Description
The Jupiter X Core plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.8.11 via deserialization of untrusted input from the 'file' parameter of the 'raven_download_file' function. This makes it possible for attackers to inject a PHP Object through a PHAR file. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. This vulnerability may be exploited by unauthenticated attackers when a form is present on the site with the file download action, and the ability to upload files is also present. Otherwise, this would be considered exploitable by Contributor-level users and above, because they could create the form needed to successfully exploit this.
Published: 2025-04-26
Score: 8.1 High
EPSS: 2.6% Low
KEV: No
Impact: Potential Remote Code Execution via PHP Object Injection
Action: Patch Immediately
AI Analysis

Impact

The Jupiter X Core plugin for WordPress allows PHP Object Injection through deserialization of input supplied to the 'file' parameter of the 'raven_download_file' function. Because the parameter is not restricted to a plain path, an attacker can point it at a previously uploaded file using the phar:// stream wrapper; PHP then unserializes the archive's metadata and instantiates whatever objects it contains. Deserialization alone does not execute code: the plugin itself contains no known POP (Property-Oriented Programming) chain, so the flaw has no practical impact unless another plugin or theme on the site supplies gadget classes whose magic methods (for example __destruct or __wakeup) perform dangerous operations on attacker-controlled properties. Where such a chain exists, the outcome ranges from arbitrary file deletion and sensitive data disclosure to remote code execution, depending on the gadget. One caveat for triage: PHP 8.0 and later no longer unserialize PHAR metadata automatically on phar:// stream access, which narrows the realistically exposed deployments; the advisory does not qualify the affected range by PHP version.
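As an added illustration (not code from Jupiter X Core, Wordfence or OpenCVE), the following hypothetical download handler shows the vulnerable pattern the description implies beside a hardened version. The function names, the uploads directory, the request parameter and the sample phar:// URL are assumptions for the example; the vulnerable function exists only to show where the deserialization is triggered and must not be deployed.

```php
<?php
// Added example, not Jupiter X Core code. Shows why an attacker-controlled
// 'file' value reaching PHP filesystem functions enables PHAR object
// injection, and one way to harden such a download handler.

// VULNERABLE (hypothetical, do not deploy): the value is used as-is.
// A request such as
//   ?file=phar:///var/www/html/wp-content/uploads/2025/04/upload.jpg/x
// points at a PHAR archive renamed to pass an image upload filter. On PHP
// versions before 8.0 the phar:// wrapper unserializes the archive's
// metadata on the first filesystem call, instantiating attacker-chosen
// objects; whether that does harm depends on gadget classes (a POP chain)
// being loaded by some plugin or theme.
function vulnerable_download(string $file): void
{
    if (!file_exists($file)) {   // <- phar:// metadata is unserialized here
        http_response_code(404);
        return;
    }
    readfile($file);
}

// HARDENED: treat 'file' as an untrusted name relative to $uploads_dir,
// refuse stream wrappers, canonicalise, and serve only regular files
// that resolve inside that directory. Returns false when the request
// should be answered with 404.
function safe_download(string $file, string $uploads_dir): bool
{
    // Empty names and embedded NUL bytes are never valid file names.
    if ($file === '' || strpos($file, "\0") !== false) {
        return false;
    }
    // Reject anything with a scheme prefix (phar://, php://, data:, ...).
    // This also rejects Windows drive letters, which is acceptable for a
    // name that must be relative to the uploads directory.
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $file) === 1) {
        return false;
    }
    // realpath() collapses ../ segments and symlinks and returns false for
    // non-existent paths, so traversal out of $uploads_dir (or an absolute
    // path, which is simply appended) fails the prefix check below.
    $base = realpath($uploads_dir);
    $real = realpath($uploads_dir . DIRECTORY_SEPARATOR . $file);
    if ($base === false || $real === false) {
        return false;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0 || !is_file($real)) {
        return false;
    }
    header('Content-Type: application/octet-stream');
    header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode(basename($real)));
    readfile($real);
    return true;
}

// Example wiring (assumed parameter name and directory):
// if (!safe_download($_GET['file'] ?? '', '/var/www/html/wp-content/uploads')) {
//     http_response_code(404);
// }
```

The scheme check is defense in depth: because the hardened function always prepends the uploads directory, a phar:// prefix would never reach a filesystem call as a wrapper anyway, but rejecting it explicitly makes the attempt visible in logs and keeps the intent obvious to the next maintainer.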

Affected Systems

All installations of the Jupiter X Core plugin by Artbees running version 4.8.11 or earlier. Later releases are not listed as affected.

Risk and Exploitability

The CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) rates the vulnerability High: it is reachable over the network with no privileges or user interaction, but carries high attack complexity because a usable POP chain must already be present on the target. The EPSS score of 2.6% reflects a low estimated probability of exploitation in the wild at this time, and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires a form with the file download action to exist on the site and the attacker to be able to upload a file; unauthenticated users can attack when such a form already exists, and Contributor-level or higher users can create the form themselves. Because the plugin lacks an inherent POP chain, the practical risk is limited unless the site also runs a plugin or theme that provides one, in which case the impact escalates to file deletion, data disclosure, or code execution.

Generated by OpenCVE AI on April 21, 2026 at 21:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Jupiter X Core plugin to the latest version that addresses the deserialization flaw.
  • Treat the 'file' parameter as an untrusted path: reject stream-wrapper prefixes such as phar://, canonicalize the value, and serve only regular files from the intended download directory. Where forms do not need uploads, disable the file upload field so attackers cannot stage a PHAR on the site.
  • Audit installed plugins and themes for classes with exploitable magic methods (POP gadgets) and remove or update any that provide a usable chain, since the chain, not the vulnerable deserialization alone, determines whether the flaw becomes file deletion or code execution.
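As an added triage aid (not an OpenCVE, Wordfence or Jupiter X tool), the script below walks a wp-content tree and lists classes that declare the magic methods a deserialized object can trigger, which is the first step in judging whether a site hosts POP gadgets. A hit only marks a class for manual review of the method body; the scan root and the method list are assumptions of the example.

```php
<?php
// Added triage helper, not part of Jupiter X Core or OpenCVE. Walks a
// WordPress wp-content tree and lists classes declaring the magic methods
// that a deserialized object can trigger (__destruct, __wakeup,
// __unserialize, __toString, __call). A hit is a lead for manual review,
// not proof of a usable POP chain: the method body decides whether the
// class is a gadget.

// Returns the first T_STRING token after index $i, skipping whitespace.
function next_string_token(array $tokens, int $i): ?string
{
    $n = count($tokens);
    for ($j = $i + 1; $j < $n; $j++) {
        $t = $tokens[$j];
        if (is_array($t) && $t[0] === T_WHITESPACE) {
            continue;
        }
        return (is_array($t) && $t[0] === T_STRING) ? $t[1] : null;
    }
    return null;
}

// Scans one PHP source string; returns [class => [method, ...]].
// Uses the tokenizer rather than regexes so braces, strings and comments
// cannot confuse the match.
function magic_methods_in_source(string $src): array
{
    $magic = ['__destruct', '__wakeup', '__unserialize', '__toString', '__call'];
    $found = [];
    $class = null;
    $tokens = token_get_all($src);
    $n = count($tokens);
    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];
        if (!is_array($t)) {
            continue;
        }
        if ($t[0] === T_CLASS) {
            // `Foo::class` and anonymous classes yield no T_STRING here and
            // leave $class unchanged.
            $name = next_string_token($tokens, $i);
            if ($name !== null) {
                $class = $name;
            }
        } elseif ($t[0] === T_FUNCTION && $class !== null) {
            $name = next_string_token($tokens, $i);
            if ($name !== null && in_array($name, $magic, true)) {
                $found[$class][] = $name;
            }
        }
    }
    return $found;
}

// Walks $root for *.php files and returns [file => [class => [method...]]].
function scan_for_pop_gadgets(string $root): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $path => $info) {
        if (!$info->isFile() || strtolower($info->getExtension()) !== 'php') {
            continue;
        }
        $src = @file_get_contents($path);
        if ($src === false) {
            continue;
        }
        $found = magic_methods_in_source($src);
        if ($found !== []) {
            $hits[$path] = $found;
        }
    }
    return $hits;
}

// Usage (assumed path): php scan.php /var/www/html/wp-content
$root = $argv[1] ?? 'wp-content';
foreach (scan_for_pop_gadgets($root) as $file => $classes) {
    foreach ($classes as $class => $methods) {
        printf("%s: %s::%s()\n", $file, $class, implode('(), ', $methods));
    }
}
```

Expect noise: many legitimate classes implement __toString or __call harmlessly. The useful follow-up is to read each flagged __destruct and __wakeup body for file, database or callback operations driven by object properties, and to cross-check the owning library against known gadget catalogs before deciding to remove a plugin.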

Advisories
Source: EUVD
ID: EUVD-2025-12494
Title: The Jupiter X Core plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.8.11 via deserialization of untrusted input from the 'file' parameter of the 'raven_download_file' function. This makes it possible for attackers to inject a PHP Object through a PHAR file. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. This vulnerability may be exploited by unauthenticated attackers when a form is present on the site with the file download action, and the ability to upload files is also present. Otherwise, this would be considered exploitable by Contributor-level users and above, because they could create the form needed to successfully exploit this.
History

Tue, 06 May 2025 16:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Artbees; Artbees Jupiter X Core
CPEs | | cpe:2.3:a:artbees:jupiter_x_core:*:*:*:*:*:wordpress:*:*
Vendors & Products | | Artbees; Artbees Jupiter X Core

Mon, 28 Apr 2025 22:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sat, 26 Apr 2025 05:45:00 +0000

Type | Values Removed | Values Added
Description | | The Jupiter X Core plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.8.11 via deserialization of untrusted input from the 'file' parameter of the 'raven_download_file' function. This makes it possible for attackers to inject a PHP Object through a PHAR file. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. This vulnerability may be exploited by unauthenticated attackers when a form is present on the site with the file download action, and the ability to upload files is also present. Otherwise, this would be considered exploitable by Contributor-level users and above, because they could create the form needed to successfully exploit this.
Title | | Jupiter X Core <= 4.8.11 - Unauthenticated PHP Object Injection via PHAR
Weaknesses | | CWE-502
References | |
Metrics | | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:45:40.367Z

Reserved: 2025-03-07T19:42:10.279Z

Link: CVE-2025-2105

Vulnrichment

Updated: 2025-04-28T14:47:11.812Z

NVD

Status : Analyzed

Published: 2025-04-26T06:15:15.877

Modified: 2025-05-06T16:25:44.413

Link: CVE-2025-2105

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T21:15:45Z

Weaknesses