Skip to main content

WordPress CVE-2026-5427

| EUVDEUVD-2026-23358 MEDIUM
Missing Authorization (CWE-862)
2026-04-17 Wordfence GHSA-69wp-qf6q-mf28
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 17, 2026 - 04:41 vuln.today
EUVD ID Assigned
Apr 17, 2026 - 04:30 euvd
EUVD-2026-23358
Analysis Generated
Apr 17, 2026 - 04:30 vuln.today
CVE Published
Apr 17, 2026 - 03:36 nvd
MEDIUM 5.3

DescriptionCVE.org

The Kubio plugin for WordPress is vulnerable to Arbitrary File Upload in versions up to and including 2.7.2. This is due to insufficient capability checks in the kubio_rest_pre_insert_import_assets() function, which is hooked to the rest_pre_insert_{post_type} filter for posts, pages, templates, and template parts. When a post is created or updated via the REST API, Kubio parses block attributes looking for URLs in the 'kubio' attribute namespace and automatically imports them via importRemoteFile() without verifying the user has the upload_files capability. This makes it possible for authenticated attackers with Contributor-level access and above to bypass WordPress's normal media upload restrictions and upload files fetched from external URLs to the media library, creating attachment posts in the database.

AnalysisAI

Kubio page builder plugin for WordPress allows authenticated attackers with Contributor-level access to upload arbitrary files from external URLs by bypassing capability checks in the REST API post creation handler. The kubio_rest_pre_insert_import_assets() function automatically imports remote files referenced in block attributes without verifying the user possesses the upload_files capability, violating WordPress's normal media upload restrictions. Affected versions are up to and including 2.7.2; no public exploit code has been identified at the time of analysis.

Technical ContextAI

The vulnerability exists in Kubio's REST API integration, specifically in the kubio_rest_pre_insert_import_assets() hook attached to rest_pre_insert_{post_type} for posts, pages, templates, and template parts. When WordPress processes a REST API request to create or update content, Kubio scans block attributes in the 'kubio' namespace for URLs and automatically invokes importRemoteFile() to fetch and import those files into the media library as attachment posts. The root cause is CWE-862 (Missing Authorization), as the function performs file operations without calling WordPress's is_user_logged_in() check or verifying the user has the upload_files capability via current_user_can('upload_files'). The affected product is identified by CPE cpe:2.3:a:extendthemes:kubio_ai_page_builder, which is the Kubio AI Page Builder plugin maintained by ExtendThemes. The REST API endpoint is the standard WordPress REST API accessible at /wp-json/wp/v2/, meaning attackers need only valid WordPress credentials at Contributor level or higher.

RemediationAI

Update Kubio AI Page Builder to version 2.7.3 or later, which patches the vulnerable kubio_rest_pre_insert_import_assets() function to properly check current_user_can('upload_files') before importing remote files. The patch is available via the WordPress plugin repository (https://plugins.trac.wordpress.org/) and can be applied by navigating to Plugins > Installed Plugins in the WordPress admin dashboard and clicking Update next to Kubio. For sites unable to immediately patch, implement a temporary workaround by restricting REST API access to Contributor and above accounts using a security plugin such as Wordfence or a hardened .htaccess rule limiting POST/PUT requests to /wp-json/wp/v2/posts, /wp-json/wp/v2/pages, /wp-json/wp/v2/wp_template, and /wp-json/wp/v2/wp_template_part endpoints to users with Edit Posts capability. Additionally, audit WordPress user roles and remove Contributor-level access from any accounts that do not require it, as Contributor is the minimum privilege level required for exploitation. Note that disabling the REST API entirely will prevent exploitation but may break other functionality depending on your WordPress configuration.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2026-5427 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy