The National Information Technology Development Agency (NITDA), through its Computer Emergency Readiness and Response Team (CERRT.NG), has issued an urgent advisory on a critical security flaw discovered in the Jupiter X Core plugin for WordPress.
The vulnerability, identified as CVE-2025-0366, threatens websites using this popular theme framework and could allow cybercriminals to take full control of affected sites.
According to the advisory, the security flaw is categorised as an unauthenticated privilege escalation vulnerability. This means that attackers can exploit the flaw to execute arbitrary code or gain administrative access without needing authentication credentials.
Such vulnerabilities are particularly dangerous because they grant attackers unrestricted control over a compromised website.
If exploited, cybercriminals could:
- Gain full control over affected WordPress sites
- Modify or delete website content
- Inject malware or malicious scripts
- Deface websites or redirect traffic
- Steal sensitive user data
With many businesses, organisations, and individuals relying on WordPress, the impact of this vulnerability could be severe, particularly for website owners handling sensitive customer information.

Recommended Actions for Website Owners
To mitigate the risk posed by this vulnerability, NITDA has outlined the following precautionary measures:
- Update the Plugin: Website administrators should immediately update the Jupiter X Core plugin to the latest patched version, 4.8.8.
- Remove Unused or Outdated Plugins: Unused or obsolete plugins should be deleted to reduce potential attack surfaces.
- Monitor for Unauthorised Access: Regularly check for suspicious admin accounts or unexpected changes in website content.
- Implement Strong Authentication Measures: Enforce strong passwords, two-factor authentication (2FA), and role-based access controls to improve security.
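A defender's check for the update and monitoring actions above, added here as an example and not taken from the NITDA advisory or the plugin's own code: it reads the `Version:` header from a plugin's main PHP file, compares it numerically against 4.8.8, and lists administrator logins that are missing from an approved baseline. The sample header, the login names and the function names are constructed for illustration.

```python
import re

PATCHED = (4, 8, 8)  # patched Jupiter X Core version named in the advisory

def parse_version(text):
    """Turn '4.8.7' into (4, 8, 7); missing components count as 0."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def header_version(php_source):
    """Read the 'Version:' field from a WordPress plugin header comment."""
    m = re.search(r"^[ \t/*#@]*Version:\s*(\d[\d.]*)", php_source, re.M | re.I)
    return parse_version(m.group(1)) if m else None

def needs_update(php_source):
    """True when the installed version is older than the patched one."""
    version = header_version(php_source)
    # Tuples compare numerically, so 4.8.10 is correctly newer than 4.8.8
    # (a plain string comparison would get that wrong). A file with no
    # readable version is treated as unpatched.
    return version is None or version < PATCHED

def unexpected_admins(current, baseline):
    """Administrator logins present now but missing from the approved list."""
    approved = {name.lower() for name in baseline}
    return sorted(name for name in current if name.lower() not in approved)

# Constructed sample data (hypothetical site, not from the advisory).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Jupiter X Core
 * Version: 4.8.7
 */
"""
BASELINE_ADMINS = ["siteowner", "webmaster"]
CURRENT_ADMINS = ["siteowner", "Webmaster", "wp_support01"]

if __name__ == "__main__":
    if needs_update(SAMPLE_HEADER):
        print("Jupiter X Core is older than 4.8.8: update now")
    for login in unexpected_admins(CURRENT_ADMINS, BASELINE_ADMINS):
        print("Administrator not in baseline, review:", login)
```

The current administrator list can come from any export of the site's user accounts; the baseline is whatever list the site owner has approved.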
Cyber threats targeting WordPress plugins are currently increasing, and security experts have frequently warned that outdated or poorly maintained plugins are a leading entry point for hackers.
With WordPress powering over 40% of all websites globally, vulnerabilities in widely used plugins like Jupiter X Core present an attractive target for cybercriminals.
Recently, similar security issues have been identified in other WordPress extensions, leading to data breaches, malware infections, and website defacements.
Experts recommend that website owners adopt a more protective approach to cybersecurity, including regular updates, security audits, and implementing website firewalls to block malicious activity.