Arbitrary File Upload Vulnerability in Kubio Plugin for WordPress
CVE-2026-5427

5.3MEDIUM

Key Information:

Vendor: WordPress
Status: Kubio Ai Page Builder
Vendor: CVE Published:; 17 April 2026

What is CVE-2026-5427?

The Kubio plugin for WordPress is exposed to an Arbitrary File Upload vulnerability caused by the absence of adequate capability checks within the kubio_rest_pre_insert_import_assets() function. This flaw allows authenticated users with Contributor-level access and higher to upload files retrieved from external URLs directly to the media library via the REST API, circumventing the standard media upload controls. This could lead to unauthorized file storage and potential further exploitation if sensitive files are uploaded.

Affected Version(s)

Kubio AI Page Builder 0 <= 2.7.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/kubio/trunk/li...

https://plugins.trac.wordpress.org/browser/kubio/tags/2.7...

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 17, 2026
Vulnerability Reserved
Apr 2, 2026

Credit

SeungRyeol Baek

CVE-2026-5427 Data

JSON