CVE-2025-2294
Published 2025-03-28
Priority P193 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 76.76% (99.5th percentile)
The Kubio AI Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.1 via the kubio_hybrid_theme_load_template function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| extendthemes | kubio_ai_page_builder | <= 2.5.1 | — |
Detection & IOCs (extracted from sources)
URL: /?__kubio-site-edit-iframe-preview=1&__kubio-site-edit-iframe-classic-template=../../../../../../../../etc/passwd
yara: body contains "/plugins/kubio" AND URL contains "__kubio-site-edit-iframe-preview=1" AND URL contains "__kubio-site-edit-iframe-classic-template"
- Detect LFI exploitation attempts by monitoring HTTP GET requests containing both query parameters '__kubio-site-edit-iframe-preview=1' and '__kubio-site-edit-iframe-classic-template=' with path traversal sequences (e.g., '../').
- Fingerprint vulnerable installations by checking for the presence of 'wp-content/plugins/kubio/' in HTTP response bodies, as used by the Nuclei template FOFA query.
- Confirm exploitation success by checking if the HTTP 200 response body matches the regex pattern for /etc/passwd content: 'root:.*:0:0:'
- Attackers may probe plugin version via unauthenticated GET to wp-content/plugins/kubio/readme.txt and parse 'Stable tag:' to confirm version <= 2.5.1 before exploiting.
- The vulnerable code path is in the kubio_hybrid_theme_load_template function at editor-hooks.php line 32; monitor PHP include/require calls originating from this function with user-controlled input.
- The vulnerability is unauthenticated — no session, cookie, or authentication token is required to trigger the LFI, making it trivially exploitable at scale.
- All versions up to and including 2.5.1 are affected; the fix is present in version 2.5.2. Ensure plugin version checks in detection logic use <= 2.5.1 as the vulnerable range.
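Detection logic for the log-based check in the first bullet (both query parameters present plus a traversal sequence) and the response-body check in the third bullet, as an added example that is not part of this page's sources; the access-log lines are constructed and the function names are my own:

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (Combined Log Format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Mar/2025:10:01:02 +0000] "GET /?__kubio-site-edit-iframe-preview=1&__kubio-site-edit-iframe-classic-template=../../../../../../../../etc/passwd HTTP/1.1" 200 1832 "-" "curl/8.5.0"
203.0.113.7 - - [28/Mar/2025:10:01:03 +0000] "GET /?__kubio-site-edit-iframe-preview=1&__kubio-site-edit-iframe-classic-template=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1832 "-" "curl/8.5.0"
198.51.100.4 - - [28/Mar/2025:10:02:10 +0000] "GET /?__kubio-site-edit-iframe-preview=1&__kubio-site-edit-iframe-classic-template=homepage HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Mar/2025:10:03:00 +0000] "GET /wp-content/plugins/kubio/readme.txt HTTP/1.1" 200 900 "-" "python-requests/2.31"
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')          # ../ or ..\ anywhere in the template value
PASSWD_RE = re.compile(r'root:.*:0:0:')         # the /etc/passwd marker from the third bullet

def decode_fully(value, rounds=3):
    # Undo repeated percent-encoding (e.g. %252e%252e%252f) before looking for traversal.
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_request(line):
    """Return (ip, status, decoded template value) if the line matches the
    CVE-2025-2294 request pattern from the first bullet, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    qs = parse_qs(urlsplit(m.group('target')).query, keep_blank_values=True)
    if qs.get('__kubio-site-edit-iframe-preview') != ['1']:
        return None
    templates = qs.get('__kubio-site-edit-iframe-classic-template')
    if not templates:
        return None
    template = decode_fully(templates[0])
    if not TRAVERSAL_RE.search(template):
        return None
    return (m.group('ip'), int(m.group('status')), template)

def find_lfi_attempts(log_text):
    # Scan a whole log; benign template names and unrelated requests are skipped.
    return [hit for hit in map(classify_request, log_text.splitlines()) if hit]

def looks_like_passwd(body):
    # Response-side confirmation (needs a proxy/WAF that can see bodies).
    return PASSWD_RE.search(body) is not None
```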
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 CRITICAL
GHSA
GHSA-8fp6-h7xc-pjf2 · ghsa_unreviewed · 2025-03-28 · CVE-2025-2294 [CRITICAL] · CWE-22: The Kubio AI Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.1
VulnCheck
vulncheck · 2025 · CVSS 9.8 · CVE-2025-2294 [CRITICAL]
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Affected: Kubio AI Page Builder
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation Re
No detection rules found.
Exploit-DB
exploitdb · 2025-04-05 · CVSS 9.8 · CVE-2025-2294 [CRITICAL]: Kubio AI Page Builder 2.5.1 - Local File Inclusion (LFI)
---
# Exploit Title: Kubio AI Page Builder <= 2.5.1 - Local File Inclusion (LFI)
# Date: 2025-04-04
# Exploit Author: Sheikh Mohammad Hasan (https://github.com/4m3rr0r)
# Vendor Homepage: https://wordpress.org/plugins/kubio/
# Software Link: https://downloads.wordpress.org/plugin/kubio.2.5.1.zip
# Reference: https://www.cve.org/CVERecord?id=CVE-2025-2294
# Version: <= 2.5.1
# Tested on: WordPress 6.4.2 (Ubuntu 22.04 LTS)
# CVE: CVE-2025-2294
"""
Description:
The Kubio AI Page Builder plugin for WordPress contains a Local File Inclusion vulnerability
in the `kubio_hybrid_theme_load_template` function. This allows unauthenticated attackers to
read arbitrary files via path traversal. Can lead to RCE when combined with file upload ca
Nuclei
nuclei · CVSS 9.8 · CVE-2025-2294 [CRITICAL]: Kubio AI Page Builder <= 2.5.1 - Local File Inclusion
Template:
id: CVE-2025-2294
info:
  name: Kubio AI Page Builder <= 2.5.1 - Local File Inclusion
  author: s4e-io
  severity: critical
  description: |
    The Kubio AI Page Builder plugin for WordPress is vulnerable to Local File Inclusion
No writeups or analysis indexed.