
A critical vulnerability (CVE-2025-2294) has been identified in the Kubio AI Page Builder plugin for WordPress, affecting all versions up to and including 2.5.1. The flaw, a Local File Inclusion (LFI) vulnerability, allows unauthenticated attackers to include and execute arbitrary files on the server, potentially leading to remote code execution (RCE). With a CVSS score of 9.8, this issue demands immediate attention from administrators and security teams.
**TL;DR**
– **CVE**: CVE-2025-2294
– **Affected**: Kubio AI Page Builder ≤ 2.5.1
– **Risk**: Critical (CVSS 9.8)
– **Exploit**: Unauthenticated LFI via `kubio_hybrid_theme_load_template`
– **Impact**: Arbitrary PHP execution, data theft, access bypass
– **Status**: Actively exploited (PoC available[^1])
– **Action**: Update or disable the plugin immediately.
### Vulnerability Details
The vulnerability stems from improper file path handling in the `kubio_hybrid_theme_load_template` function. Attackers can manipulate parameters to include local files (e.g., `/etc/passwd`) or uploaded “safe” files (e.g., images containing PHP code). This bypasses authentication and can lead to full server compromise.
A proof-of-concept (PoC) exploit is publicly available on GitHub[^1], confirming active exploitation. The flaw is particularly dangerous in shared hosting environments, where cross-site contamination is possible.
### Relevance to Security Teams
– **Red Teams**: Test for LFI weaknesses in staging environments using controlled payloads.
– **Blue Teams**: Monitor logs for unusual file access patterns (e.g., `wp-content/plugins/kubio/*`).
– **SOC Analysts**: Prioritize alerts involving `kubio_hybrid_theme_load_template` in HTTP requests.
### Mitigation Steps
1. **Update**: Upgrade to Kubio AI Page Builder 2.5.2 or later (if patched).
2. **Virtual Patching**: Use WAF rules to block malicious requests (e.g., Wordfence[^2]).
3. **Disable**: Remove the plugin if no patch is available.
4. **Audit**: Check server logs for exploitation attempts (e.g., `include()` calls to unexpected paths).
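The log monitoring suggested for blue teams and SOC analysts above, and the audit step here, can be automated with a small scanner. The following is an added example, not code from the advisory or the plugin: it parses Apache combined-format access-log lines and flags requests that carry the `kubio_hybrid_theme_load_template` name or a path-traversal indicator. The sample log lines are constructed, and placing the function name in a query string is an assumption about request shape, not the real exploit format; the traversal patterns are generic LFI heuristics.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Mar/2025:10:01:02 +0000] "GET /wp-content/plugins/kubio/readme.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [28/Mar/2025:10:01:05 +0000] "GET /?kubio_hybrid_theme_load_template=../../../../etc/passwd HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.12 - - [28/Mar/2025:10:01:09 +0000] "GET /index.php?kubio_hybrid_theme_load_template=..%2F..%2Fwp-content%2Fuploads%2Fimage.png HTTP/1.1" 200 91 "-" "python-requests/2.31"
198.51.100.7 - - [28/Mar/2025:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, method, URL, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicator taken from the advisory: the vulnerable function name appearing in a request.
FUNCTION_MARKER = "kubio_hybrid_theme_load_template"
# Generic LFI heuristics (assumption): traversal sequences and classic target files.
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|/etc/passwd|wp-config\.php)", re.IGNORECASE)


def classify(url):
    """Return the list of reasons a request URL is suspicious (empty if none)."""
    # Decode twice so single- and double-URL-encoded "../" sequences are both caught.
    decoded = unquote(unquote(url))
    reasons = []
    if FUNCTION_MARKER in decoded:
        reasons.append("kubio-template-loader")
    if TRAVERSAL_RE.search(decoded):
        reasons.append("path-traversal")
    return reasons


def scan_log(text):
    """Parse each log line and collect the requests that match at least one indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        reasons = classify(m["url"])
        if reasons:
            findings.append({"ip": m["ip"], "ts": m["ts"], "url": m["url"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], ",".join(f["reasons"]), f["url"])
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents; hits on the function name alone deserve review even without a traversal marker, since the exact malicious request shape is not documented in the advisory.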
### Broader WordPress Threat Landscape
February 2025 saw 335 WordPress vulnerabilities, with 177 unpatched[^3]. High-risk plugins like Elementor and Ultimate Member also faced critical flaws, underscoring the need for rigorous patch management.
### Conclusion
CVE-2025-2294 is a severe threat requiring immediate action. Organizations using Kubio AI Page Builder should prioritize mitigation to prevent compromise. Continuous monitoring and proactive patch management remain essential in defending against such vulnerabilities.
### References
[^1]: “[CVE-2025-2294 PoC on GitHub](https://poc-in-github.motikan2010.net/)”. [Accessed March 28, 2025].
[^2]: “[Wordfence Advisory](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/kubio/kubio-ai-page-builder-251-unauthenticated-local-file-inclusion)”. [Accessed March 28, 2025].
[^3]: “[SolidWP WordPress Vulnerability Report](https://solidwp.com/blog/wordpress-vulnerability-report-february-26-2025/)”. [Accessed March 28, 2025].