Description
The Jupiter X Core plugin for WordPress is vulnerable to Local File Inclusion to Remote Code Execution in all versions up to, and including, 4.8.7 via the get_svg() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution. In this specific case, an attacker can create a form that allows SVG uploads, upload an SVG file with malicious content and then include the SVG file in a post to achieve remote code execution. This means it is relatively easy to gain remote code execution as a contributor-level user and above by default.
Published: 2025-02-01
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

The Jupiter X Core WordPress plugin contains a Local File Inclusion vulnerability (CWE-98) in its get_svg() function that lets authenticated users with the Contributor role or higher include arbitrary files on the server. An attacker uploads an SVG whose bytes contain a PHP block and references it from a post; because the file is handed to PHP's include mechanism rather than read as data, every <?php ... ?> block in it runs, regardless of whether the rest of the file is well-formed SVG. The result is arbitrary PHP execution as the web server user, which can be used to bypass access controls, read sensitive data (the database credentials in wp-config.php, for example), and take full control of the site.
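
A hunt for SVG uploads that carry PHP, added here as an example; it is not OpenCVE, Wordfence or Artbees code. It scans raw bytes instead of parsing XML, because include() executes every PHP block in a file wherever it sits (inside an XML comment, after the closing </svg> tag, or in a file that is not valid XML at all). The uploads layout and the sample files are constructed for the example.

```python
import os
import re
import tempfile
from typing import Optional, Tuple

# High confidence: a full "<?php" or echo "<?=" tag. Low confidence: a bare "<?"
# followed by whitespace, which PHP only honours when short_open_tag is on.
# "<?xml" is an ordinary XML declaration and is deliberately not matched.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
SHORT_TAG = re.compile(rb"<\?(?=\s)")


def scan_bytes(data: bytes) -> Optional[Tuple[str, int]]:
    """Return (confidence, byte offset) of the first PHP open tag, or None."""
    m = PHP_TAG.search(data)
    if m:
        return "high", m.start()
    m = SHORT_TAG.search(data)
    if m:
        return "low", m.start()
    return None


def scan_uploads(root: str) -> list:
    """Walk an uploads tree and report every file containing a PHP open tag.
    Uploads should never hold PHP, so .php files are reported as well."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                hit = scan_bytes(fh.read())
            if hit:
                findings.append({
                    "path": os.path.relpath(path, root).replace(os.sep, "/"),
                    "confidence": hit[0],
                    "offset": hit[1],
                })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree() -> str:
    """Constructed sample uploads directory (hypothetical, for this example)."""
    root = tempfile.mkdtemp(prefix="wp-uploads-")
    samples = {
        # Clean: the "<?xml" declaration must not trigger a finding.
        "2025/01/logo.svg": b'<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>\n',
        # PHP hidden in an XML comment: invisible to a renderer, executed by include().
        "2025/01/avatar.svg": b'<svg xmlns="http://www.w3.org/2000/svg">\n<!-- <?php echo "marker"; ?> -->\n</svg>\n',
        # PHP after the closing tag, mixed-case open tag.
        "2025/01/trailer.svg": b'<svg xmlns="http://www.w3.org/2000/svg"/>\n<?PHP echo "marker"; ?>\n',
        # Short tag: only live with short_open_tag=On, so reported as low confidence.
        "2025/02/notes.txt": b"release notes\n<? echo 1; ?>\n",
        # Binary image with no tags at all.
        "2025/02/photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for finding in scan_uploads(build_sample_tree()):
        print(f"{finding['confidence']:5} {finding['path']} @ byte {finding['offset']}")
```

Point scan_uploads() at wp-content/uploads on a site that ran a vulnerable version. A high-confidence hit in an SVG is either a planted payload or a test artefact and should be tied back to the WordPress account that uploaded it (the attachment's post_author) and to that account's role. Low-confidence hits only matter if short_open_tag is enabled in the site's PHP configuration.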

Affected Systems

Every Artbees Jupiter X Core plugin version up to and including 4.8.7 is affected (CPE cpe:2.3:a:artbees:jupiter_x_core:*:*:*:*:*:wordpress:*:*). No other plugins or products are listed as impacted.

Risk and Exploitability

The CVSS 3.1 score is 8.8 (High), vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: reachable over the network, low attack complexity, no user interaction, and only low privileges required. The EPSS score of about 1% reflects a low but non-zero predicted probability of exploitation in the wild, and the vulnerability is not catalogued in the CISA KEV database. The attack chain is: authenticate as a Contributor, create a form that accepts SVG uploads, upload an SVG whose bytes contain a PHP block, then reference that file from a post so that get_svg() includes it and PHP executes the block. Local File Inclusion is a well-understood weakness (CWE-98), and Contributor is a low-privilege role that many sites hand out to guest authors, so the barrier to exploitation is low.

Generated by OpenCVE AI on April 28, 2026 at 03:43 UTC.

Remediation

No vendor fix or workaround is recorded in this entry; the affected range (all versions up to and including 4.8.7) implies that later releases contain the fix.

OpenCVE Recommended Actions

  • Upgrade Jupiter X Core to 4.8.8 or newer; every version up to and including 4.8.7 is listed as affected.
  • Until the upgrade is in place, do not let Contributor-level users create forms that accept SVG uploads, and disable SVG upload in the plugin's forms entirely if it is not needed. WordPress core does not accept SVG uploads unless a plugin or theme enables them, so any SVG already in wp-content/uploads on a site that ran a vulnerable version is worth inspecting for PHP tags.
  • On the plugin side, get_svg() should never pass a caller-controlled path to include or require: reading the file as data and restricting resolved paths to an allow-listed directory and the .svg extension removes the code-execution path. Tightening file-system permissions does not help here, because the uploaded SVG is written by the same PHP process that later includes it.
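
A Python model of the checks a get_svg()-style helper has to apply before touching a caller-supplied path, added as an example for the third action above; the plugin itself is PHP and its code is not on this page, so this is not the vendor's fix. The names (resolve_svg, get_svg_markup, SvgPolicyError), the probe list and the fixture directory are assumptions made for the example.

```python
import os
import re
import tempfile

# Any PHP open tag ("<?php", "<?=", or a short "<? "); "<?xml" does not match.
PHP_TAG = re.compile(rb"<\?(?:php\b|=|\s)", re.IGNORECASE)


class SvgPolicyError(ValueError):
    """Raised when a requested SVG fails one of the checks below."""


def resolve_svg(uploads_root: str, requested: str) -> str:
    """Canonical path of an SVG inside uploads_root, or SvgPolicyError."""
    if "\x00" in requested:
        raise SvgPolicyError("null byte in path")
    root = os.path.realpath(uploads_root)
    candidate = os.path.realpath(os.path.join(root, requested))
    # Containment after realpath: "../" segments and symlinks are resolved
    # before the comparison, so a link planted inside uploads cannot escape.
    if os.path.commonpath([root, candidate]) != root:
        raise SvgPolicyError("path escapes uploads root")
    # Extension allow-list on the resolved name: "shell.svg.php" ends in .php.
    if not candidate.lower().endswith(".svg"):
        raise SvgPolicyError("not an .svg file")
    if not os.path.isfile(candidate):
        raise SvgPolicyError("no such file")
    return candidate


def get_svg_markup(uploads_root: str, requested: str) -> str:
    """The replacement for include(): read the file as data and hand back
    text, so nothing in it can execute. Refusing files that carry PHP tags
    is defence in depth for any other code path that might still include them."""
    path = resolve_svg(uploads_root, requested)
    with open(path, "rb") as fh:
        data = fh.read()
    if PHP_TAG.search(data):
        raise SvgPolicyError("PHP open tag inside SVG")
    return data.decode("utf-8", errors="replace")


def build_fixture() -> str:
    """Constructed directory layout (hypothetical) holding the inputs an
    attacker would try: a clean SVG, one carrying PHP, a double extension,
    a file outside the root, and a symlink pointing at it."""
    base = tempfile.mkdtemp(prefix="jx-")
    root = os.path.join(base, "uploads", "2025")
    outside = os.path.join(base, "outside")
    os.makedirs(root)
    os.makedirs(outside)
    files = {
        os.path.join(root, "logo.svg"): b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"/>',
        os.path.join(root, "evil.svg"): b'<svg><!-- <?php echo "marker"; ?> --></svg>',
        os.path.join(root, "shell.svg.php"): b'<?php echo "marker"; ?>',
        os.path.join(outside, "secret.svg"): b"<svg/>",
    }
    for path, data in files.items():
        with open(path, "wb") as fh:
            fh.write(data)
    try:
        os.symlink(os.path.join(outside, "secret.svg"), os.path.join(root, "link.svg"))
    except OSError:
        pass  # platform without symlinks: that probe simply reports "no such file"
    return os.path.join(base, "uploads")


REQUESTS = {
    "clean": "2025/logo.svg",
    "php-inside": "2025/evil.svg",
    "double-ext": "2025/shell.svg.php",
    "traversal": "../outside/secret.svg",
    "symlink": "2025/link.svg",
    "null-byte": "2025/logo.svg\x00.php",
}


def run_probes(uploads_root: str) -> dict:
    """Outcome per probe: 'allowed' or the policy error that stopped it."""
    outcomes = {}
    for label, req in REQUESTS.items():
        try:
            get_svg_markup(uploads_root, req)
            outcomes[label] = "allowed"
        except SvgPolicyError as err:
            outcomes[label] = str(err)
    return outcomes


if __name__ == "__main__":
    for label, outcome in run_probes(build_fixture()).items():
        print(f"{label:11} {outcome}")
```

Only the clean request is allowed; every other probe is refused, and the symlink case is refused either because realpath() resolves it outside the root or, on a platform without symlinks, because the file does not exist. The order matters: containment is checked on the resolved path, not on the string the caller sent, which is what defeats both traversal and planted links.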

Advisories
Source | ID | Title
EUVD | EUVD-2025-1629 | The Jupiter X Core plugin for WordPress is vulnerable to Local File Inclusion to Remote Code Execution in all versions up to, and including, 4.8.7 via the get_svg() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution. In this specific case, an attacker can create a form that allows SVG uploads, upload an SVG file with malicious content and then include the SVG file in a post to achieve remote code execution. This means it is relatively easy to gain remote code execution as a contributor-level user and above by default.
History

Wed, 08 Apr 2026 17:00:00 +0000

Type | Values Removed | Values Added
References

Sat, 12 Jul 2025 13:45:00 +0000

Type | Values Removed | Values Added
Metrics | epss {'score': 0.01366} | epss {'score': 0.01119}


Mon, 24 Feb 2025 16:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Artbees; Artbees jupiter X Core
Weaknesses | | NVD-CWE-Other
CPEs | | cpe:2.3:a:artbees:jupiter_x_core:*:*:*:*:*:wordpress:*:*
Vendors & Products | | Artbees; Artbees jupiter X Core

Mon, 03 Feb 2025 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sat, 01 Feb 2025 05:45:00 +0000

Type | Values Removed | Values Added
Description | | The Jupiter X Core plugin for WordPress is vulnerable to Local File Inclusion to Remote Code Execution in all versions up to, and including, 4.8.7 via the get_svg() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution. In this specific case, an attacker can create a form that allows SVG uploads, upload an SVG file with malicious content and then include the SVG file in a post to achieve remote code execution. This means it is relatively easy to gain remote code execution as a contributor-level user and above by default.
Title | | Jupiter X Core <= 4.8.7 - Authenticated (Contributor+) SVG Upload to Local File Inclusion (Remote Code Execution)
Weaknesses | | CWE-98
References
Metrics | | cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:38:01.625Z

Reserved: 2025-01-09T17:09:57.454Z

Link: CVE-2025-0366

Vulnrichment

Updated: 2025-02-03T16:22:39.882Z

NVD

Status : Modified

Published: 2025-02-01T06:15:31.367

Modified: 2026-04-08T17:19:52.930

Link: CVE-2025-0366

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T03:45:20Z

Weaknesses