Platform
wordpress
Component
kubio
Fixed in
2.7.3
CVE-2026-5427 represents an Unrestricted File Upload vulnerability affecting the Kubio AI Page Builder plugin for WordPress. This flaw allows unauthorized users to upload files to the server, potentially enabling malicious code execution and compromising the website's integrity. The vulnerability impacts versions of the plugin up to and including 2.7.2. A patch is available in version 2.7.3.
CVE-2026-5427 in the Kubio WordPress plugin allows Arbitrary File Upload. The cause is insufficient capability checks within the kubiorestpreinsertimportassets() function, which is hooked to the rest_pre_insert_{post_type} filter for posts, pages, templates, and template parts. An attacker could exploit this vulnerability to upload malicious files to the server, potentially compromising the website's integrity and security. File uploads could lead to remote code execution, modification of critical system files, or unauthorized access to sensitive data. The impact severity depends on the permissions of the user performing the action and on the web server configuration.
An attacker could exploit this vulnerability by sending a POST request to the WordPress REST API, specifically to the endpoints that create or update posts, pages, templates, or template parts. The POST request would include a block whose 'kubio' attribute contains a malicious URL. Kubio, attempting to import the resource from that URL, would allow an arbitrary file to be uploaded to the server. The URL could point to a file on a server controlled by the attacker, or the file content could be embedded directly in the request as base64.
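As an added illustration (not Kubio's code and not the actual 2.7.3 patch), the following shows the shape of a rest_pre_insert_{post_type} callback that performs the capability check the advisory describes as insufficient and validates the asset URL before importing anything; the 'assets' attribute layout under the 'kubio' block attribute is an assumption.

```php
<?php
// Added illustration, not plugin code: a hardened rest_pre_insert_{post_type}
// callback. It imports assets referenced by a block's 'kubio' attribute only
// when the requesting user may upload files and edit the post, and only from
// http(s) URLs. The 'assets' attribute layout is assumed for this example.

function hardened_rest_pre_insert_import_assets( $prepared_post, WP_REST_Request $request ) {
    // 1. Capability check that the advisory says was insufficient:
    //    the caller must be able to upload media and edit this post.
    $post_id = isset( $prepared_post->ID ) ? (int) $prepared_post->ID : 0;
    if ( ! current_user_can( 'upload_files' )
        || ( $post_id && ! current_user_can( 'edit_post', $post_id ) ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to import assets.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }

    $content = isset( $prepared_post->post_content ) ? $prepared_post->post_content : '';
    foreach ( parse_blocks( $content ) as $block ) {
        if ( empty( $block['attrs']['kubio']['assets'] ) ) { // assumed attribute layout
            continue;
        }
        foreach ( (array) $block['attrs']['kubio']['assets'] as $url ) {
            // 2. Reject data: URIs, base64 blobs and anything that is not an http(s) URL.
            if ( ! is_string( $url ) || ! wp_http_validate_url( $url ) ) {
                return new WP_Error( 'rest_invalid_asset', __( 'Invalid asset URL.' ), array( 'status' => 400 ) );
            }
            // 3. Sideload through the media library so WordPress applies its own
            //    MIME/extension allow-list instead of writing the fetched bytes raw.
            require_once ABSPATH . 'wp-admin/includes/file.php';
            require_once ABSPATH . 'wp-admin/includes/media.php';
            require_once ABSPATH . 'wp-admin/includes/image.php';
            $attachment_id = media_sideload_image( $url, $post_id, null, 'id' );
            if ( is_wp_error( $attachment_id ) ) {
                return $attachment_id; // abort the REST insert with the error
            }
        }
    }
    return $prepared_post;
}

// Register for the four post types the advisory names.
foreach ( array( 'post', 'page', 'wp_template', 'wp_template_part' ) as $post_type ) {
    add_filter( "rest_pre_insert_{$post_type}", 'hardened_rest_pre_insert_import_assets', 10, 2 );
}
```

Returning a WP_Error from this filter makes the REST controller abort the create or update request, so nothing is written before the checks pass.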
EPSS
0.02% (4th percentile)
The solution to mitigate this vulnerability is to update the Kubio plugin to version 2.7.3 or higher. This version includes the necessary fixes to properly validate permissions and prevent unauthorized file uploads. It is recommended to perform a full backup of the website before applying the update. Additionally, review WordPress user permissions and limit administrative access to only those who require it. Implementing a Web Application Firewall (WAF) can provide an additional layer of protection against file upload attacks.
Update to version 2.7.3, or a newer patched version
The WordPress REST API is an interface that allows interaction with the website using standard HTTP methods like GET, POST, PUT, and DELETE. It allows programmatic creation, reading, updating, and deleting WordPress content.
You can verify the version of Kubio by accessing the WordPress admin dashboard, going to 'Plugins,' and looking for the Kubio plugin in the list.
If you cannot update immediately, consider limiting access to the WordPress REST API and monitoring server logs for suspicious activity.
While this vulnerability is specific to Kubio, it's important to review the security of all installed plugins on your website and keep them updated.
A WAF is a security tool that filters HTTP traffic between the website and users, blocking malicious attacks like unauthorized file uploads.