CVE-2025-0366
Published: 01 February 2025
Summary
CVE-2025-0366 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability in Artbees Jupiter X Core. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 28.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The Jupiter X Core plugin for WordPress is vulnerable to local file inclusion that leads to remote code execution in all versions through 4.8.7. The flaw resides in the get_svg() function and is tracked as CWE-98. It carries a CVSS 3.1 score of 8.8.
Authenticated users with Contributor privileges or higher can exploit the issue by creating a form that accepts SVG uploads, uploading a file containing malicious PHP, and then referencing that file inside a post. Successful exploitation grants the ability to include and execute arbitrary server-side files, bypassing access controls and obtaining code execution.
Public references include WordPress plugin-trac changesets that address the vulnerable code paths in ajax-handler.php and video.php, together with analysis published by Stealthcopter and a detailed entry from Wordfence.
The associated EPSS score rose from a low baseline to a recorded peak of 0.0121, indicating that exploitation interest increased after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-1629
Vulnerability details
The Jupiter X Core plugin for WordPress is vulnerable to Local File Inclusion to Remote Code Execution in all versions up to, and including, 4.8.7 via the get_svg() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution. In this specific case, an attacker can create a form that allows SVG uploads, upload an SVG file with malicious content and then include the SVG file in a post to achieve remote code execution. This means it is relatively easy to gain remote code execution as a contributor-level user and above by default.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct LFI-to-RCE in a public-facing WordPress plugin enables T1190 exploitation and T1505.003 web shell deployment via malicious SVG/PHP upload and inclusion.
Mitigating Controls (NIST 800-53 r5)
Timely patching of the Jupiter X Core plugin flaw in get_svg() via the available changesets, such as 3231122, directly eliminates the LFI to RCE vulnerability.
Information input validation on SVG files before processing by get_svg() prevents inclusion and execution of arbitrary PHP code embedded in uploads.
Least privilege enforcement restricts SVG upload and post inclusion capabilities to higher roles than Contributor, blocking low-privileged exploitation.
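The input-validation control above (SI-10) amounts to one rule: a path influenced by an uploader must never reach include() or require(), because PHP executes any <?php block it finds in the included file regardless of extension. The following is an added illustration, not Jupiter X Core code and not the patched get_svg(): a hypothetical helper safe_load_svg() that confines the request to an allowlisted directory, accepts only .svg names, reads the file as data instead of including it, and refuses content carrying PHP open tags. The directory layout and the two sample files are constructed for the demo.

```php
<?php
// Added example, not the plugin's code. safe_load_svg() is a hypothetical
// helper showing how an SVG fetch can be written so that a Contributor-
// controlled file name can never be executed by the PHP engine.

function safe_load_svg(string $requested, string $allowed_dir): ?string
{
    // 1. Canonicalise both paths; realpath() returns false for a missing file.
    //    basename() strips any directory component the caller supplied.
    $base = realpath($allowed_dir);
    $real = realpath($allowed_dir . DIRECTORY_SEPARATOR . basename($requested));
    if ($base === false || $real === false) {
        return null;
    }
    // 2. Confine the resolved file to the allowed directory; this also catches
    //    symlinks inside the upload directory that point elsewhere.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    // 3. Accept only the .svg extension (case-insensitive).
    if (strtolower(pathinfo($real, PATHINFO_EXTENSION)) !== 'svg') {
        return null;
    }
    // 4. Read the file as data. include()/require() would execute any
    //    <?php block embedded in the upload; file_get_contents() cannot.
    $data = file_get_contents($real);
    if ($data === false) {
        return null;
    }
    // 5. Defence in depth: reject content with PHP open tags or without an
    //    <svg> root, so a stray include elsewhere still has nothing to run.
    if (stripos($data, '<?php') !== false
        || strpos($data, '<?=') !== false
        || stripos($data, '<svg') === false) {
        return null;
    }
    return $data;
}

// Constructed demo: a benign icon and an "SVG" that carries a PHP marker.
$dir = sys_get_temp_dir() . '/svg_demo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/logo.svg",
    '<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>');
file_put_contents("$dir/bad.svg",
    '<svg xmlns="http://www.w3.org/2000/svg"><?php echo "marker"; ?></svg>');

var_dump(safe_load_svg('logo.svg', $dir) !== null);   // benign file is returned
var_dump(safe_load_svg('bad.svg', $dir));             // PHP tag present: rejected
var_dump(safe_load_svg('../../etc/passwd', $dir));    // traversal: rejected
var_dump(safe_load_svg('logo.svg.php', $dir));        // wrong extension: rejected

array_map('unlink', glob("$dir/*"));
rmdir($dir);
```

Run it with the PHP CLI (php safe_load_svg.php). The design point is step 4: the extension and content checks reduce risk, but the control that actually closes the LFI-to-RCE path is never handing the resolved name to include(). The least-privilege control (AC-6) is complementary and sits outside this function, in the capability check that decides whether a Contributor may create an upload form at all.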