CVE-2025-60068 MEDIUM

CVE-2025-60068: WordPress Javo Core plugin <= 3.0.0.266 - Arbitrary Code Execution vulnerability

Vendor: Javothemes
Product: Javo Core
Weakness: CWE-94 · Code injection
Published: December 18, 2025
Last update: April 28, 2026

CVSS base score

6.5/10
Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: None
Confidentiality: Low
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L

What the vulnerability does

01 Description

Improper Control of Generation of Code ('Code Injection') vulnerability in javothemes Javo Core (javo-core) allows Code Injection. This issue affects Javo Core: from n/a through <= 3.0.0.266.

Explanation of Vulnerability in Simple Terms

02 Summary

Javo Core versions up to 3.0.0.266 contain a code injection vulnerability that allows an attacker to inject and execute arbitrary code through network requests. The attack requires specific conditions to be met but does not require authentication or user interaction. Successful exploitation can compromise confidentiality, integrity, and availability of the affected system.

What an attacker can do

03 Attacker Capabilities

Inject and execute arbitrary code on the site without authentication.

Potential impact on your site

04 Site Impact

An attacker could run malicious code, steal data, modify content, or disrupt site operations.

Conditions required to exploit

05 Prerequisites

Network access; specific attack conditions must be met (high complexity).

Key dates

06 Disclosure timeline

December 18, 2025: CVE published
April 28, 2026: Record updated