Cyber Resilience

CVE-2025-2294

Severity: Critical
Published: 28 March 2025
Modified: 15 April 2026
KEV Added: none (not listed in the CISA KEV catalog)
CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.6966 (98.7th percentile)
Risk Priority: 61 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-2294 is a critical-severity path traversal (CWE-22) vulnerability affecting WordPress (the affected product is inferred from the references; NVD filed no CPE). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.3% of all CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog.

This vulnerability is classified as AI-related (AI category: Other Platforms; risk domain: Supply Chain and Deployment); the classifier matched the keyword "ai" in the affected plugin's name.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The Kubio AI Page Builder plugin for WordPress is vulnerable to local file inclusion in all versions through 2.5.1. The flaw exists in the kubio_hybrid_theme_load_template function and permits inclusion and execution of arbitrary server-side files, resulting in PHP code execution. The issue carries a CVSS 3.1 score of 9.8 and is tracked as CWE-22.

Unauthenticated attackers with network access to the site can exploit the vulnerability to bypass access controls, read sensitive data, or obtain code execution on the host, the last whenever they can place PHP content inside a file that the application will subsequently include, such as an uploaded image.

Public references hosted by Wordfence and the WordPress plugin repository document the affected code path and the range of vulnerable releases. The current EPSS score of 0.6966, with a recorded peak of 0.7100, indicates sustained exploitation interest following disclosure.

Vulnerability details

The Kubio AI Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.1 via the kubio_hybrid_theme_load_template function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included.

CWE(s): CWE-22 (Path Traversal)

AI Security Analysis

AI Category: Other Platforms
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1083 File and Directory Discovery (Discovery)
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1552.001 Credentials In Files (Credential Access)
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

An LFI flaw in a public-facing WordPress plugin enables unauthenticated exploitation (T1190); the resulting arbitrary file reads support discovery (T1083) and local data collection (T1005), including credentials stored in files (T1552.001), and the file inclusion itself yields PHP code execution.

CVEs Like This One

CVE-2024-12866 (shared CWE-22)
CVE-2022-50992 (shared CWE-22)
CVE-2026-32847 (shared CWE-22)
CVE-2025-10488 (shared CWE-22)
CVE-2026-30869 (shared CWE-22)
CVE-2026-35615 (shared CWE-22)
CVE-2026-33077 (shared CWE-22)
CVE-2025-60946 (shared CWE-22)
CVE-2026-6024 (shared CWE-22)
CVE-2025-67160 (shared CWE-22)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Requires timely patching and remediation of the specific LFI flaw in the Kubio plugin's kubio_hybrid_theme_load_template function to eliminate arbitrary file inclusion and PHP execution.

SI-10 Information Input Validation (prevent)
Mandates validation of untrusted inputs to template loading functions so that path traversal cannot turn a template name into an arbitrary local file inclusion.

Boundary Protection (prevent, detect)
Deploys boundary protections such as web application firewalls to monitor and block network requests that attempt to exploit the unauthenticated LFI vulnerability.
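As an added illustration of the SI-10 input-validation control, the PHP below is example code written for this page; it is not Kubio's code, nor the vendor's fix. The function names, the template directory layout and the test inputs are constructed assumptions. It shows a template loader that accepts only a bare slug, canonicalises the path with realpath(), confirms the result stays inside the template directory, and fails closed otherwise, which is the shape of validation that prevents a template name from becoming an arbitrary file inclusion.

```php
<?php
// Added example, not Kubio's code: a hardened template loader applying
// NIST SI-10 style input validation before include(). All names are hypothetical.

declare(strict_types=1);

/**
 * Resolve an untrusted template name to a file inside $template_dir, or return
 * null if the name is malformed or resolves outside that directory.
 */
function resolve_template_path(string $template_dir, string $name): ?string
{
    // 1. Syntactic allowlist: a bare slug only. This rejects '/', '\', '..',
    //    NUL bytes and stream-wrapper prefixes before any filesystem call.
    if (preg_match('/\A[a-z0-9][a-z0-9_-]{0,63}\z/i', $name) !== 1) {
        return null;
    }

    // 2. Canonicalise both sides. realpath() follows symlinks and returns false
    //    when the file does not exist, so a missing template is also rejected.
    $base = realpath($template_dir);
    $candidate = realpath($template_dir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $candidate === false) {
        return null;
    }

    // 3. Containment check on the canonical paths. The trailing separator
    //    stops "templates-other" from passing as a prefix of "templates".
    $base_prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $base_prefix, strlen($base_prefix)) !== 0) {
        return null;
    }

    // 4. Only a regular file with the expected extension is ever included.
    if (!is_file($candidate) || pathinfo($candidate, PATHINFO_EXTENSION) !== 'php') {
        return null;
    }

    return $candidate;
}

/** Include the validated template; returns false (and logs) on rejection. */
function load_hybrid_template(string $template_dir, string $name): bool
{
    $path = resolve_template_path($template_dir, $name);
    if ($path === null) {
        // Fail closed. Log the hex form so the rejected value cannot corrupt the log.
        error_log(sprintf('template load rejected: %s', bin2hex($name)));
        return false;
    }
    include $path;
    return true;
}

// Self-check against a constructed temporary template directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . '/home.php', "<?php echo 'home template rendered', PHP_EOL;");

// Constructed inputs: one legitimate slug and several malformed names that must be rejected.
$cases = [
    'home'        => true,   // legitimate slug, exists
    '../outside'  => false,  // traversal outside the template directory
    'home.php'    => false,  // caller may not supply the extension
    "home\0"      => false,  // embedded NUL
    'php://home'  => false,  // stream-wrapper prefix
    'missing'     => false,  // well-formed slug but no such template
];
foreach ($cases as $input => $expected) {
    $ok = load_hybrid_template($dir, $input);
    printf("%-20s => %s\n", json_encode($input), $ok === $expected ? 'PASS' : 'FAIL');
}
unlink($dir . '/home.php');
rmdir($dir);
```

Run with `php loader.php`; the legitimate slug renders the template and every other case prints PASS because it was refused before include() ran. The order matters: the regex runs first so that realpath() never sees a NUL byte or wrapper prefix, and the containment check runs on canonical paths so that symlinks inside the template directory cannot point the loader elsewhere.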
