Skip to main content

Kubio Ai Page Builder EUVDEUVD-2026-17355

| CVE-2026-34887 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-31 Patchstack GHSA-99wg-6qg5-fg93
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Mar 31, 2026 - 10:45 euvd
EUVD-2026-17355
Analysis Generated
Mar 31, 2026 - 10:45 vuln.today
CVE Published
Mar 31, 2026 - 10:19 nvd
MEDIUM 6.5

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Extend Themes Kubio AI Page Builder allows Stored XSS.This issue affects Kubio AI Page Builder: from n/a through 2.7.0.

AnalysisAI

Stored cross-site scripting (XSS) in Extend Themes Kubio AI Page Builder through version 2.7.0 allows authenticated users to inject malicious scripts that execute in the browsers of other users viewing affected pages. An attacker with user account access can inject unescaped input during page generation, leading to session hijacking, credential theft, or malware distribution. No public exploit code has been identified at the time of analysis.

Technical ContextAI

Kubio AI Page Builder is a WordPress plugin for visual page construction. The vulnerability stems from improper neutralization of user input (CWE-79) during web page generation, meaning user-supplied data is not adequately sanitized or escaped before being rendered in HTML. This is a classic stored XSS vulnerability where malicious payloads persist in the database and are served to subsequent visitors. The plugin processes page builder content without sufficient output encoding, allowing attackers to inject JavaScript that executes in the context of the WordPress site.

RemediationAI

Users of Kubio AI Page Builder should upgrade to a patched version released after 2.7.0. Consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/kubio/vulnerability/wordpress-kubio-ai-page-builder-plugin-2-7-0-cross-site-scripting-xss-vulnerability) for the specific patched version number and update instructions. As an interim measure, site administrators should restrict page builder access to trusted users only, review recent page edits for malicious content, and consider implementing Web Application Firewall (WAF) rules to detect and block XSS payloads.

Share

EUVD-2026-17355 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy