Cyber Posture

CVE-2025-2294

Critical

Published: 28 March 2025

Modified: 15 April 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.5685 (98.2th percentile)
Risk Priority: 54 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

Security Summary

CVE-2025-2294 is a Local File Inclusion vulnerability (CWE-22) in the Kubio AI Page Builder plugin for WordPress, affecting all versions up to and including 2.5.1. The flaw lies in the `thekubio_hybrid_theme_load_template` function, which lets unauthenticated attackers include and execute arbitrary files on the server, so any PHP code in those files runs. Published on 2025-03-28, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): critical severity because it is reachable over the network, has low attack complexity, and requires neither privileges nor user interaction.

Unauthenticated attackers can exploit this vulnerability remotely without user interaction. Successful exploitation allows inclusion of arbitrary server files, leading to PHP code execution, bypassing access controls, or extracting sensitive data. It can also enable remote code execution in scenarios where attackers upload "safe" file types like images that contain embedded PHP payloads.

Advisories from Wordfence provide further details on the vulnerability at https://www.wordfence.com/threat-intel/vulnerabilities/id/2fb44c6e-520e-4a9f-9987-8b770feb710d?source=cve, while the affected code is visible in the plugin source at https://plugins.trac.wordpress.org/browser/kubio/tags/2.5.1/lib/integrations/third-party-themes/editor-hooks.php#L32.
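The summary above describes a template-loading function that includes a file whose path is influenced by the request. The following is an added illustration, not the Kubio plugin's code and not a reconstruction of `thekubio_hybrid_theme_load_template`, of how a plugin template loader can confine includes to one directory: the template name is checked against a strict allowlist pattern, the candidate path is canonicalised with `realpath()`, and the canonical path is verified to sit under the template directory before anything is passed to `include`. The function names `kubio_safe_template_path` and `kubio_load_template`, the `templates` directory layout and the `template` query parameter are assumptions made for the example.

```php
<?php
// Added example: a confined template loader for a WordPress plugin.
// This is not the Kubio plugin's code; the function names, the
// "templates" directory and the "template" query parameter are assumptions.

/**
 * Resolve a template name to a file inside $template_dir, or return null.
 *
 * The unsafe shape this replaces is the classic CWE-22 pattern:
 *     include $template_dir . '/' . $_REQUEST['template'];
 * where the request value may carry "../" segments or an absolute path.
 */
function kubio_safe_template_path(string $name, string $template_dir): ?string
{
    // 1. Accept only a plain template name: no slashes, dots or null bytes,
    //    so directory traversal is impossible by construction.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }

    // 2. Canonicalise both the base directory and the candidate file.
    //    realpath() returns false for a missing file and follows symlinks,
    //    so a link pointing outside the directory is caught in step 3.
    $base      = realpath($template_dir);
    $candidate = realpath($template_dir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $candidate === false) {
        return null;
    }

    // 3. Defence in depth: the canonical candidate must lie under $base.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $candidate;
}

/**
 * Load a template by name. A rejected name is logged (hex-encoded, so the
 * log line cannot be forged) and nothing is included.
 */
function kubio_load_template(string $name, string $template_dir): bool
{
    $path = kubio_safe_template_path($name, $template_dir);
    if ($path === null) {
        error_log('template load rejected: ' . bin2hex($name));
        return false;
    }
    include $path;
    return true;
}

// Example wiring (assumed layout): templates live beside this file.
// $dir = plugin_dir_path(__FILE__) . 'templates';
// kubio_load_template($_GET['template'] ?? 'default', $dir);
```

Step 1 alone already blocks traversal for this design; steps 2 and 3 exist so that a later relaxation of the allowlist, or a symlink dropped into the template directory, still cannot reach files outside it. The hex-encoded rejection log gives a detection hook for the probing that a public-facing plugin like this will attract.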

Details

CWE(s): CWE-22

AI Security Analysis

AI Category: Other Platforms
Risk Domain
Other ATLAS/OWASP Terms
OWASP Top 10 for LLMs 2025: None mapped
MITRE ATLAS Techniques: None mapped
Classification Reason: Kubio AI Page Builder is a WordPress plugin that incorporates AI for page building functionality, classifying it under Other Platforms as it does not fit more specific AI framework or library categories.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1083 File and Directory Discovery (Discovery)
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1552.001 Credentials In Files (Credential Access)
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

An LFI in a public-facing WordPress plugin enables unauthenticated exploitation (T1190); arbitrary file reads that serve discovery (T1083) and local data collection (T1005), including credentials stored in files (T1552.001); and PHP code execution.

References