CVE-2025-0366
Jupiter X Core <= 4.8.7 - Authenticated (Contributor+) SVG Upload to Local File Inclusion (Remote Code Execution)The Jupiter X Core plugin for WordPress is vulnerable to Local File Inclusion to Remote Code Execution in all versions up to, and including, 4.8.7 via the get_svg() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution. In this specific case, an attacker can create a form that allows SVG uploads, upload an SVG file with malicious content and then include the SVG file in a post to achieve remote code execution. This means it is relatively easy to gain remote code execution as a contributor-level user and above by default.
We have discovered 8,783 live websites that are affected by CVE-2025-0366.
Affected Software
| Product |  Jupiterx Core |
| Category | Wordpress Plugins |
| Vulnerable Domains | 8,783 live websites (90.17% of Jupiterx Core install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 51 versions ( 94.44% of all versions) |
Common Weakness Enumeration
CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')Details
- Published - Feb 1, 2025
- Updated - Feb 3, 2025
Credits
- Matthew Rollings (finder)
CWE
CVE References
CWE References
CVE-2025-0366 usage by Country
 United States | 3,507 websites |
 Germany | 1,098 websites |
 France | 743 websites |
 Netherlands | 348 websites |
 GB | 318 websites |
 Spain | 292 websites |
 Italy | 276 websites |
 Cyprus | 160 websites |
 Switzerland | 157 websites |
 Canada | 153 websites |
CVE-2025-0366 usage by TLD
| .com | 3,830 websites |
| .de | 518 websites |
| .org | 410 websites |
| .nl | 397 websites |
| .fr | 305 websites |
| .it | 281 websites |
| .co.uk | 241 websites |
| .com.br | 218 websites |
| .ca | 186 websites |
| .com.au | 177 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-0366
Top websites that are affected by CVE-2025-0366. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *************************.com | United States | *,*** | |
| ************.nl | Netherlands | *,*** | |
| *********.com | United States | **,*** | |
| **************.com | United States | **,*** | |
| *******************.com | United States | **,*** | |
| *******.net | United States | **,*** | |
| *******************************.com | United States | **,*** | |
| ****************.org | United States | **,*** | |
| *********************.com | United States | **,*** | |
| ***.org | United States | **,*** |
FAQ
CVE-2025-0366 is Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in Jupiterx Core
A total of 8,783 websites have been identified as vulnerable to CVE-2025-0366, discovered through global website indexing conducted by WebTechSurvey.
Jupiterx Core is susceptible to CVE-2025-0366 vulnerability.
Jupiterx Core versions before, and including, 4.8.7 are vulnerable to CVE-2025-0366.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/1a20dc1d-eb7c-47ac-ad9a-ec4c0d5db62e?source=cve
- https://plugins.trac.wordpress.org/changeset/3231122/jupiterx-core/trunk/includes/extensions/raven/includes/modules/video/widgets/video.php
- https://plugins.trac.wordpress.org/changeset/3231122/jupiterx-core/trunk/includes/extensions/raven/includes/modules/forms/classes/ajax-handler.php