Artbees Jupiter X Core
cpe:2.3:a:artbees:jupiter_x_core:*:*:*:*:wordpress:*:*
- <= 4.8.7
A vulnerability allowing local file inclusion (LFI) that can be exploited for remote code execution (RCE) has been identified in the Jupiter X Core plugin for WordPress. This issue affects all versions through 4.8.7 and arises in the get_svg() function. Authenticated attackers with Contributor-level access or higher can exploit this vulnerability by uploading an SVG file containing malicious content, which can then be executed on the server. This vulnerability could be used to bypass access controls, access sensitive information, or execute arbitrary code on the server.
Exploitation of this vulnerability allows for local file inclusion, which can be used to execute arbitrary PHP code on the server, leading to remote code execution.
To reproduce this vulnerability, an authenticated user with Contributor-level access or higher can upload an SVG file with malicious content through a form that allows SVG uploads. Once the file is uploaded, it can be included in a post, triggering the execution of the malicious code on the server.
Users are advised to update the Jupiter X Core plugin to version 4.8.8 or a newer patched version.
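A defensive check for the conditions described above, added here as an example and not taken from the plugin or from this advisory: it flags plugin versions older than 4.8.8 and lists SVG files under an uploads tree that contain a PHP open tag. The function names, directory layout and sample files are assumptions constructed for the illustration.

```python
import re
import tempfile
from pathlib import Path

# PHP open tags that run when a file is pulled in through include/require.
# "<?xml" is a legitimate XML declaration and does not match. The bare "<? "
# form only executes when short_open_tag is enabled, but is flagged anyway.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php|=|\s)", re.IGNORECASE)
FIRST_FIXED = (4, 8, 8)  # patched release named in the advisory


def is_affected(version: str) -> bool:
    """True if a Jupiter X Core version string is older than 4.8.8."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts += (0,) * (3 - len(parts))  # pad "4.9" to (4, 9, 0)
    return parts < FIRST_FIXED


def suspicious_svgs(uploads_dir):
    """Return sorted paths of .svg files under uploads_dir holding a PHP open tag."""
    hits = []
    for path in Path(uploads_dir).rglob("*"):
        if path.is_file() and path.suffix.lower() == ".svg":
            if PHP_OPEN_TAG.search(path.read_bytes()):
                hits.append(path)
    return sorted(hits)


def build_sample_uploads(root):
    """Constructed sample data: one clean SVG and one carrying a PHP tag."""
    root = Path(root)
    (root / "2024/01").mkdir(parents=True)
    (root / "2024/01/logo.svg").write_bytes(
        b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"/>')
    (root / "2024/01/icon.SVG").write_bytes(
        b'<svg xmlns="http://www.w3.org/2000/svg"><?php echo 1; ?></svg>')
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for hit in suspicious_svgs(build_sample_uploads(tmp)):
            print("PHP tag in SVG:", hit)
    print("4.8.7 affected:", is_affected("4.8.7"))
```

On a real site, point suspicious_svgs() at the WordPress uploads directory and review each hit together with the Contributor account that uploaded it.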