Full Report
A flaw in the Jupiter X Core plugin has been identified, allowing upload of malicious SVG files and remote code execution on vulnerable servers.
Analysis Summary
# Vulnerability: Jupiter X Core Plugin Arbitrary File Upload Leading to RCE
## CVE Details
- CVE ID: CVE-2025-0366
- CVSS Score: 8.8 (High)
- CWE: Missing or Inadequate Server-Side Input Validation (Inferred - related to improper file upload/sanitization)
## Affected Systems
- Products: Jupiter X Core WordPress Plugin (developed by Artbees)
- Versions: Prior to 4.8.8
- Configurations: Applicable to WordPress installations using the affected plugin version. Requires an authenticated attacker with Contributor-level privileges or higher.
## Vulnerability Description
The vulnerability stems from improper sanitization of SVG file uploads combined with the plugin's use of the `get_svg()` function. This flaw allows an attacker who is authenticated as a Contributor (or higher role) to upload a specially crafted SVG file containing embedded PHP code. The subsequent execution path via `get_svg()` allows the attacker to include and execute arbitrary PHP code on the server, leading to Remote Code Execution (RCE).
## Exploitation
- Status: Not explicitly stated as exploited in the wild, but the potential for RCE makes it a high-risk target. PoC development is implied by the researcher's detailed report.
- Complexity: Requires authenticated access (Contributor level or above).
- Attack Vector: Network (via file upload mechanism).
## Impact
- Confidentiality: High (Arbitrary code execution can lead to data exfiltration).
- Integrity: High (Ability to modify or execute arbitrary system files).
- Availability: High (Potential for server shutdown or disruption).
## Remediation
### Patches
- Vendor: Artbees
- Patch Version: Update Jupiter X Core to version **4.8.8** or later.
### Workarounds
- Disable file uploads for users with Contributor privileges or lower, if possible, within the scope of the plugin's functionality.
- Regularly audit installed plugins and remove any unused or outdated installations to reduce the overall attack surface.
- Enable automatic updates for plugins and themes.
## Detection
- **Indicators of Compromise:** Look for unexpected execution of PHP code during file processing or unexpected web shell artifacts, particularly originating from SVG file upload handling routines within the Jupiter X Core plugin's codebase or temporary directories.
- **Detection Methods and Tools:** Web Application Firewalls (WAFs) configured to inspect the contents of uploaded files, especially SVG files, for embedded script or PHP tags. File integrity monitoring (FIM) on plugin folders.
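
The content inspection described above can also be run offline against files already on disk. The following is an added example, not code from Artbees, Wordfence, or the plugin: it walks a directory tree and flags `.svg` files whose raw bytes contain a PHP-style open tag. The function names, the sample files, and the assumption that uploaded SVGs sit under the WordPress uploads directory are illustrative; the pattern is a triage heuristic, not the vendor's fix.

```python
import re
import tempfile
from pathlib import Path

# Any processing instruction other than <?xml ...?> / <?xml-stylesheet ...?>.
# This covers "<?php", "<?=" and the bare short tag "<?". Matching is done on
# raw bytes because the PHP interpreter does not care about the XML encoding.
PHP_OPEN_TAG = re.compile(rb"<\?(?!xml\b)", re.IGNORECASE)


def find_php_tags(data: bytes):
    """Return (line_number, snippet) for each PHP-style open tag in raw bytes."""
    hits = []
    for m in PHP_OPEN_TAG.finditer(data):
        line_no = data.count(b"\n", 0, m.start()) + 1
        snippet = data[m.start():m.start() + 40].decode("ascii", "replace")
        hits.append((line_no, snippet.splitlines()[0]))
    return hits


def scan_uploads(root):
    """Map each flagged .svg path under root (relative, POSIX form) to its hits."""
    root = Path(root)
    flagged = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() == ".svg":
            hits = find_php_tags(path.read_bytes())
            if hits:
                flagged[path.relative_to(root).as_posix()] = hits
    return flagged


def demo():
    """Run the scan over two constructed files in a temporary directory."""
    clean = b'<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg"/>\n'
    tainted = (b'<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg">\n'
               b'<?php /* constructed marker */ ?>\n</svg>\n')
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "2025" / "01").mkdir(parents=True)
        (Path(tmp) / "2025" / "01" / "logo.svg").write_bytes(clean)
        (Path(tmp) / "2025" / "01" / "icon.SVG").write_bytes(tainted)
        return scan_uploads(tmp)


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits)
```

To check a real site, call `scan_uploads()` on the uploads directory (assumed here to be `wp-content/uploads`) and review every hit by hand, since an SVG may legitimately carry other XML processing instructions.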
## References
- Vendor Advisory (Artbees): The patch was released on January 29, 2025.
- Security Researcher Disclosure: Wordfence (Reported January 6, 2025).
- Infosecurity Magazine: hxxps://www.infosecurity-magazine.com/news/wordpress-plugin-flaw-exposes/ (Article date: Feb 19, 2025)