CVE-2025-0366

CVSS 3.1 Score 8.8 of 10 (high)

Attack Complexity low
Confidentiality high
Integrity high
Availability high
Privileges Required low
Scope unchanged

Details

Published Feb 1, 2025
CWE ID 98 (Improper Control of Filename for Include/Require Statement in PHP Program, 'PHP Remote File Inclusion')

Summary

CVE-2025-0366 is a Local File Inclusion vulnerability in the Jupiter X Core plugin for WordPress, affecting all versions up to and including 4.8.7. The flaw is in the plugin's get_svg() function, which includes a file whose path an authenticated user can influence. Because PHP's include executes any PHP code found in the included file regardless of its extension, the bug can be used to bypass access controls, read sensitive data, or achieve remote code execution. Authenticated attackers with Contributor-level access and above can exploit it by creating a form that allows SVG uploads, uploading an SVG file that carries PHP code, and then including that SVG file in a post, at which point the embedded code runs on the server. No non-default configuration is required, so a Contributor-level account is enough for remote code execution on a default install.
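The pattern behind a CWE-98 bug of this kind, shown as an added illustration that is not Jupiter X Core's code: a helper that passes a post-controlled SVG path to include() beside a hardened version that confines the path to an upload directory, accepts only .svg, and treats the file strictly as data. The function names, the base directory, and the assumption of PHP 8 (for str_starts_with) are all choices made for this example, not details taken from the plugin.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern (CWE-98): the SVG path comes from post content and is
// handed to include(). include() executes any "<?php ... ?>" block in the
// file no matter what extension it has, so an uploaded SVG that carries PHP
// becomes server-side code the moment it is included.
// Hypothetical name; this is not the plugin's get_svg().
function render_svg_vulnerable(string $path): void
{
    include $path;
}

// Hardened pattern: confine the path, accept only .svg, and read the file as
// bytes. file_get_contents() never executes PHP tags; the XML pass afterwards
// strips what is dangerous when an SVG is inlined into a page.
// Hypothetical name and signature, chosen for this example.
function render_svg_hardened(string $requested, string $base_dir): string
{
    $base = realpath($base_dir);
    // basename() discards any directory component the caller supplied, so
    // "../../wp-config.php" collapses to "wp-config.php" inside $base_dir.
    $real = realpath($base_dir . DIRECTORY_SEPARATOR . basename($requested));
    if ($base === false || $real === false
        || !str_starts_with($real, $base . DIRECTORY_SEPARATOR)) {
        return '';                                  // outside the allowed directory
    }
    if (strtolower(pathinfo($real, PATHINFO_EXTENSION)) !== 'svg') {
        return '';                                  // only .svg is ever rendered
    }
    $data = file_get_contents($real);
    if ($data === false) {
        return '';
    }

    $prev = libxml_use_internal_errors(true);
    $doc  = new DOMDocument();
    // LIBXML_NONET: no network fetches while parsing. LIBXML_NOENT is
    // deliberately absent so entities are never expanded, and any DOCTYPE
    // is rejected below, which closes the XXE / entity-expansion angle.
    $ok = $doc->loadXML($data, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok || $doc->doctype !== null
        || $doc->documentElement === null
        || $doc->documentElement->localName !== 'svg') {
        return '';
    }

    $xp = new DOMXPath($doc);
    // Processing instructions are where a "<?php ... ?>" block lives inside an
    // SVG; <script> and <foreignObject> carry active content when inlined.
    // Collect first, then remove, so the live node list is not mutated mid-loop.
    $nodes = iterator_to_array($xp->query(
        '//processing-instruction() | //*[local-name()="script"] | //*[local-name()="foreignObject"]'
    ), false);
    foreach ($nodes as $node) {
        $node->parentNode->removeChild($node);
    }
    // Event-handler attributes (onload, onclick, ...) and javascript: links.
    $attrs = iterator_to_array($xp->query('//@*'), false);
    foreach ($attrs as $attr) {
        $name  = strtolower($attr->localName);
        $value = strtolower(trim($attr->nodeValue));
        if (str_starts_with($name, 'on') || str_starts_with($value, 'javascript:')) {
            $attr->ownerElement->removeAttributeNode($attr);
        }
    }
    return $doc->saveXML($doc->documentElement);
}

// Usage with a constructed upload directory (an assumption for this example):
// echo render_svg_hardened('logo.svg', '/var/www/html/wp-content/uploads/svg');
```

The essential change is the last line of the hardened function: the SVG is emitted with saveXML() as markup, so even an SVG that still contains a "<?php" processing instruction is inert, because nothing ever hands the file to PHP's include or require. The path confinement and extension check are defence in depth; they keep the helper from being turned into an arbitrary-file read even when the upload directory itself is trusted.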
