CVE-2025-2294 in Kubio AI Page Builder Plugin
Summary
by MITRE • 03/28/2025
The Kubio AI Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.1 via the kubio_hybrid_theme_load_template function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Analysis
by VulDB Data Team • 04/06/2025
The Kubio AI Page Builder plugin for WordPress is a widely used visual editor for building and managing site content, hooked deeply into WordPress core and offering extensive customization for site builders. Versions up to and including 2.5.1 contain a critical flaw in the way file paths are validated and sanitized during template loading. The vulnerability sits in the kubio_hybrid_theme_load_template function, which processes template inclusion requests without adequate input validation.
The technical flaw is improper handling of a user-supplied template name. When kubio_hybrid_theme_load_template receives a file path from the request, it performs no sanitization or validation before passing that value to a PHP file-inclusion call, so an attacker can redirect it to any file the web server process can read. Because PHP's include mechanism executes whatever PHP code a file contains and echoes everything else, this is a classic local file inclusion: files already on disk can be executed or disclosed. The function is reachable without authentication, so any remote client that can reach the WordPress installation can trigger it.
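The following Python is an added illustration, not the plugin's code (the page does not reproduce the plugin's template-loading logic), of the flawed pattern next to the check a fix needs: a bare file name, a required .php suffix, rejection of null bytes and stream wrappers, and canonicalisation of the result against an allowlisted directory. The directory tree and the attacker inputs are constructed for the demo; the template directory and file names are assumptions.

```python
import os
import shutil
import tempfile
from pathlib import Path


class TemplateError(ValueError):
    """Raised when a requested template name is rejected."""


def vulnerable_template_path(template_dir: str, requested: str) -> str:
    # Model of the flawed pattern: an attacker-controlled name is joined onto the
    # template directory and handed straight to include(). "../" sequences,
    # null bytes and stream wrappers all pass through untouched.
    return os.path.join(template_dir, requested)


def safe_template_path(template_dir: str, requested: str) -> str:
    # 1. Refuse null bytes (classic extension-check bypass) and anything that
    #    looks like a stream wrapper (php://, data:, ...) before touching disk.
    if "\x00" in requested or "://" in requested or requested.lower().startswith("data:"):
        raise TemplateError("null byte or stream wrapper in template name")
    # 2. Only a bare file name is acceptable: no directory separators at all,
    #    so "../x" and "/etc/passwd" are rejected outright.
    if requested in ("", ".", "..") or "/" in requested or "\\" in requested:
        raise TemplateError("directory component in template name")
    # 3. Templates are PHP files; anything else (e.g. an uploaded .png) is refused.
    if not requested.endswith(".php"):
        raise TemplateError("template must be a .php file")
    # 4. Canonicalise both sides and require the result to stay inside the
    #    allowlisted directory. This also catches symlinks planted inside it.
    base = os.path.realpath(template_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        raise TemplateError("template escapes the template directory")
    if not os.path.isfile(candidate):
        raise TemplateError("no such template")
    return candidate


# Inputs an attacker might send; all are constructed for this example.
ATTACK_INPUTS = [
    "../wp-config.php",
    "../../../../etc/passwd",
    "php://filter/convert.base64-encode/resource=wp-config.php",
    "header.php\x00.png",
    "../templates/header.php",
    "uploads/shell.png",
]


def demo() -> dict:
    """Build a throwaway tree, run both resolvers over it and report the outcome."""
    root = Path(tempfile.mkdtemp(prefix="lfi-demo-"))
    templates = root / "templates"          # assumed template directory
    templates.mkdir()
    (templates / "header.php").write_text("<?php echo 'header'; ?>\n")
    # Stands in for a sensitive file outside the template directory.
    secret = root / "wp-config.php"
    secret.write_text("<?php define('DB_PASSWORD', 'example-only'); ?>\n")
    try:
        vulnerable = os.path.realpath(
            vulnerable_template_path(str(templates), "../wp-config.php")
        )
        rejected = {}
        for bad in ATTACK_INPUTS:
            try:
                safe_template_path(str(templates), bad)
                rejected[bad] = False
            except TemplateError:
                rejected[bad] = True
        return {
            # The unchecked join walks out of the template directory.
            "vulnerable_resolves_to_secret": vulnerable == str(secret.resolve()),
            # The hardened resolver still serves the legitimate template ...
            "safe_allows_valid": safe_template_path(str(templates), "header.php")
            == str((templates / "header.php").resolve()),
            # ... and refuses every attack input.
            "rejected": rejected,
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Steps 1 to 3 are the cheap syntactic checks; step 4 is the one that matters if the first three are ever loosened, because realpath() plus a prefix comparison holds even when the name contains a symlink or an encoded separator the earlier checks did not anticipate. A PHP fix would do the same with realpath(), basename() and a directory allowlist.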
The operational impact goes beyond executing code that already exists on the server. On its own, the LFI lets an attacker execute any existing PHP file and read the contents of non-PHP files, which is enough to bypass access controls and reach sensitive system resources. It becomes full remote code execution when combined with an upload primitive: a file that passes as a "safe" type such as an image, but carries PHP in its body, can be uploaded and then referenced through the vulnerable function, at which point its payload runs with the privileges of the web server process. From there an attacker can plant persistent backdoors, exfiltrate database credentials, or stage further malware inside the WordPress environment.
Mitigation starts with updating the plugin to a release later than 2.5.1, which addresses the flaw with proper validation and sanitization of the template path. Web application firewalls and network intrusion detection should be tuned for file-inclusion indicators in request parameters: traversal sequences (including percent- and double-encoded forms), null bytes, PHP stream wrappers such as php://, and references to wp-config.php or /etc/passwd. Sites that accept image uploads should verify that uploaded content matches the claimed type and should deny PHP execution under wp-content/uploads, since that upload path is what turns this LFI into remote code execution. The weakness is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory); CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) describes the PHP include case specifically. In ATT&CK terms, exploitation is T1190 (Exploit Public-Facing Application); a web shell dropped through the included file is T1505.003 (Server Software Component: Web Shell); and database or administrative credentials harvested from the compromised host can subsequently be used as T1078 (Valid Accounts). The attacker's code runs with the privileges of the web server process, so least privilege on that account (read-only code directories, no write access outside the uploads tree) limits the blast radius. Keep all WordPress plugins current, as known vulnerabilities in them are routinely exploited.
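As an added example of the detection side, not code from the plugin or from VulDB, the following Python scans web-server access-log lines for the file-inclusion indicators listed above. The log lines are constructed for the demo and the query parameter name "template" is a hypothetical placeholder (the page does not name the vulnerable parameter); the scanner therefore checks every query value and the request path rather than one fixed parameter.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache/nginx combined-log prefix; only the client IP, request target and
# status are used here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

TRAVERSAL = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')
WRAPPER = re.compile(r'^(?:php|phar|expect|zip|glob|file)://|^data:', re.IGNORECASE)
SENSITIVE = re.compile(r'/etc/(?:passwd|shadow)|/proc/self/|wp-config\.php', re.IGNORECASE)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding; double encoding is a common filter bypass."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_reasons(value: str) -> list:
    """Return the LFI indicators present in one decoded parameter value."""
    v = fully_decode(value)
    reasons = []
    if "\x00" in v:
        reasons.append("null-byte")
    if TRAVERSAL.search(v):
        reasons.append("traversal")
    if WRAPPER.search(v):
        reasons.append("stream-wrapper")
    if SENSITIVE.search(v):
        reasons.append("sensitive-path")
    return reasons


def scan_log(lines) -> list:
    """Parse each log line and flag the path or any query value carrying an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        # parse_qsl already percent-decodes once; fully_decode handles extra rounds.
        candidates = [("<path>", parts.path)] + parse_qsl(parts.query, keep_blank_values=True)
        for name, value in candidates:
            reasons = suspicious_reasons(value)
            if reasons:
                hits.append({
                    "ip": m["ip"],
                    "status": int(m["status"]),
                    "param": name,
                    "value": fully_decode(value),
                    "reasons": reasons,
                })
    return hits


# Constructed sample: two benign requests, then four probes from one client.
SAMPLE_LOG = [
    '203.0.113.10 - - [28/Mar/2025:10:14:02 +0000] "GET /index.php?template=header.php HTTP/1.1" 200 5123',
    '203.0.113.10 - - [28/Mar/2025:10:14:05 +0000] "GET /wp-content/uploads/2025/03/logo.png HTTP/1.1" 200 8810',
    '198.51.100.7 - - [28/Mar/2025:10:15:11 +0000] "GET /index.php?template=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1432',
    '198.51.100.7 - - [28/Mar/2025:10:15:13 +0000] "GET /index.php?template=..%252F..%252F..%252Fwp-config.php HTTP/1.1" 200 2904',
    '198.51.100.7 - - [28/Mar/2025:10:15:20 +0000] "GET /index.php?template=php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3Dwp-config.php HTTP/1.1" 200 3990',
    '198.51.100.7 - - [28/Mar/2025:10:15:31 +0000] "GET /index.php?template=..%2Fwp-content%2Fuploads%2F2025%2F03%2Fshell.png%00.php HTTP/1.1" 200 77',
]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["param"]}={hit["value"]!r} -> {", ".join(hit["reasons"])}')
```

The fourth sample line shows why decoding must be repeated: a single-decode rule sees `..%2F..%2F` and never matches `../`. The last line pairs a traversal with a null byte and an image-named file under the uploads tree, which is the upload-then-include chain the analysis describes; a 200 status on such a request is the signal worth paging on.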