📢 Did you know Wordfence runs a Bug Bounty Program for all WordPress plugins and themes at no cost to vendors? Researchers can earn up to $31,200 per vulnerability, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest.
On January 6th, 2025, we received a submission for an SVG Upload to Local File Inclusion vulnerability in Jupiter X Core, a WordPress plugin with more than 90,000 active installations. This vulnerability makes it possible for an authenticated attacker, with contributor privileges or higher, to upload SVG files to a vulnerable site with malicious content and then include it, and achieve remote code execution.
Props to stealthcopter who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $782.00 for this discovery. Our mission is to Secure the Web, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure, which ultimately makes the entire web more secure.
Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on January 13, 2025. Sites using the free version of Wordfence received the same protection 30 days later on February 12, 2025.
We provided full disclosure details to the Artbees team on January 9, 2025. The developer released a patch on January 29, 2025. We would like to commend the Artbees team for their prompt response and timely patch.
We urge users to update their sites with the latest patched version of Jupiter X Core, which is version 4.8.8, as soon as possible.
Vulnerability Summary from Wordfence Intelligence
Affected Plugin: Jupiter X Core
Plugin Slug: jupiterx-core
Affected Versions: <= 4.8.7
CVE ID: CVE-2025-0366
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Researcher/s: stealthcopter
Fully Patched Version: 4.8.8
Bounty Award: $782.00
The Jupiter X Core plugin for WordPress is vulnerable to Local File Inclusion to Remote Code Execution in all versions up to, and including, 4.8.7 via the get_svg() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution. In this specific case, an attacker can create a form that allows SVG uploads, upload an SVG file with malicious content and then include the SVG file in a post to achieve remote code execution. This means it is relatively easy to gain remote code execution as a contributor-level user and above by default.
Technical Analysis
Jupiter X Core is a WordPress plugin that provides the core functionality for the Jupiter X premium theme.
Examining the code reveals that the plugin uses the upload_files() function in the Ajax_Handler class to upload certain types of files to the forms, including .svg files.
The filename is randomized using the uniqid() function; however, this function derives its value from the server's microtime, so if the exact time of upload is known, the generated filename can be predicted.
$filename = uniqid() . '.' . $file_extension;
$move_new_file = @move_uploaded_file( $file['tmp_name'], $new_file );
The Advanced Video Elementor widget, in the render() function of the Video class, uses the get_svg() method to include .svg files.
<?php include Utils::get_svg( 'frame-' . $settings['device_frame'] ); ?>
public static function get_svg( $file_name = '' ) {
    if ( empty( $file_name ) ) {
        return $file_name;
    }
    return Plugin::$plugin_path . 'assets/img/' . $file_name . '.svg';
}
Because the $file_name parameter is concatenated into the include path without any sanitization, an attacker who controls it can include arbitrary local .svg files.
The file upload feature described above performs no content validation or sanitization, allowing .svg files with any content to be uploaded, including those containing <?php tags.
Chaining the two vulnerabilities together means that the threat actor can upload a .svg file with malicious content and then include it to achieve remote code execution on the server. While we do not expect this vulnerability to be widely exploited due to the minimum user-level requirement, vulnerabilities allowing for the upload of .svg files are usually limited to Cross-Site Scripting payloads and don't typically allow remote code execution via file upload, which makes this vulnerability particularly interesting. We'd like to provide kudos to the researcher stealthcopter for thinking outside of the box and chaining what may be considered two lower impact issues to achieve remote code execution.
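For defenders reading the analysis above, here is what hardened counterparts to the three weak spots (the unsanitized include path in get_svg(), the unvalidated SVG upload, and the uniqid()-based filename) could look like. This is an added example written for this post, not the plugin's own code; the function names jx_safe_get_svg(), jx_is_clean_svg() and jx_random_filename() are hypothetical, and the identifier-only pattern for frame names is an assumption.

```php
<?php
// Added example (not Jupiter X Core code). Function names are hypothetical.

/**
 * Resolve a frame SVG by name, restricted to files that actually exist inside
 * the plugin's assets/img/ directory. Returns '' if the name is not a plain
 * identifier or the resolved path escapes that directory.
 */
function jx_safe_get_svg( string $plugin_path, string $file_name ): string {
    // Allowlist pattern (assumption): names like "frame-iphone-x". This rejects
    // "../", "/", null bytes and anything else usable for path traversal.
    if ( ! preg_match( '/^[a-z0-9_-]+$/i', $file_name ) ) {
        return '';
    }
    $base = realpath( $plugin_path . 'assets/img' );
    $path = realpath( $base . '/' . $file_name . '.svg' );
    // realpath() returns false for missing files and normalises any traversal,
    // so a prefix check against the asset directory is the authoritative test.
    if ( false === $base || false === $path
        || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        return '';
    }
    return $path;
}

/**
 * Content check for an uploaded SVG: reject any PHP open tag or processing
 * instruction other than the XML declaration, then require that the document
 * parses as XML with an <svg> root. Run this before move_uploaded_file().
 */
function jx_is_clean_svg( string $contents ): bool {
    if ( preg_match( '/<\?(?!xml\s)/i', $contents ) ) {
        return false; // catches "<?php", "<?=", and short "<?" tags
    }
    $prev = libxml_use_internal_errors( true );
    $doc  = simplexml_load_string( $contents, 'SimpleXMLElement', LIBXML_NONET );
    libxml_use_internal_errors( $prev );
    return false !== $doc && 'svg' === $doc->getName();
}

/**
 * Unpredictable stored filename: uniqid() is derived from microtime(), whereas
 * random_bytes() draws from the operating system's CSPRNG.
 */
function jx_random_filename( string $extension ): string {
    return bin2hex( random_bytes( 16 ) ) . '.' . $extension;
}
```

Even with the upload check in place, keeping the include path bound to the plugin's own asset directory is what actually removes the inclusion vector; the content check only reduces what a bypass could achieve.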
Disclosure Timeline
January 6, 2025 – We received the submission for the SVG Upload to Local File Inclusion vulnerability in Jupiter X Core via the Wordfence Bug Bounty Program.
January 9, 2025 – We validated the report and confirmed the proof-of-concept exploit.
January 9, 2025 – We sent over the full disclosure details to the vendor. The vendor acknowledged the report and began working on a fix.
January 13, 2025 – Wordfence Premium, Care, and Response users received a firewall rule to provide protection against any exploits that may target this vulnerability.
January 29, 2025 – The fully patched version of the plugin, 4.8.8, was released.
February 12, 2025 – Wordfence Free users received the same protection.
Conclusion
In this blog post, we detailed an SVG Upload to Local File Inclusion vulnerability within the Jupiter X Core plugin affecting versions 4.8.7 and earlier. This vulnerability allows authenticated threat actors with contributor-level permissions or higher to execute malicious code on the server. The vulnerability has been addressed in version 4.8.8 of the plugin.
We encourage WordPress users to verify that their sites are updated to the latest patched version of Jupiter X Core.
Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on January 13, 2025. Sites using the free version of Wordfence received the same protection 30 days later on February 12, 2025.
If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.
The post Creative SVG File Upload to Local File Inclusion Vulnerability Affecting 90,000 Sites Patched in Jupiter X Core WordPress Plugin appeared first on Wordfence.