CVE-2025-2294: 
WordPress vulnerability analysis and mitigation

The Kubio AI Page Builder plugin for WordPress contains a Local File Inclusion (LFI) vulnerability, tracked as CVE-2025-2294, affecting all versions up to and including 2.5.1. The vulnerability was discovered by security researcher mikemyers and affects over 90,000 active WordPress installations (Security Online, NVD).

The vulnerability exists in the kubiohybridthemeloadtemplate function, allowing unauthenticated attackers to include and execute arbitrary files on the server. The severity is rated as Critical with a CVSS v3.1 score of 9.8 (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (NVD, Security Online).

The vulnerability enables attackers to bypass access controls, obtain sensitive data, and achieve code execution in cases where images and other "safe" file types can be uploaded and included. The widespread installation base of over 90,000 active sites amplifies the potential impact of this vulnerability (Security Online).

The vulnerability has been patched in version 2.5.2 of the Kubio AI Page Builder plugin. Users are strongly advised to update to version 2.5.2 or later immediately to protect their websites from potential attacks (Security Online).