CVE-2025-0366 is a vulnerability classified under CWE-98 (Improper Control of Filename for Include/Require Statement) affecting the Jupiter X Core plugin for WordPress, versions up to and including 4.8.7. The vulnerability resides in the get_svg() function, which improperly handles file inclusion, allowing authenticated users with Contributor-level permissions or higher to perform Local File Inclusion (LFI) that escalates to Remote Code Execution (RCE). Attackers can exploit this by uploading a crafted SVG file containing malicious PHP code via a form that accepts SVG uploads. Once uploaded, the attacker includes this SVG file in a WordPress post, triggering execution of the embedded PHP code on the server. This attack vector bypasses typical access controls and does not require user interaction beyond authentication. The vulnerability impacts confidentiality, integrity, and availability by enabling arbitrary code execution, potentially leading to full site compromise, data exfiltration, and persistent backdoors. The CVSS v3.1 score of 8.8 reflects the network attack vector, low attack complexity, privileges required at the Contributor level, no user interaction, unchanged scope, and high impact on confidentiality, integrity, and availability. Although no known exploits are currently reported in the wild, the vulnerability’s characteristics make it a critical risk for WordPress sites using this plugin.

The impact of CVE-2025-0366 is severe for organizations running WordPress sites with the vulnerable Jupiter X Core plugin. Successful exploitation allows attackers with relatively low privileges (Contributor-level) to execute arbitrary PHP code remotely, which can lead to complete site takeover. This includes the ability to bypass access controls, steal sensitive data such as user credentials and personal information, modify or delete content, and deploy persistent malware or backdoors. The compromise of web servers hosting WordPress sites can also serve as a pivot point for further attacks within an organization's network. Given WordPress’s widespread use globally, this vulnerability poses a significant risk to businesses, government agencies, and individuals relying on the affected plugin for website functionality. The ease of exploitation and high impact on confidentiality, integrity, and availability make this a critical threat that can disrupt operations, damage reputations, and incur financial losses.

To mitigate CVE-2025-0366, organizations should immediately update the Jupiter X Core plugin to a version that patches this vulnerability once available. Until a patch is released, administrators should restrict Contributor-level and higher permissions to trusted users only, minimizing the risk of malicious uploads. Disable or restrict SVG file uploads if not essential, as SVG files are the attack vector for this vulnerability. Implement Web Application Firewall (WAF) rules to detect and block attempts to upload or include malicious SVG files. Conduct regular security audits of user roles and permissions to ensure least privilege principles are enforced. Additionally, monitor web server logs for suspicious file uploads and inclusion attempts. Employ runtime application self-protection (RASP) or intrusion detection systems (IDS) to detect anomalous PHP execution patterns. Finally, maintain regular backups and have an incident response plan ready to quickly remediate any compromise resulting from exploitation.