Platform
wordpress
Component
javo-core
Fixed version
3.0.1
CVE-2025-60068 describes a Code Injection vulnerability discovered in the Javo Core WordPress plugin. This flaw allows an attacker to inject and execute arbitrary code on a vulnerable system, potentially leading to complete site compromise. The vulnerability impacts versions from 0.0 up to and including 3.0.0.266, and a patch is expected to be released by the vendor.
The Code Injection vulnerability in Javo Core is particularly severe because it allows an attacker to execute arbitrary code within the context of the WordPress plugin. This means an attacker could potentially gain full control of the WordPress site, including access to sensitive data, modification of content, and installation of malicious software. Successful exploitation could lead to data breaches, website defacement, and the spread of malware. The impact is amplified if the WordPress site handles sensitive user data or is integrated with other critical systems.
As of the publication date (2025-12-18), there is no indication of active exploitation of CVE-2025-60068. Public proof-of-concept (POC) code is not currently available. The vulnerability has not been added to the CISA KEV catalog. The medium CVSS score suggests a moderate level of exploitability and impact.
WordPress websites utilizing the Javo Core plugin, particularly those running older, unpatched versions (0.0 - 3.0.0.266), are at risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / composer / npm:
grep -r "javothemes/javo-core" /var/www/html/
• wordpress / composer / npm:
wp plugin list | grep javo-core
• wordpress / composer / npm:
wp plugin status javo-core
• generic web: Check WordPress plugin directory for updates and security advisories related to Javo Core.
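The commands above show whether the plugin is present. The following added example (not from the advisory or the vendor) also reads the installed version from the plugin header and compares it with the affected range stated on this page. The function names, the plugin path in the usage comment, and the reliance on `sort -V` (GNU coreutils or BusyBox) are assumptions.

```shell
#!/bin/sh
# Added example: flag Javo Core installs inside the affected range.
# The range boundary comes from the advisory text; paths are assumptions.

LAST_AFFECTED="3.0.0.266"   # last affected version named in the advisory

# Print the "Version:" value from the WordPress plugin header found in the
# top-level PHP files of plugin directory $1 (main file name is not assumed).
javo_core_version() {
    for f in "$1"/*.php; do
        [ -f "$f" ] || continue
        v=$(sed -n 's|^[[:space:]*#/]*Version:[[:space:]]*\([0-9][0-9.]*\).*|\1|p' "$f" | head -n 1)
        if [ -n "$v" ]; then
            printf '%s\n' "$v"
            return 0
        fi
    done
    return 1
}

# Return 0 (affected) when version $1 sorts at or below LAST_AFFECTED.
# sort -V orders dotted versions numerically, so 3.0.0.266 < 3.0.1.
javo_core_affected() {
    highest=$(printf '%s\n%s\n' "$1" "$LAST_AFFECTED" | sort -V | tail -n 1)
    [ "$highest" = "$LAST_AFFECTED" ]
}

# Report on one plugin directory.
# Status: 0 = outside affected range, 1 = affected, 2 = no version header found.
check_javo_core() {
    ver=$(javo_core_version "$1") || {
        echo "javo-core: no version header found in $1"
        return 2
    }
    if javo_core_affected "$ver"; then
        echo "javo-core $ver: AFFECTED by CVE-2025-60068 (<= $LAST_AFFECTED)"
        return 1
    fi
    echo "javo-core $ver: outside the affected range"
    return 0
}

# Usage (path is an assumption about the install layout):
#   check_javo_core /var/www/html/wp-content/plugins/javo-core
```

The non-zero exit status for an affected install lets the check run from cron or a CI job and fail loudly.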
disclosure
Exploit status
EPSS
0.06% (18th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-60068 is to upgrade to a patched version of the Javo Core plugin as soon as it becomes available. Until a patch is released, consider disabling the Javo Core plugin if it is not essential. As a temporary workaround, implement strict input validation and sanitization on any user-supplied data that is processed by the plugin. Web Application Firewalls (WAFs) configured to detect and block code injection attempts can also provide a layer of protection. Monitor WordPress logs for suspicious activity related to Javo Core.
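No known patch is available. Review the details of the vulnerability in depth and apply mitigations according to your organization's risk tolerance. It is best to uninstall the affected software and look for an alternative.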
CVE-2025-60068 is a Code Injection vulnerability affecting the Javo Core WordPress plugin, allowing attackers to execute arbitrary code. It impacts versions 0.0 through 3.0.0.266.
You are affected if your WordPress site uses the Javo Core plugin and is running a version between 0.0 and 3.0.0.266. Check your plugin versions immediately.
Upgrade to the latest version of the Javo Core plugin as soon as a patch is released by the vendor. Until then, disable the plugin or implement strict input validation.
As of December 18, 2025, there is no confirmed active exploitation of CVE-2025-60068, but it's crucial to apply the fix promptly.
Refer to the Javo Core plugin's official website or WordPress plugin directory for the latest security advisory and patch information.