Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Extend Themes Kubio AI Page Builder allows Stored XSS.This issue affects Kubio AI Page Builder: from n/a through 2.7.0.
AnalysisAI
Stored cross-site scripting (XSS) in Extend Themes Kubio AI Page Builder through version 2.7.0 allows authenticated users to inject malicious scripts that execute in the browsers of other users viewing affected pages. An attacker with user account access can inject unescaped input during page generation, leading to session hijacking, credential theft, or malware distribution. No public exploit code has been identified at the time of analysis.
Technical ContextAI
Kubio AI Page Builder is a WordPress plugin for visual page construction. The vulnerability stems from improper neutralization of user input (CWE-79) during web page generation, meaning user-supplied data is not adequately sanitized or escaped before being rendered in HTML. This is a classic stored XSS vulnerability where malicious payloads persist in the database and are served to subsequent visitors. The plugin processes page builder content without sufficient output encoding, allowing attackers to inject JavaScript that executes in the context of the WordPress site.
RemediationAI
Users of Kubio AI Page Builder should upgrade to a patched version released after 2.7.0. Consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/kubio/vulnerability/wordpress-kubio-ai-page-builder-plugin-2-7-0-cross-site-scripting-xss-vulnerability) for the specific patched version number and update instructions. As an interim measure, site administrators should restrict page builder access to trusted users only, review recent page edits for malicious content, and consider implementing Web Application Firewall (WAF) rules to detect and block XSS payloads.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17355
GHSA-99wg-6qg5-fg93