Local File Inclusion Vulnerability in Kubio AI Page Builder for WordPress
CVE-2025-2294
Key Information:
- Vendor: Extendthemes
- Product: Kubio AI Page Builder
- CVE Published: 28 March 2025
What is CVE-2025-2294?
CVE-2025-2294 is a critical vulnerability identified in the Kubio AI Page Builder plugin for WordPress, developed by Extendthemes. This vulnerability allows unauthenticated attackers to execute arbitrary files on the server due to a Local File Inclusion (LFI) flaw present in all versions up to 2.5.1. The implications of this vulnerability are particularly concerning, as it could enable attackers to bypass access controls, gain unauthorized access to sensitive information, and execute potentially malicious PHP code. Organizations utilizing this plugin may face significant risk to their data integrity and overall system security if they do not address the vulnerability promptly.
Technical Details
The vulnerability arises from improper handling of file inclusions within the kubio_hybrid_theme_load_template function. It allows unauthenticated attackers to include and execute arbitrary files residing on the server. Because the flaw affects all versions of the plugin up to and including 2.5.1, sites that have not updated are particularly susceptible to exploitation. Attackers can take advantage of this vulnerability to include files that they control, leading to serious security risks, including remote code execution.
Potential Impact of CVE-2025-2294
- Unauthorized Access to Sensitive Data: Exploiting this vulnerability could allow attackers to access files on the server that may contain sensitive user data, configuration files, or other critical information, potentially leading to data leaks and breaches.
- Execution of Malicious Code: The ability to include arbitrary files means attackers can execute malicious PHP scripts on the server. This can lead to full system takeover, where an attacker could manipulate the website, install malware, or launch further attacks on other associated systems.
- Bypassing Security Controls: The LFI vulnerability enables attackers to bypass existing security measures and access control mechanisms. This undermines the overall security posture of affected WordPress installations, making them prime targets for further exploitation or recurring attacks.
Affected Version(s)
Kubio AI Page Builder * <= 2.5.1
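To check a host against the affected range above, the following added example (not part of the original advisory or the plugin's code) reads the WordPress plugin headers under wp-content/plugins and reports any plugin whose name contains "Kubio" at version 2.5.1 or lower. The fixture directory and file names are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = (2, 5, 1)  # page: all versions up to and including 2.5.1
HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)\s*$", re.M | re.I)

def parse_version(text):
    """Turn '2.5' or '2.5.1-beta' into a comparable tuple, or None."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        return None
    parts = [int(p) for p in m.group().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # pad so 2.5 == 2.5.0

def read_header(php_file):
    """Return lower-cased header fields from the first 8 KB of a plugin file."""
    head = php_file.read_text(errors="replace")[:8192]
    return {k.lower(): v for k, v in HEADER_RE.findall(head)}

def find_vulnerable(wp_root):
    """List (plugin_dir, version) for Kubio plugins at or below 2.5.1."""
    hits = []
    for php in sorted(Path(wp_root).glob("wp-content/plugins/*/*.php")):
        hdr = read_header(php)
        if "kubio" not in hdr.get("plugin name", "").lower():
            continue
        ver = parse_version(hdr.get("version", ""))
        # An unparseable version is reported too, so it gets a manual look.
        if ver is None or ver <= LAST_AFFECTED:
            hits.append((str(php.parent), hdr.get("version", "unknown")))
    return hits

def build_sample_site(root, version):
    """Constructed fixture: a fake plugin directory holding only a header."""
    plugin = Path(root) / "wp-content" / "plugins" / "kubio-fixture"
    plugin.mkdir(parents=True)
    (plugin / "plugin.php").write_text(
        "<?php\n/**\n * Plugin Name: Kubio AI Page Builder\n"
        f" * Version: {version}\n */\n")
    return root

if __name__ == "__main__":
    for v in ("2.5.1", "2.5.2"):  # constructed sample versions
        with tempfile.TemporaryDirectory() as tmp:
            print(v, find_vulnerable(build_sample_site(tmp, v)))
```

Point find_vulnerable at the WordPress document root of each site to audit; an empty list means no matching plugin in the affected range was found there.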
News Articles
CVE-2025-2294
The Kubio AI Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.1 via the kubio_hybrid_theme_load_template function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the e...
2 days ago

CVE-2025-2294 ExtendThemes Kubio AI Page Builder Plugin file inclusion
A vulnerability was found in ExtendThemes Kubio AI Page Builder Plugin up to 2.5.1 on WordPress and classified as critical. The identification of this vulnerability is CVE-2025-2294.
1 week ago
EPSS Score
32% chance of being exploited in the next 30 days.
Timeline
- Vulnerability started trending
- Vulnerability published
- Exploit known to exist
- First article discovered by VulDB
- Vulnerability Reserved