CVE-2025-2294 Scanner

Kubio AI Page Builder is a popular WordPress plugin used for building custom pages with drag-and-drop functionality. It provides users with the ability to create complex, visually appealing web pages without writing code. The plugin allows seamless integration with various WordPress themes and plugins. Kubio's flexible design tools and AI-based features make it an attractive choice for website developers and businesses. It is particularly useful for creating e-commerce sites, blogs, and personal websites. However, like many plugins, it requires secure configurations to avoid vulnerabilities such as local file inclusion (LFI).

The vulnerability in Kubio AI Page Builder allows unauthenticated attackers to exploit the `thekubio_hybrid_theme_load_template` function, enabling them to perform Local File Inclusion (LFI) attacks. This flaw exists in versions up to and including 2.5.1. An attacker can manipulate a URL to include arbitrary files, such as system files, by exploiting the LFI vulnerability. This can lead to the execution of arbitrary PHP code on the server. The vulnerability is serious as it allows remote attackers to bypass access controls and execute arbitrary code without needing any authentication.

The issue is caused by improper handling of user-supplied input within the `thekubio_hybrid_theme_load_template` function. An attacker can craft a request with a specially constructed URL containing the path to a sensitive system file, such as `/etc/passwd`. The server processes the request and includes the file, potentially executing PHP code embedded in that file. As a result, attackers can gain access to sensitive information or even execute arbitrary commands on the server, leading to a full system compromise. The vulnerability is present in all versions of the plugin up to and including 2.5.1, and has been fixed in version 2.5.2.

If exploited, the Local File Inclusion vulnerability could allow attackers to execute arbitrary PHP code on the server. This could lead to unauthorized access to sensitive data, such as system configurations or user credentials. Furthermore, attackers could use the LFI to gain deeper access into the system, bypass access controls, or even escalate their privileges. The ability to execute arbitrary code makes this vulnerability critical for systems that are running unpatched versions of Kubio AI Page Builder. Additionally, since the attack can be performed remotely without authentication, it is highly exploitable by attackers.

REFERENCES

• https://github.com/Nxploited/CVE-2025-2294
• https://plugins.trac.wordpress.org/browser/kubio/tags/2.5.1/lib/integrations/third-party-themes/editor-hooks.php#L32
• https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/kubio/kubio-ai-page-builder-251-unauthenticated-local-file-inclusion