
A severe security vulnerability has been identified in the Kubio AI Page Builder plugin for WordPress, posing a significant risk to websites using this popular tool.
What is Kubio?
Kubio is a WordPress website builder known for its innovative block-based approach, designed to extend the functionality of the block editor. It provides users with a range of new blocks and extensive styling options, enabling the creation of websites quickly and easily, without requiring coding knowledge. The plugin boasts over 90,000 active installations, highlighting its widespread use within the WordPress community.
CVE-2025-2294: Unauthenticated Local File Inclusion
The vulnerability, tracked as CVE-2025-2294, is a Local File Inclusion (LFI) flaw present in the Kubio AI Page Builder plugin. This flaw affects all versions of the plugin up to and including 2.5.1.
Security researcher mikemyers has been credited with discovering and reporting this flaw.
Technical Details and Impact
The vulnerability resides within the kubio_hybrid_theme_load_template function. Exploitation of this LFI flaw allows unauthenticated attackers to include and execute arbitrary files already present on the server, which means any PHP code those files contain is run by the web server.
The consequences of this vulnerability are severe. Successful exploitation can lead to:
- Bypassing access controls: Attackers can circumvent security measures designed to restrict access to certain files and directories.
- Obtaining sensitive data: Attackers can gain access to confidential information stored on the server.
- Achieving code execution: Where attackers can first upload a seemingly harmless file, such as an image, that contains PHP code, they can then include it through the flaw and have that code executed.
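To show the defect class behind this advisory, the following is an added illustrative example, not Kubio's code: a template loader in the unsafe shape that produces an LFI, beside a hardened version that only ever maps user input to an allowlisted name and confirms the resolved file stays inside the templates directory. The function names, the templates/ directory and the allowlist entries are assumptions for illustration.

```php
<?php
// Illustrative example, not the plugin's code. Assumes the plugin keeps its
// templates in <plugin dir>/templates/<name>.php and that $name is attacker-
// controlled (for example, taken from a request parameter).

// Unsafe shape of an LFI bug: the user value becomes part of the include path,
// so path traversal or a path to any file the web server can read is possible.
function load_template_unsafe( string $name ): void {
    include __DIR__ . '/templates/' . $name . '.php';
}

// Hardened: user input selects from a fixed allowlist of template names
// and is never used to build a path on its own.
const ALLOWED_TEMPLATES = [ 'header', 'footer', 'single', 'archive' ]; // assumed names

function resolve_template( string $name ): ?string {
    if ( ! in_array( $name, ALLOWED_TEMPLATES, true ) ) {
        return null; // unknown template name: refuse rather than guess
    }
    $base = realpath( __DIR__ . '/templates' );
    $path = realpath( $base . '/' . $name . '.php' );
    // Defence in depth: the resolved file must exist and sit inside the
    // templates directory, even though the allowlist already guarantees it.
    if ( $base === false || $path === false
        || strpos( $path, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        return null;
    }
    return $path;
}

function load_template_safe( string $name ): bool {
    $path = resolve_template( $name );
    if ( $path === null ) {
        return false; // caller decides how to handle a rejected template
    }
    include $path;
    return true;
}
```

Reviewing a plugin for this bug class means looking for include/require calls whose path is derived from request data without an allowlist or a realpath containment check of the kind shown above.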
Severity
The vulnerability has been assigned a critical CVSS score of 9.8, emphasizing its high severity and the potential for widespread damage.
Mitigation
The vulnerability is fixed in version 2.5.2 of the plugin. Users of the Kubio AI Page Builder plugin are strongly advised to update to version 2.5.2 or later immediately to protect their websites from potential attacks.