JOIN BREACHFORUMS NEW TELEGRAM
WordPress LFI to RCE - CVE-2025-0366
by Serious - Saturday February 22, 2025 at 06:00 PM
Banned

Posts: 4
Threads: 4
Joined: Feb 2025
Reputation: 10
#1
Feb 22, 2025, 06:00 PM (This post was last modified: Feb 22, 2025, 06:03 PM by Serious.)
Jupiter X Core, a popular Wordpress Plugin with more than 90,000 users worldwide, is vulnerable to a high-severity flaw that allows threat actors to run arbitrary files on the server, essentially giving them the ability to fully take over target websites, experts have warned. 
  
WordPress security researchers Wordfence revealed it was found to be vulnerable to a “Local File Inclusion to Remote Code Execution” flaw, now tracked as CVE-2025-0366. It has a severity score of 8.8/10 (high) and affects all versions up to, and including 4.8.7.
Jupiter X Core is a companion plugin for the Jupiter X WordPress theme, developed by Artbees. It extends the functionality of the theme by adding advanced features, such as custom page-building elements, theme customizer options, and enhanced design controls. The plugin is primarily used by web designers, developers, and business owners.
SVG uploads as the problem
“This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files,” Wordfence explained. “This can be used to bypass access controls, obtain sensitive data, or achieve code execution.”
 
The Jupiter X Core plugin for WordPress is vulnerable to Local File Inclusion to Remote Code Execution in all versions up to, and including, 4.8.7 via the get_svg() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution. In this specific case, an attacker can create a form that allows SVG uploads, upload an SVG file with malicious content and then include the SVG file in a post to achieve remote code execution. This means it is relatively easy to gain remote code execution as a contributor-level user and above by default.


This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Attempting to sell IDs/real documents
Reply
Banned

Posts: 85
Threads: 0
Joined: Apr 2026
Reputation: 0
#2
Feb 05, 2026, 09:53 AM
Interesting thanks for everything

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Contact Administration.
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  POC CVE-2025-24071 caca28sapo1 17 1,239 9 hours ago
Last Post: Test689
  New Zer0 Day Wordpress A3g00n 83 4,246 May 11, 2026, 08:17 PM
Last Post: j4ng0
  {SECRET} DATABASE OF EXPLOITS lulagain 441 28,206 May 11, 2026, 05:41 PM
Last Post: chiki
  Google Dorks for finding SQL injection vulnerabilities and other security issues 1yush 69 3,787 May 11, 2026, 03:55 PM
Last Post: fkmonkey
  CVE-2024-32002 RCE PoC HA_twck 2 587 May 11, 2026, 01:33 PM
Last Post: newxiao1

Forum Jump:


 Users browsing this forum: 1 Guest(s)