CVE-2025-0366
Published: 01 February 2025
Summary
CVE-2025-0366 is a high-severity file inclusion vulnerability in the Artbees Jupiter X Core plugin for WordPress, classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program, also known as 'PHP Remote File Inclusion'); the NVD entry describes it as a Local File Inclusion that leads to Remote Code Execution. Its CVSS v3.1 base score is 8.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190), although it still requires an authenticated account at Contributor level or above. The CVE ranks in the top 29.2% of CVEs by exploit likelihood, and it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): updating Jupiter X Core to a version later than 4.8.7, which carries the fix to get_svg() published in WordPress plugin trac changesets such as 3231122, removes the LFI-to-RCE flaw outright.
SI-10 (Information Input Validation): validating the path handed to get_svg() (only expected SVG assets under a fixed directory) and the content of uploaded SVG files before they are processed prevents attacker-supplied files containing PHP code from being included and executed.
AC-6 (Least Privilege): restricting the ability to create SVG-accepting forms, upload SVG files and embed them in posts to roles above Contributor blocks the low-privilege exploitation path described in the NVD entry.
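To make the SI-10 point concrete, the following is an added illustration, not code from Jupiter X Core (whose actual get_svg() implementation is not reproduced on this page) and not the vendor's patch. It contrasts the include-based SVG helper shape that CWE-98 describes with a hardened version that confines the file to a fixed base directory, rejects traversal, reads the file as data instead of executing it, and refuses content carrying PHP open tags. Function names, the base directory and the fixture files are assumptions.

```php
<?php
// Illustrative CWE-98 pattern and its hardened counterpart.
// Assumed example code: NOT the Jupiter X Core get_svg() implementation.

// Vulnerable shape: inlining an SVG by include'ing it means any PHP tag
// inside the file is executed. If the path can be steered to an uploaded
// SVG that contains <?php ... ?>, local file inclusion becomes code execution.
function get_svg_vulnerable(string $path): string
{
    ob_start();
    include $path;                 // executes any PHP embedded in the "SVG"
    return (string) ob_get_clean();
}

// Hardened shape (assumed design, not the vendor's patch):
//  1. Caller supplies a bare file name; separators and traversal are rejected.
//  2. realpath() of base + name must stay inside the fixed base directory.
//  3. The file is read as data with file_get_contents(), never include'd,
//     so PHP tags inside it are inert text.
//  4. Content carrying processing instructions other than <?xml, or a
//     <script> element, is refused outright as defence in depth.
function get_svg_hardened(string $name, string $baseDir): ?string
{
    $base = realpath($baseDir);
    if ($base === false || !preg_match('/^[A-Za-z0-9_-]+\.svg$/', $name)) {
        return null;
    }
    $resolved = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($resolved === false || !is_file($resolved)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        return null;                // resolved outside the base directory (symlink etc.)
    }
    $data = file_get_contents($resolved);
    if ($data === false || preg_match('/<\?(?!xml\b)|<script\b/i', $data)) {
        return null;                // PHP open tag or script element present
    }
    return $data;
}

// Constructed fixtures in a temporary directory (sample data, not real uploads).
$dir = sys_get_temp_dir() . '/svg_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents("$dir/icon.svg", '<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>');
file_put_contents("$dir/evil.svg", '<svg xmlns="http://www.w3.org/2000/svg"><?php echo "code ran"; ?></svg>');

echo get_svg_vulnerable("$dir/evil.svg"), "\n";  // the include executes the embedded PHP
var_dump(get_svg_hardened('icon.svg', $dir));    // benign markup; the <?xml declaration is allowed
var_dump(get_svg_hardened('evil.svg', $dir));    // refused by the PHP-open-tag check
var_dump(get_svg_hardened('../evil.svg', $dir)); // refused by the file-name pattern

unlink("$dir/icon.svg"); unlink("$dir/evil.svg"); rmdir($dir);
```

The essential change is the third point: once the SVG is read with file_get_contents() and emitted as markup, a PHP tag inside an upload is just text, and the path checks then only serve to keep the helper from disclosing files it was never meant to serve.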
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The flaw is an authenticated LFI-to-RCE in a public-facing WordPress plugin, so exploitation is T1190 (Exploit Public-Facing Application). The uploaded SVG carrying PHP that is then included and executed on the server functions as a web shell, which maps to T1505.003 (Server Software Component: Web Shell).
NVD Description
The Jupiter X Core plugin for WordPress is vulnerable to Local File Inclusion to Remote Code Execution in all versions up to, and including, 4.8.7 via the get_svg() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution. In this specific case, an attacker can create a form that allows SVG uploads, upload an SVG file with malicious content and then include the SVG file in a post to achieve remote code execution. This means it is relatively easy to gain remote code execution as a contributor-level user and above by default.
Deeper analysis
CVE-2025-0366 is a Local File Inclusion vulnerability leading to Remote Code Execution in the Jupiter X Core plugin for WordPress, affecting all versions up to and including 4.8.7. The flaw resides in the get_svg() function, which enables the inclusion and execution of arbitrary files on the server. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-98.
Authenticated attackers with Contributor-level access or higher can exploit this vulnerability to achieve remote code execution. The attack involves creating a form that permits SVG uploads, uploading an SVG file embedded with malicious PHP code, and then including that SVG file in a post via the vulnerable function. This grants the ability to execute arbitrary PHP code, bypass access controls, and obtain sensitive data.
Patches addressing this issue are available in WordPress plugin trac changesets such as 3231122, which modify files including ajax-handler.php in the raven forms module and video.php in the video widgets module of jupiterx-core. Further details on the vulnerability and the exploitation chain are provided in advisories from Wordfence and from the security researcher Stealthcopter at the referenced URLs.
Details
- CWE(s)