Vulnerability detail
Enriched intelligence for a single CVE
Critical
CVE-2025-2294
PUBLISHEDKubio AI Page Builder <= 2.5.1 - Unauthenticated Local File Inclusion
- Vendor
- extendthemes
- Product
- Kubio AI Page Builder
- Published
- Mar 28, 2025
- EPSS
- —
Description
The Kubio AI Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.1 via thekubio_hybrid_theme_load_template function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
CVSS scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitation status
Proof of concept available
Recorded 2025-04-26 16:59:17 UTC · Source
SSVC decision points
- Exploitation
- none
- Automatable
- Yes
- Technical impact
- total
Known exploited vulnerability sources
Catalogues that list this CVE as a known exploited vulnerability.
| Source | Added |
|---|---|
| The Shadowserver (via CIRCL) | Jun 24, 2025 |
Scanner integrations
| Scanner | Reference | Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-2294.yaml | Apr 25, 2025 |
Potential proof of concepts
These PoCs are unverified and could contain malware. Use at your own risk.
github · Created 2025-04-26 16:59:17 UTC · 0 stars
github · Created 2025-04-15 19:27:16 UTC · 0 stars
Kubio AI Page Builder <= 2.5.1 - Unauthenticated Local File Inclusion
github · Created 2025-04-03 23:00:09 UTC · 0 stars
CVE-2025-2294 < Wordpress Kubio[Plugin] - Local File Inclusion[LFI].
github · Created 2025-03-31 11:51:07 UTC · 0 stars
github · Created 2025-03-27 19:09:51 UTC · 1 stars
Kubio AI Page Builder <= 2.5.1 - Unauthenticated Local File Inclusion
Timeline
-
CVE ID Reserved
-
CVE Published to Public
-
Detected by Nuclei
-
Proof of Concept Exploit Available
-
Added to KEVIntel