CVE-2025-2294

Kubio AI Page Builder <= 2.5.1 - Unauthenticated Local File Inclusion

Basic Information

CVE State
PUBLISHED
Reserved Date
March 13, 2025
Published Date
March 28, 2025
Last Updated
March 28, 2025
Vendor
extendthemes
Product
Kubio AI Page Builder
Description
The Kubio AI Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.1 via the kubio_hybrid_theme_load_template function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Tags
wordpress php nuclei_scanner

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

Score
43.30% (Percentile: 97.37%) as of 2025-07-17

SSVC Information

Exploitation
none
Automatable
Yes
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2025-06-24 00:00:00 UTC)
Proof of Concept Available
Yes (added 2025-04-26 16:59:17 UTC)

Known Exploited Vulnerability Information

Source Added Date
The Shadowserver (via CIRCL) 2025-06-25 12:00:10 UTC

Scanner Integrations

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

romanedutov/CVE-2025-2294

Type: github • Created: 2025-04-26 16:59:17 UTC • Stars: 0

rhz0d/CVE-2025-2294

Type: github • Created: 2025-04-15 19:27:16 UTC • Stars: 0

Kubio AI Page Builder <= 2.5.1 - Unauthenticated Local File Inclusion

realcodeb0ss/CVE-2025-2294-PoC

Type: github • Created: 2025-04-03 23:00:09 UTC • Stars: 0

CVE-2025-2294 < Wordpress Kubio[Plugin] - Local File Inclusion[LFI].

mrrivaldo/CVE-2025-2294

Type: github • Created: 2025-03-31 11:51:07 UTC • Stars: 0

Nxploited/CVE-2025-2294

Type: github • Created: 2025-03-27 19:09:51 UTC • Stars: 1

Kubio AI Page Builder <= 2.5.1 - Unauthenticated Local File Inclusion

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Detected by Nuclei

  • Proof of Concept Exploit Available

  • Added to KEVIntel