CVE-2025-2294

Kubio AI Page Builder <= 2.5.1 - Unauthenticated Local File Inclusion

Basic Information

CVE State: PUBLISHED
Reserved Date: March 13, 2025
Published Date: March 28, 2025
Last Updated: March 28, 2025
Vendor: extendthemes
Product: Kubio AI Page Builder
Description: The Kubio AI Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.1 via thekubio_hybrid_theme_load_template function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Tags

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

Score: 43.30% (Percentile: 97.37%) as of 2025-07-17

SSVC Information

Exploitation: none
Automatable: Yes
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (2025-06-24 00:00:00 UTC) Source
Proof of Concept Available: Yes (added 2025-04-26 16:59:17 UTC) Source

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/2fb44c6e-520e-4a9f-9987-8b770feb710d?source=cve https://plugins.trac.wordpress.org/browser/kubio/tags/2.5.1/lib/integrations/third-party-themes/editor-hooks.php#L32

Known Exploited Vulnerability Information

Source	Added Date
The Shadowserver (via CIRCL)	2025-06-25 12:00:10 UTC

Scanner Integrations

Scanner	URL	Date Detected
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-2294.yaml	2025-04-26 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

romanedutov/CVE-2025-2294

Type: github • Created: 2025-04-26 16:59:17 UTC • Stars: 0

rhz0d/CVE-2025-2294

Type: github • Created: 2025-04-15 19:27:16 UTC • Stars: 0

Kubio AI Page Builder <= 2.5.1 - Unauthenticated Local File Inclusion

realcodeb0ss/CVE-2025-2294-PoC

Type: github • Created: 2025-04-03 23:00:09 UTC • Stars: 0

CVE-2025-2294 < Wordpress Kubio[Plugin] - Local File Inclusion[LFI].

mrrivaldo/CVE-2025-2294

Type: github • Created: 2025-03-31 11:51:07 UTC • Stars: 0

Nxploited/CVE-2025-2294

Type: github • Created: 2025-03-27 19:09:51 UTC • Stars: 1

Kubio AI Page Builder <= 2.5.1 - Unauthenticated Local File Inclusion

Timeline

CVE ID Reserved

March 13, 2025
CVE Published to Public

March 28, 2025
Detected by Nuclei

April 26, 2025
Proof of Concept Exploit Available

April 26, 2025
Added to KEVIntel

June 25, 2025