WordPress Javo Core プラグイン <= 3.0.0.266 - 任意のコード実行 (Arbitrary Code Execution) の脆弱性

The Code Injection vulnerability in Javo Core is particularly severe because it allows an attacker to execute arbitrary code within the context of the WordPress plugin. This means an attacker could potentially gain full control of the WordPress site, including access to sensitive data, modification of content, and installation of malicious software. Successful exploitation could lead to data breaches, website defacement, and the spread of malware. The impact is amplified if the WordPress site handles sensitive user data or is integrated with other critical systems.

WordPress websites utilizing the Javo Core plugin, particularly those running older, unpatched versions (0.0 - 3.0.0.266), are at risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise of one site could potentially lead to the compromise of others.

• wordpress / composer / npm:

grep -r "javothemes/javo-core" /var/www/html/

• wordpress / composer / npm:

wp plugin list | grep javo-core

• wordpress / composer / npm:

wp plugin status javo-core

• generic web: Check WordPress plugin directory for updates and security advisories related to Javo Core.

1. 2025-12-18Disclosure

   disclosure

1. 予約済み2025-09-25
2. 公開日2025-12-18
3. 更新日2026-04-28
4. EPSS 更新日2026-03-23

The primary mitigation for CVE-2025-60068 is to upgrade to a patched version of the Javo Core plugin as soon as it becomes available. Until a patch is released, consider disabling the Javo Core plugin if it is not essential. As a temporary workaround, implement strict input validation and sanitization on any user-supplied data that is processed by the plugin. Web Application Firewalls (WAFs) configured to detect and block code injection attempts can also provide a layer of protection. Monitor WordPress logs for suspicious activity related to Javo Core.