Description
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.23. This is due to the plugin allowing a user to update arbitrary user meta through the update_user_meta() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator.
Published: 2025-06-11
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation to Administrator
Action: Immediate Patch
AI Analysis

Impact

The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress contains a flaw that lets an authenticated user write arbitrary user meta through the update_user_meta() function, with the meta key and value chosen by the caller. Because WordPress stores each user's roles in user meta (the capabilities key, wp_capabilities under the default table prefix), an account with only Subscriber privileges can rewrite its own role to Administrator and take full control of the site: read or modify any content, install plugins and themes, create further administrator accounts, and compromise the integrity and confidentiality of site data.

Affected Systems

The vulnerability affects the CubeWP Framework plugin for WordPress, versions up to and including 1.1.23. Site administrators should check the installed version (the Plugins screen in wp-admin, or the plugin's version header) and upgrade.

Risk and Exploitability

The flaw is rated high severity, CVSS 3.1 score 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H): exploitable over the network with low complexity, no user interaction, and only the low privileges of a Subscriber account, with full impact on the confidentiality, integrity and availability of the site. The EPSS score below 1% indicates a low predicted probability of exploitation, and the vulnerability is not listed in CISA's KEV catalog, so no public exploitation has been confirmed; the SSVC assessment likewise records exploitation "none" and technical impact "total". The advisory identifies the root cause only as a plugin code path that passes a caller-chosen meta key and value to update_user_meta() without checking that the caller may write that key; it does not name the specific endpoint or request shape. Since write access to an arbitrary meta key on one's own account is enough to change the role stored in the capabilities key, no further weakness is needed to reach administrator.

Generated by OpenCVE AI on April 21, 2026 at 20:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the CubeWP Framework plugin to the latest version (above 1.1.23).
  • Review who can authenticate: every logged-in user, including Subscribers, can exploit this, so disable open registration (Settings > General, "Anyone can register") unless it is required, and remove or suspend accounts that are no longer needed.
  • Until the update is applied, block writes to the role-bearing user meta keys ({prefix}capabilities and {prefix}user_level) from code paths that do not verify current_user_can('promote_users'), and require the plugin's meta-update handler to enforce a capability check and an allowlist of permitted meta keys.
  • Afterwards, audit the users list for unexpected Administrator accounts and for Subscriber accounts whose role changed, since a successful exploit leaves the escalated role in wp_usermeta.

Generated by OpenCVE AI on April 21, 2026 at 20:20 UTC.
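The role-in-user-meta mechanism described under Impact, and the capability check, key allowlist and interim guard called for under Remediation and Recommended Actions, as an added PHP example. This is not CubeWP's code: the AJAX action names, the nonce action, the allowed field names and the request shape are hypothetical, and the vulnerable handler is a minimal reconstruction of the pattern the advisory describes rather than the plugin's actual code path. The WordPress functions and filters it uses (update_user_meta, current_user_can, check_ajax_referer, and the add_user_metadata / update_user_metadata short-circuit filters) are real.

```php
<?php
/**
 * Added illustration for CVE-2025-4315, not code from CubeWP. Action names,
 * the field allowlist and the request shape are hypothetical.
 *
 * Roles live in user meta under "{$wpdb->prefix}capabilities"
 * ("wp_capabilities" with the default prefix) as a serialized array, e.g.
 * a:1:{s:10:"subscriber";b:1;}. A handler that writes a caller-chosen key
 * therefore lets a Subscriber overwrite that key and become an administrator.
 */

// 1. Vulnerable pattern: any logged-in user reaches update_user_meta() with
//    both the key and the value taken straight from the request.
add_action( 'wp_ajax_demo_profile_update_vulnerable', function () {
    $user_id = get_current_user_id();            // only requires an authenticated session
    $key     = $_POST['meta_key']   ?? '';       // attacker-controlled
    $value   = $_POST['meta_value'] ?? '';       // attacker-controlled; arrays are serialized as-is
    update_user_meta( $user_id, $key, $value );  // no nonce, no capability check, no allowlist
    wp_send_json_success();
} );

// 2. Hardened handler: nonce, capability check, explicit key allowlist,
//    scalar-only values. The role key can never be named, so it is never written.
const DEMO_ALLOWED_PROFILE_META = array( 'demo_phone', 'demo_city' ); // hypothetical fields

add_action( 'wp_ajax_demo_profile_update_hardened', function () {
    check_ajax_referer( 'demo_profile_update', 'nonce' );  // dies on a missing or bad nonce

    $user_id = get_current_user_id();
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $key = sanitize_key( $_POST['meta_key'] ?? '' );
    if ( ! in_array( $key, DEMO_ALLOWED_PROFILE_META, true ) ) {
        wp_send_json_error( 'unknown field', 400 );       // rejects wp_capabilities and everything else
    }

    $raw = $_POST['meta_value'] ?? '';
    if ( ! is_string( $raw ) ) {
        wp_send_json_error( 'invalid value', 400 );       // arrays never reach the meta table
    }
    update_user_meta( $user_id, $key, sanitize_text_field( wp_unslash( $raw ) ) );
    wp_send_json_success();
} );

// 3. Site-wide guard (drop into wp-content/mu-plugins/) for sites that cannot
//    update immediately. Returning a non-null value from the add_/update_user_metadata
//    filters makes WordPress skip the write, so any code path (this plugin or another)
//    that tries to change a role without the promote_users capability is refused and logged.
function demo_guard_role_meta( $check, $object_id, $meta_key, $meta_value ) {
    global $wpdb;
    $prefix    = $wpdb->get_blog_prefix();
    $sensitive = array( $prefix . 'capabilities', $prefix . 'user_level' );

    if ( ! in_array( $meta_key, $sensitive, true ) ) {
        return $check;                                    // null: proceed as normal
    }
    // Legitimate role writes that run without a privileged session: new-user
    // registration, WP-CLI and cron. Everything else must hold promote_users.
    if ( 0 === get_current_user_id() || ( defined( 'WP_CLI' ) && WP_CLI ) || wp_doing_cron() ) {
        return $check;
    }
    if ( current_user_can( 'promote_users' ) ) {
        return $check;
    }
    error_log( sprintf(
        'CVE-2025-4315 guard: refused write of %s on user %d by user %d',
        $meta_key, (int) $object_id, get_current_user_id()
    ) );
    return false;                                         // refuse the write
}
add_filter( 'update_user_metadata', 'demo_guard_role_meta', 10, 4 );
add_filter( 'add_user_metadata',    'demo_guard_role_meta', 10, 4 );
```

Part 3 is a stop-gap, not a fix: it also refuses role changes made by other plugins from a non-administrator session, so test it on a staging site first, and keep the refused-write log lines as detection evidence. Updating the plugin remains the remediation.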

Advisories
Source: EUVD
ID: EUVD-2025-18093
Title: The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.23. This is due to the plugin allowing a user to update arbitrary user meta through the update_user_meta() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator.
History

Sun, 13 Jul 2025 13:45:00 +0000
  Metrics (epss): removed {'score': 0.00041}; added {'score': 0.00048}

Thu, 10 Jul 2025 00:45:00 +0000
  First time appeared: added Cubewp, Cubewp cubewp
  Weaknesses: added NVD-CWE-noinfo
  CPEs: added cpe:2.3:a:cubewp:cubewp:*:*:*:*:*:wordpress:*:*
  Vendors & Products: added Cubewp, Cubewp cubewp

Wed, 11 Jun 2025 14:15:00 +0000
  Metrics (ssvc): added {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 11 Jun 2025 09:45:00 +0000
  Description: added "The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.23. This is due to the plugin allowing a user to update arbitrary user meta through the update_user_meta() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator."
  Title: added "CubeWP – All-in-One Dynamic Content Framework <= 1.1.23 - Authenticated (Subscriber+) Privilege Escalation"
  Weaknesses: added CWE-269
  References: (none recorded)
  Metrics (cvssV3_1): added {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:49:02.340Z

Reserved: 2025-05-05T13:45:03.763Z

Link: CVE-2025-4315

Vulnrichment

Updated: 2025-06-11T13:13:41.417Z

NVD

Status : Analyzed

Published: 2025-06-11T10:15:21.733

Modified: 2025-07-10T00:28:39.840

Link: CVE-2025-4315

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T20:30:27Z

Weaknesses