CVE-2025-2294 Scanner

CVE-2025-2294 Scanner - Local File Inclusion vulnerability in Kubio AI Page Builder

Short Info

Level: Critical
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 10 days 5 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -

Kubio AI Page Builder is a popular WordPress plugin used for building custom pages with drag-and-drop functionality. It provides users with the ability to create complex, visually appealing web pages without writing code. The plugin allows seamless integration with various WordPress themes and plugins. Kubio's flexible design tools and AI-based features make it an attractive choice for website developers and businesses. It is particularly useful for creating e-commerce sites, blogs, and personal websites. However, like many plugins, it requires secure configurations to avoid vulnerabilities such as local file inclusion (LFI).

The vulnerability in Kubio AI Page Builder allows unauthenticated attackers to abuse the `thekubio_hybrid_theme_load_template` function to perform Local File Inclusion (LFI) attacks. The flaw exists in versions up to and including 2.5.1. By manipulating a URL, an attacker can cause the server to include arbitrary files, including system files, which can lead to the execution of arbitrary PHP code on the server. The vulnerability is serious because it allows remote attackers to bypass access controls and execute arbitrary code without any authentication.

The issue is caused by improper handling of user-supplied input within the `thekubio_hybrid_theme_load_template` function. An attacker can craft a request with a specially constructed URL containing the path to a sensitive system file, such as `/etc/passwd`. The server processes the request and includes the file, potentially executing PHP code embedded in that file. As a result, attackers can gain access to sensitive information or even execute arbitrary commands on the server, leading to a full system compromise. The vulnerability is present in all versions of the plugin up to and including 2.5.1, and has been fixed in version 2.5.2.
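The root cause described above is a template loader that passes a user-supplied value to `include` without validating it. The following PHP is an added illustration of that pattern next to a hardened version; it is not Kubio's code, and the function names, the `$template` parameter and the template directory layout are assumptions made for the example. The hardened resolver returns the canonical path it would include, or `null` when it rejects the request, so the decision can be logged and checked.

```php
<?php
// Added example (not the plugin's code): an unsafe template loader beside a
// hardened one. load_template_unsafe(), resolve_template() and the
// $base_dir layout are assumptions for illustration only.

// UNSAFE: the user-controlled value reaches include() unchanged, so a
// traversal sequence or an absolute path selects any readable file on disk.
function load_template_unsafe(string $template): void {
    include $template;
}

// HARDENED: accept only a plain file name, resolve it under the allowed
// template directory, and confirm the resolved path is still inside it.
// Returns the canonical path to include, or null when the request is rejected.
function resolve_template(string $template, string $base_dir): ?string {
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }
    // Plain names only: no separators, no "..", no NUL bytes, fixed extension.
    // \z (not $) so a trailing newline cannot slip past the anchor.
    if (!preg_match('/^[A-Za-z0-9_-]+\.php\z/', $template)) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $template);
    if ($candidate === false) {
        return null; // file does not exist
    }
    // Defense in depth: even after the regex, require containment in $base.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

function load_template_safe(string $template, string $base_dir): bool {
    $path = resolve_template($template, $base_dir);
    if ($path === null) {
        // Rejected requests are a useful detection signal for the site owner.
        error_log('template request rejected: ' . $template);
        return false;
    }
    include $path;
    return true;
}

// Demonstration with a constructed template directory under the system temp dir.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi-demo-' . getmypid();
$tpl_dir = $base . DIRECTORY_SEPARATOR . 'templates';
mkdir($tpl_dir, 0700, true);
file_put_contents($tpl_dir . DIRECTORY_SEPARATOR . 'home.php', '<?php echo "home template\n";');

// Constructed inputs: one legitimate name and three shapes the resolver must refuse.
$cases = ['home.php', '../../../../etc/passwd', '/etc/passwd', "home.php\0.txt"];
foreach ($cases as $c) {
    $r = resolve_template($c, $tpl_dir);
    echo str_pad(addcslashes($c, "\0"), 28) . ' => ' . ($r === null ? 'REJECTED' : 'OK') . "\n";
}
load_template_safe('home.php', $tpl_dir);

// Clean up the constructed directory.
unlink($tpl_dir . DIRECTORY_SEPARATOR . 'home.php');
rmdir($tpl_dir);
rmdir($base);
```

In a real WordPress plugin the same containment check can lean on core's `validate_file()`, which returns a non-zero code for names containing `../`, Windows drive prefixes or leading slashes; the regex plus `realpath` comparison above is the portable form of that rule and also pins the extension, so only files the plugin shipped as templates can ever be included.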

If exploited, the Local File Inclusion vulnerability could allow attackers to execute arbitrary PHP code on the server, leading to unauthorized access to sensitive data such as system configurations or user credentials. Attackers could also use the LFI to gain deeper access into the system, bypass access controls, or escalate their privileges. Because arbitrary code execution is possible and the attack can be performed remotely without authentication, this vulnerability is critical for systems running unpatched versions of Kubio AI Page Builder.
