NITDA issues urgent warning to website owners against Jupiter X Core WordPress plugin

Blessed Frank

The National Information Technology Development Agency (NITDA) has issued an urgent cybersecurity alert to Nigerian website owners about a critical security vulnerability in the widely used Jupiter X Core plugin for WordPress.

The agency disclosed this development via its official X account, urging immediate action to protect websites from potential cyberattacks. The flaw, identified as CVE-2025-0366, has been classified as an “unauthenticated privilege escalation vulnerability,” posing a severe risk to WordPress-powered sites across the country.

According to NITDA, the advisory stems from a detailed report by the Computer Emergency Readiness and Response Team Nigeria (CERNT.NG), a division under the agency. The vulnerability allows attackers to bypass authentication protocols and gain administrative access to affected websites. This could enable cybercriminals to execute arbitrary code, effectively handing them full control over compromised sites. 

“A critical security flaw has been discovered in the Jupiter X Core plugin for WordPress, affecting websites using this popular theme framework,” NITDA stated in its warning.

The scope of the threat

The Jupiter X Core plugin, integral to the Jupiter X theme framework, is employed by over 90,000 active WordPress users globally, with a significant share among Nigerian website owners. The flaw, tracked as CVE-2025-0366, was first patched in an update released earlier this year, as reported by security outlets like SecurityOnline on February 19, 2025. However, NITDA’s recent alert suggests that many Nigerian websites may still be running outdated versions, leaving them exposed to exploitation.

If exploited, the vulnerability grants attackers sweeping control over affected sites. This includes the ability to modify or delete website content, inject malware to infect visitors, steal sensitive data such as customer information and login credentials, and redirect users to phishing sites designed to harvest additional personal details.

For Nigerian businesses, many of which rely on WordPress for e-commerce platforms, customer engagement portals, and online transactions, the stakes are particularly high. 

“This poses a significant risk to website owners, especially those handling sensitive user data,” NITDA warned, noting the potential for financial losses, legal repercussions, and reputational damage.

Immediate steps to mitigate the risk

In response to the threat, CERNT.NG has outlined four actionable steps for website administrators to safeguard their platforms:

  1. Update to Jupiter X Core 4.8.8: The plugin developers have released a patched version, 4.8.8, which addresses the vulnerability. Website owners are urged to log into their WordPress dashboards and update the plugin without delay.
  2. Remove Unused Plugins: Outdated or inactive plugins are a common entry point for attackers. Administrators should review their plugin inventory, deleting any that are no longer in use or unsupported.
  3. Monitor for Suspicious Activity: Regularly audit admin accounts and site settings for unauthorised changes. If unfamiliar accounts or modifications are detected, revoke access immediately and reset all passwords.
  4. Strengthen Authentication: Implement two-factor authentication (2FA) for all admin and user accounts, and enforce the use of strong, unique passwords to bolster security.
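Steps 1 to 3 can be checked in one pass over a site's plugin and administrator inventory. The script below is an added example, not part of the NITDA or CERNT.NG advisory; it assumes the inventory was exported with WP-CLI (`wp plugin list --format=json` and `wp user list --role=administrator --format=json`), that the plugin slug is `jupiterx-core`, and it uses constructed sample data and a hypothetical allowlist of known administrators.

```python
import json

PATCHED = (4, 8, 8)      # fixed release named in the advisory
SLUG = "jupiterx-core"   # assumed plugin slug as reported by WP-CLI

# Constructed sample of `wp plugin list --format=json` output.
PLUGINS_JSON = '''[
 {"name": "jupiterx-core", "status": "active", "update": "available", "version": "4.8.7"},
 {"name": "hello", "status": "inactive", "update": "none", "version": "1.7.2"},
 {"name": "akismet", "status": "active", "update": "none", "version": "5.3"}
]'''

# Constructed sample of `wp user list --role=administrator --format=json`.
ADMINS_JSON = '''[
 {"ID": 1, "user_login": "siteowner", "user_registered": "2021-03-02 10:15:00"},
 {"ID": 57, "user_login": "wp_support1", "user_registered": "2025-03-20 02:41:09"}
]'''

KNOWN_ADMINS = {"siteowner"}  # hypothetical allowlist kept by the site owner


def parse_version(text):
    """Turn '4.8.7' into (4, 8, 7); non-numeric parts count as 0."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def audit(plugins_json, admins_json, known_admins):
    """Return (kind, name, detail) findings for steps 1-3 of the advisory."""
    findings = []
    for p in json.loads(plugins_json):
        # Step 1: Jupiter X Core older than the patched release.
        if p["name"] == SLUG and parse_version(p["version"]) < PATCHED:
            findings.append(("outdated", p["name"], p["version"]))
        # Step 2: inactive plugins are candidates for removal.
        if p["status"] == "inactive":
            findings.append(("inactive", p["name"], p["version"]))
    # Step 3: administrator accounts the owner does not recognise.
    for u in json.loads(admins_json):
        if u["user_login"] not in known_admins:
            findings.append(("unknown-admin", u["user_login"], u["user_registered"]))
    return findings


if __name__ == "__main__":
    for finding in audit(PLUGINS_JSON, ADMINS_JSON, KNOWN_ADMINS):
        print(*finding, sep="\t")
```

An "unknown-admin" finding on a site that ran a version below 4.8.8 should be treated as a possible compromise and handled as step 3 describes: revoke the account and reset all passwords.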

Why this matters to Nigerian businesses

WordPress powers an estimated 40% of websites globally, and its popularity extends to Nigeria, where small and medium-sized enterprises (SMEs) leverage its affordability and ease of use to establish an online presence. From e-commerce platforms to informational blogs, the platform supports a wide range of digital activities critical to economic growth.

However, this reliance also makes WordPress sites a prime target for cybercriminals seeking to exploit vulnerabilities like CVE-2025-0366.

A breach resulting from this flaw could have serious implications. For instance, malware infections could disrupt business operations, while stolen customer data might expose companies to lawsuits or regulatory penalties under Nigeria’s Data Protection Regulation (NDPR). Beyond financial and legal concerns, the loss of customer trust could prove devastating in a competitive digital marketplace.

This comes amid growing concerns about cybersecurity in Nigeria. As the country continues its digital transformation, incidents of cyberattacks have surged, targeting both public and private sector entities. The rise of online fraud, ransomware, and phishing schemes underscores the need for robust security practices, particularly among website owners who may lack the resources or expertise to fend off sophisticated threats.

