cbcvebase.
CVE-2025-2294
published 2025-03-28


Priority: P193 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 76.76% (99.5th percentile)
The Kubio AI Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.1 via the kubio_hybrid_theme_load_template function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

Affected

1 range

Vendor          Product                  Version range   Fixed in
extendthemes    kubio_ai_page_builder    <= 2.5.1        -

Detection & IOCs (extracted from sources)

url:   /?__kubio-site-edit-iframe-preview=1&__kubio-site-edit-iframe-classic-template=../../../../../../../../etc/passwd
path:  wp-content/plugins/kubio/readme.txt
path:  wp-content/plugins/kubio/lib/integrations/third-party-themes/editor-hooks.php
other: __kubio-site-edit-iframe-preview=1
yara:  body contains "/plugins/kubio" AND URL contains "__kubio-site-edit-iframe-preview=1" AND URL contains "__kubio-site-edit-iframe-classic-template"
  • Detect LFI exploitation attempts by monitoring HTTP GET requests that carry both query parameters, '__kubio-site-edit-iframe-preview=1' and '__kubio-site-edit-iframe-classic-template=', with path traversal sequences (e.g., '../') in the template value.
  • Fingerprint vulnerable installations by checking for the presence of 'wp-content/plugins/kubio/' in HTTP response bodies, as the Nuclei template's FOFA query does.
  • Confirm exploitation success by checking whether an HTTP 200 response body matches the regex pattern for /etc/passwd content: 'root:.*:0:0:'
  • Attackers may probe the plugin version via an unauthenticated GET to wp-content/plugins/kubio/readme.txt and parse 'Stable tag:' to confirm a version <= 2.5.1 before exploiting.
  • The vulnerable code path is the kubio_hybrid_theme_load_template function at editor-hooks.php line 32; monitor PHP include/require calls originating from this function with user-controlled input.
  • The vulnerability is unauthenticated — no session, cookie, or authentication token is required to trigger the LFI, making it trivially exploitable at scale.
  • All versions up to and including 2.5.1 are affected; the fix is present in version 2.5.2. Ensure plugin version checks in detection logic use <= 2.5.1 as the vulnerable range.
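As an added example (not from this database entry, the Nuclei template, or the plugin's own code), a Python log scan implementing the first detection bullet above: it parses access-log lines, requires both query parameters, percent-decodes the template value repeatedly so encoded and double-encoded traversal is seen, and flags traversal sequences. The log lines and client addresses are constructed; the parameter names are the ones given in this entry.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Query parameter names from the CVE-2025-2294 detection guidance.
PREVIEW_PARAM = "__kubio-site-edit-iframe-preview"
TEMPLATE_PARAM = "__kubio-site-edit-iframe-classic-template"
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
# Combined/common log format: client, method, request URI, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample log: plain traversal, double-encoded traversal, benign use, version probe.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Mar/2025:10:01:02 +0000] "GET /?__kubio-site-edit-iframe-preview=1&__kubio-site-edit-iframe-classic-template=../../../../../../../../etc/passwd HTTP/1.1" 200 1843',
    '203.0.113.7 - - [28/Mar/2025:10:01:05 +0000] "GET /?__kubio-site-edit-iframe-preview=1&__kubio-site-edit-iframe-classic-template=..%252f..%252fetc/passwd HTTP/1.1" 200 1843',
    '198.51.100.4 - - [28/Mar/2025:10:02:00 +0000] "GET /?__kubio-site-edit-iframe-preview=1&__kubio-site-edit-iframe-classic-template=single HTTP/1.1" 200 9210',
    '198.51.100.9 - - [28/Mar/2025:10:03:00 +0000] "GET /wp-content/plugins/kubio/readme.txt HTTP/1.1" 200 512',
]

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so ..%2f and %252e%252e%252f both surface as traversal."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_request(uri):
    """Return a finding if the URI matches the CVE-2025-2294 request shape, else None."""
    qs = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    if qs.get(PREVIEW_PARAM) != ["1"] or TEMPLATE_PARAM not in qs:
        return None
    template = decode_fully(qs[TEMPLATE_PARAM][0])
    return {"template": template, "traversal": bool(TRAVERSAL.search(template))}

def scan_log(lines):
    """Return (ip, status, decoded template, traversal?) for each matching request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = classify_request(m["uri"])
        if hit:
            findings.append((m["ip"], int(m["status"]), hit["template"], hit["traversal"]))
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Requests that carry both parameters but no traversal are still returned (with traversal False) so they can be baselined separately from exploitation attempts.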

CVSS provenance

nvd: v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL