CVE-2025-0366 Overview
CVE-2025-0366 is a Local File Inclusion (LFI) vulnerability in the Jupiter X Core plugin for WordPress that escalates to Remote Code Execution (RCE). The flaw resides in the get_svg() function and affects all versions up to and including 4.8.7. Authenticated attackers with Contributor-level access or higher can chain an SVG upload with file inclusion to execute arbitrary PHP code on the server. The attack involves creating a form that permits SVG uploads, uploading a malicious SVG containing PHP, and then referencing that file in a post. The vendor Artbees has released a patched version through the WordPress plugin repository.
Critical Impact
Authenticated contributors can achieve remote code execution on the underlying WordPress host, leading to full site compromise and potential lateral movement.
Affected Products
- Artbees Jupiter X Core plugin for WordPress
- All versions up to and including 4.8.7
- WordPress sites permitting Contributor-level registration with Jupiter X Core installed
Discovery Timeline
- 2025-02-01 - CVE-2025-0366 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2025-0366
Vulnerability Analysis
The vulnerability is classified under [CWE-98] (Improper Control of Filename for Include/Require Statement in PHP Program). The get_svg() function in the Jupiter X Core plugin accepts a file path parameter without adequately validating the file type or origin before passing it to a PHP include operation. When the included file contains PHP code, the interpreter executes it in the context of the WordPress process.
Attackers exploit this through a two-stage chain. First, they create a Raven form widget configured to accept SVG file uploads. Because SVG is an XML-based format, the file can embed <?php ... ?> blocks alongside valid SVG markup. After uploading the crafted SVG, the attacker references its path inside a post that renders the file through get_svg(), triggering PHP execution.
Root Cause
The root cause is missing validation of user-controlled file paths and content types within the get_svg() handler in ajax-handler.php and the video widget at video.php. The function trusts contributor-supplied input and includes the referenced file without restricting it to a safelist of trusted directories or sanitizing the extension.
Attack Vector
The attack vector is network-based and requires authentication at the Contributor role or above. On WordPress installations where open registration grants Contributor privileges by default, the barrier to exploitation is minimal. The attacker submits a form configured to accept SVG uploads, posts a malicious SVG file containing embedded PHP, then issues a request that causes the plugin to include the SVG file as PHP. Successful exploitation yields code execution under the web server account, enabling webshell deployment, credential theft from wp-config.php, and pivoting to other tenants on shared hosting.
For a detailed exploitation walkthrough, see the Stealthcopter RCE Analysis and the Wordfence Vulnerability Report.
Detection Methods for CVE-2025-0366
Indicators of Compromise
- SVG files in the WordPress uploads directory containing <?php tags or <script type="application/x-php"> elements
- Unexpected PHP files in wp-content/uploads/ with recent modification timestamps
- POST requests to admin-ajax.php invoking Raven form actions with SVG attachments from low-privilege accounts
- Outbound network connections from the PHP-FPM or Apache worker process to attacker-controlled infrastructure
Detection Strategies
- Inspect uploaded SVG content for embedded PHP tags, foreign script blocks, or base64-encoded payloads prior to storage
- Monitor WordPress audit logs for posts created by Contributor accounts that reference files under wp-content/uploads/
- Alert on get_svg() invocations where the resolved path falls outside expected theme or media directories
- Correlate new Contributor account registration with subsequent form creation and media upload events
Monitoring Recommendations
- Enable WordPress activity logging that captures user role changes, post creation, and media uploads
- Forward web server logs and PHP error logs to a centralized analytics platform for anomaly identification
- Track child process creation from php-fpm or apache2 processes, particularly spawns of sh, bash, or network utilities
- Review file integrity monitoring alerts for new PHP files within plugin and uploads directories
How to Mitigate CVE-2025-0366
Immediate Actions Required
- Update Jupiter X Core to the patched version released by Artbees in changeset 3231122 on the WordPress plugin repository
- Audit existing Contributor and Author accounts for legitimacy and disable open registration if not required
- Scan wp-content/uploads/ for SVG files containing PHP tags and quarantine any matches
- Rotate WordPress secret keys, database credentials, and admin passwords if compromise is suspected
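The SVG inspection called for under Detection Strategies and the uploads scan in the Immediate Actions list, as one added Python example; this is not code from the page, from Artbees or from Wordfence, and the sample SVG bodies and the uploads path are constructed for illustration.

```python
import base64
import re
from pathlib import Path
# PHP-style openers only: <?xml and other processing instructions are legitimate in SVG.
PHP_OPEN = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)       # <?php ... or <?= ...
SHORT_OPEN = re.compile(rb"<\?\s")                               # bare "<? " short open tag
PHP_SCRIPT = re.compile(rb"<script[^>]*type\s*=\s*['\"]application/x-php['\"]", re.IGNORECASE)
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")               # candidate encoded blobs

def scan_svg_bytes(data: bytes) -> list[str]:
    """Return the findings for one SVG body; an empty list means nothing suspicious."""
    findings = []
    if PHP_OPEN.search(data):
        findings.append("php-open-tag")
    if SHORT_OPEN.search(data):
        findings.append("php-short-open-tag")
    if PHP_SCRIPT.search(data):
        findings.append("x-php-script-element")
    for blob in B64_RUN.finditer(data):               # decode long base64 runs and re-check
        try:
            decoded = base64.b64decode(blob.group(0), validate=True)
        except ValueError:                            # binascii.Error: not valid base64 after all
            continue
        if PHP_OPEN.search(decoded) or SHORT_OPEN.search(decoded):
            findings.append("base64-encoded-php")
            break
    return findings

def scan_uploads(root: str) -> dict[str, list[str]]:
    """Walk an uploads tree; report SVGs with findings and any stray PHP source files."""
    hits = {}
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        suffix = path.suffix.lower()
        if suffix in (".php", ".phtml", ".phar"):      # PHP source has no business in uploads
            hits[str(path)] = ["php-file-in-uploads"]
        elif suffix == ".svg" and (found := scan_svg_bytes(path.read_bytes())):
            hits[str(path)] = found
    return hits

# Constructed sample bodies (not real artefacts) covering each check above.
SVG_HEAD = b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg">'
SAMPLES = {
    "clean": SVG_HEAD + b'<circle r="1"/></svg>',
    "inline-php": SVG_HEAD + b'<?php /* constructed marker */ ?></svg>',
    "x-php-script": SVG_HEAD + b'<script type="application/x-php">/* c */</script></svg>',
    "base64-php": SVG_HEAD + b"<desc>" + base64.b64encode(b"<?php /* constructed marker */ ?>") + b"</desc></svg>",
}

def scan_samples() -> dict[str, list[str]]:
    return {name: scan_svg_bytes(body) for name, body in SAMPLES.items()}
```

The base64 check is a heuristic: it only decodes runs of 40 or more alphabet characters, so shorter encoded fragments are left to the plain-text checks, and a hit from scan_uploads("/var/www/html/wp-content/uploads") is a file to quarantine and review rather than proof of compromise on its own.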
Patch Information
Artbees published the fix in WordPress plugin changeset 3231122, modifying includes/extensions/raven/includes/modules/forms/classes/ajax-handler.php and includes/extensions/raven/includes/modules/video/widgets/video.php. Refer to the WordPress Plugin Change Log for ajax-handler.php and the WordPress Plugin Change Log for video.php for the exact code changes.
Workarounds
- Restrict the Contributor role from creating forms or uploading media until the patch is applied
- Disable SVG uploads at the web server or WordPress level using MIME type filters
- Deploy a web application firewall rule blocking requests to admin-ajax.php with Raven form actions originating from non-administrator accounts
- Configure PHP to disallow execution within the wp-content/uploads/ directory via .htaccess or equivalent web server configuration
# Apache configuration example to block PHP execution in uploads.
# This denies direct requests for PHP and SVG files under uploads (matching the
# "disable SVG uploads" workaround above); it does not stop the plugin's own
# include() of an already-uploaded file, so applying the patch is still required.
<Directory /var/www/html/wp-content/uploads>
    <FilesMatch "\.(php|phtml|phar|svg)$">
        Require all denied
    </FilesMatch>
    # php_admin_flag is a mod_php directive; if PHP runs under PHP-FPM, Apache
    # rejects it, so drop this line there and rely on the FilesMatch block above.
    php_admin_flag engine off
</Directory>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

