How to fix CVE-2025-0366?

Within 30 days: Identify all affected systems running for WordPress is vulnerable to Local File Inclusion to Remot and apply vendor patches as part of regular patch cycle. Vendor patch is available.

Is PHP affected by CVE-2025-0366?

Organizations using Jupiter X Core face significant risk from CVE-2025-0366 rated CVSS 8.8. Successful exploitation could significantly impact the confidentiality, integrity, or availability of affected systems. A patch is available and should be applied as part of regular vulnerability management.

CVE-2025-0366

HIGH

2025-02-01 [email protected]

8.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:06 vuln.today

Patch Released

Mar 28, 2026 - 18:06 nvd

Patch available

CVE Published

Feb 01, 2025 - 06:15 nvd

HIGH 8.8

Description

The Jupiter X Core plugin for WordPress is vulnerable to Local File Inclusion to Remote Code Execution in all versions up to, and including, 4.8.7 via the get_svg() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution. In this specific case, an attacker can create a form that allows SVG uploads, upload an SVG file with malicious content and then include the SVG file in a post to achieve remote code execution. This means it is relatively easy to gain remote code execution as a contributor-level user and above by default.

Analysis

The Jupiter X Core plugin for WordPress is vulnerable to Local File Inclusion to Remote Code Execution in all versions up to, and including, 4.8.7 via the get_svg() function. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Technical Context

This vulnerability is classified under CWE-98. The Jupiter X Core plugin for WordPress is vulnerable to Local File Inclusion to Remote Code Execution in all versions up to, and including, 4.8.7 via the get_svg() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution. In this specific case, an attacker can create a form that allows SVG uploads, upload an SVG file with malicious content and then include the SVG file in a post to achieve remote code execution. This means it is relatively easy to gain remote code execution as a contributor-level user and above by default. Affected products include: Artbees Jupiter X Core.

Affected Products

Artbees Jupiter X Core.

Remediation

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.8

CVSS: +44

POC: 0

CVE-2025-0366 vulnerability details – vuln.today

Back

CVE-2025-0366

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-0366

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code