CVE-2025-0365 is a directory traversal vulnerability classified under CWE-22, found in the Jupiter X Core plugin for WordPress, specifically in versions up to and including 4.8.7. The vulnerability arises from improper limitation of pathname inputs in the inline SVG feature, which fails to adequately sanitize or restrict file path parameters. Authenticated attackers with at least Contributor-level privileges can exploit this flaw to traverse directories and read arbitrary files on the web server. This can lead to disclosure of sensitive information such as configuration files, credentials, or other data stored on the server. The attack vector requires network access and authentication but does not require user interaction beyond that. The vulnerability impacts confidentiality but not integrity or availability. The CVSS 3.1 base score is 6.5, reflecting a medium severity with network attack vector, low attack complexity, and privileges required. No known public exploits have been reported yet, but the vulnerability poses a significant risk to websites using this plugin, especially those with multiple contributors or less restrictive access controls. The lack of a patch link suggests that a fix may still be pending or not yet publicly released.

The primary impact of CVE-2025-0365 is unauthorized disclosure of sensitive server files, which can compromise confidentiality. Attackers with Contributor-level access can read arbitrary files, potentially exposing database credentials, API keys, or other sensitive configuration data. This information can facilitate further attacks such as privilege escalation, data exfiltration, or site defacement. Since the vulnerability does not affect integrity or availability directly, the immediate risk is data leakage. However, the exposed information can be leveraged for more damaging exploits. Organizations running WordPress sites with the Jupiter X Core plugin are at risk, especially if they allow multiple contributors or have weak access controls. The medium CVSS score reflects the need for timely remediation to prevent exploitation. The absence of known exploits in the wild reduces immediate risk but does not eliminate it, as attackers may develop exploits once the vulnerability is public. The impact is global, affecting any organization using the vulnerable plugin, with higher risk in regions with widespread WordPress usage.

To mitigate CVE-2025-0365, organizations should first restrict Contributor-level access to trusted users only, minimizing the number of accounts that can exploit the vulnerability. Implement strict role-based access controls and audit user permissions regularly. Monitor server logs for unusual file access patterns, especially requests involving inline SVG features or suspicious path traversal attempts. Disable the inline SVG feature in the Jupiter X Core plugin if possible until a patch is available. Keep WordPress core and all plugins updated, and apply security patches promptly once the vendor releases a fix for this vulnerability. Employ web application firewalls (WAFs) with rules designed to detect and block directory traversal attempts. Additionally, consider isolating the web server environment and restricting file system permissions to limit the files accessible to the web server process. Conduct regular security assessments and penetration tests focusing on plugin vulnerabilities to detect similar issues proactively.