CVE-2025-2294
Published: 28 March 2025
Summary
CVE-2025-2294 is a critical-severity Path Traversal (CWE-22) vulnerability in Wordpress (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Other Platforms; in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The Kubio AI Page Builder plugin for WordPress is vulnerable to local file inclusion in all versions through 2.5.1. The flaw exists in the kubio_hybrid_theme_load_template function and permits inclusion and execution of arbitrary server-side files, resulting in PHP code execution. The issue carries a CVSS 3.1 score of 9.8 and is tracked as CWE-22.
Unauthenticated attackers reachable over the network can exploit the vulnerability to bypass access controls, read sensitive data, or obtain code execution on the host when they can place PHP content inside files that the application will subsequently include, such as uploaded images.
Public references hosted by Wordfence and the WordPress plugin repository document the affected code path and the range of vulnerable releases. The current EPSS score of 0.6966, with a recorded peak of 0.7100, indicates sustained exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-15115
Vulnerability details
The Kubio AI Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.1 via thekubio_hybrid_theme_load_template function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the…
more
server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
- CWE(s)
AI Security AnalysisAI
- AI Category
- Other Platforms
- Risk Domain
- Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: ai
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
LFI in public-facing WordPress plugin enables unauthenticated exploitation (T1190), arbitrary file reads for discovery (T1083) and local data collection (T1005), including sensitive credentials in files (T1552.001), and PHP code execution.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely patching and remediation of the specific LFI flaw in the Kubio plugin's thekubio_hybrid_theme_load_template function to eliminate arbitrary file inclusion and PHP execution.
Mandates validation of untrusted inputs to template loading functions to block path traversal attacks enabling local file inclusion.
Deploys boundary protections like web application firewalls to monitor and block network requests exploiting the unauthenticated LFI vulnerability.