bypass access controls, steal sensitive data, or even take control of the target server. However, Wordfence noted that the likelihood of widespread exploitation is relatively low, as the attack requires at least Contributor-level permissions, limiting the pool of potential attackers.
The plugin’s developer, Artbees, released a patch on January 29, 2025, urging users to immediately update to version 4.8.8 to protect against potential attacks. Security experts also recommend enabling automatic updates for plugins and themes, regularly auditing installed plugins, and removing any unused or outdated plugins to minimize future security risks.
Source https://www.infosecurity-magazine.com/news/wordpress-plugin-flaw-exposes/
