CVE-2025-2294
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
The Kubio AI Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.1 via the kubio_hybrid_theme_load_template function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Analysis
The Kubio AI Page Builder WordPress plugin through version 2.5.1 contains an unauthenticated Local File Inclusion via the kubio_hybrid_theme_load_template function. Attackers can include and execute arbitrary PHP files on the server, achieving remote code execution through techniques like PHP filter chains or log poisoning.
Technical Context
The kubio_hybrid_theme_load_template function accepts a template path parameter without proper validation. An unauthenticated attacker can traverse directories to include arbitrary PHP files. Using PHP filter chain techniques (php://filter/convert.base64-decode), the attacker can achieve code execution without requiring a pre-existing PHP file on the server.
Affected Products
Kubio AI Page Builder <= 2.5.1
Remediation
Update Kubio to version 2.5.2 or later. Implement strict template path validation using an allowlist. Deploy WAF rules detecting PHP filter chain patterns and path traversal.
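The allowlist-based template validation recommended above, as an added illustration that is not Kubio's own code: the function name, the `template` request parameter, the templates directory and the allowlist contents are all assumptions. It rejects stream-wrapper prefixes (the `php://filter` class named in the Technical Context) and traversal before the name is ever joined to a path, then confirms the resolved file still lives inside the templates directory.

```php
<?php
// Hypothetical hardened loader (not the plugin's kubio_hybrid_theme_load_template).
// Returns the absolute path of an allowlisted template, or null when the request
// must be rejected. $templates_dir and $allowed are supplied by the caller.
function safe_template_path( string $requested, string $templates_dir, array $allowed ): ?string {
    // 1. Refuse any URL-style scheme (php://, data://, phar://, ...) and NUL bytes.
    if ( preg_match( '#^[a-z][a-z0-9+.\-]*://#i', $requested ) || false !== strpos( $requested, "\0" ) ) {
        return null;
    }
    // 2. Only a bare template name is acceptable: no slashes, no dots, so no "../".
    if ( ! preg_match( '/^[A-Za-z0-9_-]+$/', $requested ) ) {
        return null;
    }
    // 3. Exact membership in the allowlist (strict comparison, no prefix matching).
    if ( ! in_array( $requested, $allowed, true ) ) {
        return null;
    }
    // 4. Defence in depth: the resolved file must sit inside the templates directory.
    $base = realpath( $templates_dir );
    $path = realpath( $templates_dir . DIRECTORY_SEPARATOR . $requested . '.php' );
    if ( false === $base || false === $path || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        return null;
    }
    return $path;
}

// Usage (constructed): include is only reached with a validated, in-directory path.
$allowed = [ 'header', 'footer', 'single' ];           // assumed allowlist
$path    = safe_template_path( (string) ( $_GET['template'] ?? '' ), __DIR__ . '/templates', $allowed );
if ( null === $path ) {
    // wp_die() is WordPress core; a 400 here is also a useful signal for WAF/log monitoring.
    wp_die( 'Invalid template', 'Bad Request', [ 'response' => 400 ] );
}
include $path;
```

Logging the rejected value at step 1 gives the detection hook mentioned in the remediation: a `php://filter/` or `../` prefix in a template parameter is the pattern a WAF rule would match.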