Cyber Resilience

CVE-2025-2105

High · RCE

Published: 26 April 2025
Modified: 06 May 2025
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0092 (76.4th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-2105 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Artbees Jupiter X Core. Its CVSS base score is 8.1 (High).

Operationally, it ranks in the top 23.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

The Jupiter X Core plugin for WordPress is vulnerable to PHP Object Injection in all versions through 4.8.11. The flaw exists in the raven_download_file function, which performs deserialization on untrusted input supplied via the file parameter and accepts a PHAR file. No POP chain is present in the plugin itself, so the issue produces no direct impact unless another plugin or theme on the same site supplies a usable chain. The vulnerability is tracked as CWE-502 and carries a CVSS 3.1 score of 8.1.

Unauthenticated attackers can exploit the flaw when a form containing the file-download action is present on the site and file-upload capability is also enabled; otherwise, Contributor-level users and higher can create the required form. Successful exploitation with a suitable POP chain can result in arbitrary file deletion, sensitive-data disclosure, or remote code execution.

A patch addressing the deserialization issue appears in changeset 3279676 on the WordPress plugin repository. Site operators are advised to update Jupiter X Core to the newest release; the Wordfence advisory further recommends reviewing installed plugins and themes for any that may introduce POP chains.
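One way to refuse PHAR and other stream-wrapper input before it reaches any filesystem call, shown as an added example that is not Jupiter X Core's code or the content of the patch. The function name `safe_download_path`, the base-directory policy and the sample paths are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not the plugin's code: returns the resolved path when
// a user-supplied "file" value is safe to read, or null when it must be refused.
function safe_download_path(string $file, string $baseDir): ?string
{
    // Refuse before ANY filesystem call: on PHP < 8.0, functions such as
    // file_exists() or filesize() on a phar:// URL unserialize the archive's
    // metadata, which is how a PHAR file becomes an object injection.
    if ($file === '' || strpos($file, "\0") !== false) {
        return null;
    }
    // Blocks phar://, php://, compress.zlib://phar://... and any scheme:// URL.
    if (strpos($file, '://') !== false) {
        return null;
    }
    $base = realpath($baseDir);
    $real = realpath($file);
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    // Confine downloads to the allowed directory (assumed policy).
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed demo input: a temporary directory holding one harmless file.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dl_demo_' . bin2hex(random_bytes(4));
mkdir($base);
file_put_contents($base . '/report.pdf', 'demo');

$cases = [
    $base . '/report.pdf',                          // plain path inside base
    'phar://' . $base . '/report.pdf/x',            // PHAR wrapper
    'compress.zlib://phar://' . $base . '/a.phar',  // nested wrapper
    $base . '/../outside.txt',                      // escapes the base directory
];
foreach ($cases as $case) {
    $verdict = safe_download_path($case, $base) === null ? 'rejected' : 'allowed';
    printf("%-8s %s\n", $verdict, $case);
}

unlink($base . '/report.pdf');
rmdir($base);
```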

EPSS for the CVE rose from a low baseline to a peak of 0.0257 on 2026-02-20 before receding, indicating that exploitation interest increased after public disclosure.

Vulnerability details

The Jupiter X Core plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.8.11 via deserialization of untrusted input from the 'file' parameter of the 'raven_download_file' function. This makes it possible for attackers to inject a PHP Object through a PHAR file. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. This vulnerability may be exploited by unauthenticated attackers when a form is present on the site with the file download action, and the ability to upload files is also present. Otherwise, this would be considered exploitable by Contributor-level users and above, because they could create the form needed to successfully exploit this.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

artbees
jupiter x core
≤ 4.8.12

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-502

Penetration testing supplies malicious serialized objects, detecting unsafe deserialization and supporting corrective actions.

addresses: CWE-502

Evaluation of untrusted data handling (deserialization testing) reveals unsafe processing, which the required remediation process addresses.

addresses: CWE-502

Untrusted serialized data can be deserialized and observed inside the chamber, blocking gadget-chain exploitation outside the sandbox.

addresses: CWE-502

Validates or rejects untrusted serialized data before deserialization occurs.

addresses: CWE-502

Identifies and blocks malicious code introduced through deserialization of untrusted data at system boundaries.

addresses: CWE-502

Integrity verification of serialized information can detect tampering before deserialization occurs.

addresses: CWE-502

Provenance of associated data allows detection of untrusted sources before deserialization or processing occurs.
