
A critical vulnerability exists in the Jupiter X Core plugin for WordPress, which is installed on more than 90,000 websites. The flaw allows an authenticated attacker with contributor privileges or higher to upload a malicious SVG file and execute code remotely on the server. It has been assigned a CVSS score of 8.8 (high severity).
The root cause is insufficient validation of uploaded SVG files in the plugin's get_svg() function, which lets an attacker get past the upload checks. A crafted SVG file can carry embedded PHP code; when that file is later processed through get_svg(), the code runs and gives access to server resources. An authenticated user with only contributor rights can therefore escalate privileges, execute arbitrary code on the server, read sensitive data, or bypass access restrictions.
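To make the weakness concrete, the following is an added example (written for this article; it is not Jupiter X Core's code, not the get_svg() function, and not Artbees' fix). It contrasts a file-name-only SVG check, which accepts an SVG that doubles as a PHP file, with a stricter check that parses the content and rejects PHP open tags, processing instructions, DOCTYPEs and active SVG content. The function names, the two sample files and the allow/deny rules are all assumptions made for the illustration; the only real remediation for the plugin is the vendor update.

```php
<?php
// Added example, not the plugin's own code: weak vs. strict SVG validation.
// Function names and policy are hypothetical choices for this illustration.

// Constructed sample 1: a valid SVG that is also a valid PHP file.
// `<?php ... ?>` is a legal XML processing instruction, so an XML parser
// will happily accept it, while a PHP interpreter would execute it.
$maliciousSvg = <<<'SVG'
<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4"/>
  <?php echo shell_exec($_GET['c']); ?>
</svg>
SVG;

// Constructed sample 2: a benign SVG.
$benignSvg = <<<'SVG'
<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4"/>
</svg>
SVG;

// Weak check: trusts only the file name. Both samples pass.
function weak_is_svg(string $filename): bool
{
    return strtolower(pathinfo($filename, PATHINFO_EXTENSION)) === 'svg';
}

// Strict check: inspect the bytes and the parsed tree, not the name.
function strict_is_svg(string $content): bool
{
    // Any PHP open tag anywhere in the bytes is disqualifying,
    // regardless of whether the XML around it is well-formed.
    if (preg_match('/<\?(php|=)/i', $content)) {
        return false;
    }

    $prev = libxml_use_internal_errors(true);
    $dom  = new DOMDocument();
    // LIBXML_NONET blocks network access during parsing; LIBXML_NOENT is
    // deliberately not set, so external entities are never expanded.
    $ok = $dom->loadXML($content, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok || $dom->documentElement === null) {
        return false;
    }

    // The root must be <svg> in the SVG namespace; anything else is not an image.
    $root = $dom->documentElement;
    if ($root->localName !== 'svg' || $root->namespaceURI !== 'http://www.w3.org/2000/svg') {
        return false;
    }

    // Reject DOCTYPEs (entity tricks) and top-level processing instructions.
    // The <?xml ...?> declaration is not a node, so it does not trip this.
    foreach ($dom->childNodes as $node) {
        if ($node->nodeType === XML_PI_NODE || $node->nodeType === XML_DOCUMENT_TYPE_NODE) {
            return false;
        }
    }

    $xpath = new DOMXPath($dom);
    $xpath->registerNamespace('svg', 'http://www.w3.org/2000/svg');
    // Processing instructions anywhere in the tree (e.g. <?php ?> nested in an element).
    if ($xpath->query('//processing-instruction()')->length > 0) {
        return false;
    }
    // Active content: scripts, foreignObject (arbitrary HTML), on* event handlers.
    $active = '//svg:script | //svg:foreignObject | //@*[starts-with(name(), "on")]';
    if ($xpath->query($active)->length > 0) {
        return false;
    }
    return true;
}

// Run the two policies against both constructed samples.
var_dump(weak_is_svg('avatar.svg'));
var_dump(strict_is_svg($benignSvg));
var_dump(strict_is_svg($maliciousSvg));
```

The byte-level regex runs before parsing on purpose: a file only needs to reach the PHP interpreter, not an XML parser, to do damage, so the decision to reject must not depend on the document being well-formed XML. Content validation of this kind is a defence-in-depth measure; it does not replace updating the plugin.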
The vulnerability was discovered by the researcher stealthcopter on January 6, 2025 and reported through the Wordfence Bug Bounty Programme, earning a reward of $782. The plugin's developer, Artbees, released version 4.8.8 on January 29, 2025, which fixes the issue.
Summary
Jupiter X Core users are urgently advised to update the plugin to version 4.8.8 or later. Site owners should also enable auto-updates for plugins and themes, regularly scan installed extensions, and remove outdated or unnecessary modules to reduce the attack surface.