Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
The Kubio plugin for WordPress is vulnerable to Arbitrary File Upload in versions up to and including 2.7.2. This is due to insufficient capability checks in the kubio_rest_pre_insert_import_assets() function, which is hooked to the rest_pre_insert_{post_type} filter for posts, pages, templates, and template parts. When a post is created or updated via the REST API, Kubio parses block attributes looking for URLs in the 'kubio' attribute namespace and automatically imports them via importRemoteFile() without verifying the user has the upload_files capability. This makes it possible for authenticated attackers with Contributor-level access and above to bypass WordPress's normal media upload restrictions and upload files fetched from external URLs to the media library, creating attachment posts in the database.
AnalysisAI
Kubio page builder plugin for WordPress allows authenticated attackers with Contributor-level access to upload arbitrary files from external URLs by bypassing capability checks in the REST API post creation handler. The kubio_rest_pre_insert_import_assets() function automatically imports remote files referenced in block attributes without verifying the user possesses the upload_files capability, violating WordPress's normal media upload restrictions. Affected versions are up to and including 2.7.2; no public exploit code has been identified at the time of analysis.
Technical ContextAI
The vulnerability exists in Kubio's REST API integration, specifically in the kubio_rest_pre_insert_import_assets() hook attached to rest_pre_insert_{post_type} for posts, pages, templates, and template parts. When WordPress processes a REST API request to create or update content, Kubio scans block attributes in the 'kubio' namespace for URLs and automatically invokes importRemoteFile() to fetch and import those files into the media library as attachment posts. The root cause is CWE-862 (Missing Authorization), as the function performs file operations without calling WordPress's is_user_logged_in() check or verifying the user has the upload_files capability via current_user_can('upload_files'). The affected product is identified by CPE cpe:2.3:a:extendthemes:kubio_ai_page_builder, which is the Kubio AI Page Builder plugin maintained by ExtendThemes. The REST API endpoint is the standard WordPress REST API accessible at /wp-json/wp/v2/, meaning attackers need only valid WordPress credentials at Contributor level or higher.
RemediationAI
Update Kubio AI Page Builder to version 2.7.3 or later, which patches the vulnerable kubio_rest_pre_insert_import_assets() function to properly check current_user_can('upload_files') before importing remote files. The patch is available via the WordPress plugin repository (https://plugins.trac.wordpress.org/) and can be applied by navigating to Plugins > Installed Plugins in the WordPress admin dashboard and clicking Update next to Kubio. For sites unable to immediately patch, implement a temporary workaround by restricting REST API access to Contributor and above accounts using a security plugin such as Wordfence or a hardened .htaccess rule limiting POST/PUT requests to /wp-json/wp/v2/posts, /wp-json/wp/v2/pages, /wp-json/wp/v2/wp_template, and /wp-json/wp/v2/wp_template_part endpoints to users with Edit Posts capability. Additionally, audit WordPress user roles and remove Contributor-level access from any accounts that do not require it, as Contributor is the minimum privilege level required for exploitation. Note that disabling the REST API entirely will prevent exploitation but may break other functionality depending on your WordPress configuration.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23358
GHSA-69wp-qf6q-mf28