Description
The Kubio plugin for WordPress is vulnerable to Arbitrary File Upload in versions up to and including 2.7.2. This is due to insufficient capability checks in the kubio_rest_pre_insert_import_assets() function, which is hooked to the rest_pre_insert_{post_type} filter for posts, pages, templates, and template parts. When a post is created or updated via the REST API, Kubio parses block attributes looking for URLs in the 'kubio' attribute namespace and automatically imports them via importRemoteFile() without verifying the user has the upload_files capability. This makes it possible for authenticated attackers with Contributor-level access and above to bypass WordPress's normal media upload restrictions and upload files fetched from external URLs to the media library, creating attachment posts in the database.
Published: 2026-04-17
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Upload
Action: Immediate Patch
AI Analysis

Impact

The Kubio AI Page Builder plugin for WordPress is missing an authorization check in kubio_rest_pre_insert_import_assets(), which runs on the REST API's rest_pre_insert_{post_type} filter for posts, pages, templates and template parts. When content is created or updated through the REST API, the function scans the submitted block attributes for URLs under the 'kubio' attribute namespace and hands each one to importRemoteFile(), which fetches the remote file and adds it to the media library, without first checking that the requesting user holds the upload_files capability. Any authenticated account that can create or edit those post types via REST, which includes the Contributor role in a default WordPress configuration, can therefore make the server fetch attacker-chosen URLs and store the results as attachment posts, bypassing the upload restriction WordPress normally enforces on that role. The CVE title classifies this as a limited file upload and the recorded CVSS vector scores only a low integrity impact; nothing on this page establishes that the imported files escape WordPress's usual file-type handling, so it should be read as an integrity and resource-abuse issue rather than a code-execution primitive.
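The shape of the flaw and its fix, as an added illustration that is not Kubio's source code: a rest_pre_insert_{post_type} filter that collects URLs from a 'kubio' attribute namespace and sideloads them, shown first without and then with the capability check. The function names, the attribute layout and the use of WordPress's own media_sideload_image() in place of the plugin's importRemoteFile() are assumptions; current_user_can(), parse_blocks(), wp_http_validate_url() and rest_authorization_required_code() are real WordPress APIs.

```php
<?php
// Added illustration, not the plugin's code. Names prefixed example_ are
// hypothetical; the WordPress functions called are real.
require_once ABSPATH . 'wp-admin/includes/media.php';
require_once ABSPATH . 'wp-admin/includes/file.php';
require_once ABSPATH . 'wp-admin/includes/image.php';

/**
 * Walk parsed blocks and collect every http(s) URL found under the
 * assumed 'kubio' attribute key, recursing into inner blocks.
 */
function example_collect_kubio_urls( array $blocks, array &$urls ) {
    foreach ( $blocks as $block ) {
        $attrs = isset( $block['attrs']['kubio'] ) ? (array) $block['attrs']['kubio'] : array();
        array_walk_recursive( $attrs, function ( $value ) use ( &$urls ) {
            if ( is_string( $value ) && preg_match( '#^https?://#i', $value ) ) {
                $urls[] = $value;
            }
        } );
        if ( ! empty( $block['innerBlocks'] ) ) {
            example_collect_kubio_urls( $block['innerBlocks'], $urls );
        }
    }
}

/**
 * Vulnerable shape: every URL is fetched and stored as soon as any user who
 * may create the post type (Contributor and above) submits it through REST.
 */
function example_vulnerable_pre_insert( $prepared_post, $request ) {
    $urls = array();
    example_collect_kubio_urls( parse_blocks( (string) $prepared_post->post_content ), $urls );
    foreach ( $urls as $url ) {
        media_sideload_image( $url, 0, null, 'id' ); // no capability check, no URL validation
    }
    return $prepared_post;
}

/**
 * Hardened shape: require the capability the core media endpoint requires,
 * refuse non-http(s) and private-network targets, and abort the request on
 * the first failure. Returning WP_Error from this filter makes the REST
 * controller reject the whole create/update call.
 */
function example_hardened_pre_insert( $prepared_post, $request ) {
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error(
            'rest_cannot_upload',
            'Sorry, you are not allowed to upload media on this site.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    $urls = array();
    example_collect_kubio_urls( parse_blocks( (string) $prepared_post->post_content ), $urls );
    foreach ( array_unique( $urls ) as $url ) {
        // wp_http_validate_url() rejects non-http(s) schemes and, unless a
        // site filters otherwise, loopback/private hosts. It does not check
        // file type; media_sideload_image() only accepts image extensions.
        if ( ! wp_http_validate_url( $url ) ) {
            return new WP_Error( 'rest_invalid_asset_url', 'Refusing to import ' . esc_url( $url ), array( 'status' => 400 ) );
        }
        $id = media_sideload_image( $url, 0, null, 'id' );
        if ( is_wp_error( $id ) ) {
            return $id; // surface the failure to the REST client instead of continuing
        }
    }
    return $prepared_post;
}

// The advisory names posts, pages, templates and template parts as hooked types.
foreach ( array( 'post', 'page', 'wp_template', 'wp_template_part' ) as $type ) {
    add_filter( "rest_pre_insert_{$type}", 'example_hardened_pre_insert', 10, 2 );
}
```

The capability check is the fix the CWE-862 classification calls for; the URL validation is a separate precaution, since a remote-import feature that accepts arbitrary URLs is also a server-side fetch on the attacker's behalf.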

Affected Systems

The affected product is the Kubio AI Page Builder plugin for WordPress, developed by Extendthemes. All releases up to and including 2.7.2 are vulnerable; the CVE lists no fixed version and no other vendors or product lines. Any WordPress site with the plugin active and the REST API reachable by authenticated users is exposed, and since WordPress enables the REST API and lets Contributors create posts through it by default, that describes an ordinary installation.

Risk and Exploitability

The vulnerability carries a CVSS 3.1 base score of 5.3 (Medium) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. Note that the vector records no privileges required, which contradicts the description's Contributor-level precondition; treat the score as an approximation of an authenticated, low-privilege integrity issue. EPSS is below 1% and the vulnerability is not in the CISA KEV catalogue, so there is no evidence of exploitation in the wild at publication time; the SSVC assessment recorded in the history below rates it automatable with partial technical impact. Exploitation is nonetheless simple: it needs only a valid Contributor-level (or higher) session and a REST request that creates or updates a post whose Kubio block attributes point at external URLs, which such accounts can send in a default WordPress configuration. The direct consequences are attacker-chosen files appearing in the media library as attachment posts and the server performing outbound fetches to attacker-chosen URLs; whether those files could then be served or executed depends on what importRemoteFile() accepts, which this page does not specify.

Generated by OpenCVE AI on April 17, 2026 at 05:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a Kubio AI Page Builder release newer than 2.7.2 as soon as the vendor ships one; the fix is to add the missing upload_files capability check in kubio_rest_pre_insert_import_assets(). At the time of writing this page records no fixed version.
  • Until then, do not rely on revoking upload_files from Contributor accounts: that role lacks the capability by default, and the vulnerable code path never consults it. Mitigate instead by preventing Contributor-level accounts from creating or updating posts through the REST API (or by deactivating the plugin), and review which accounts hold Contributor or higher.
  • Review the media library for attachments owned by accounts that cannot normally upload files, or whose source is an external URL, and remove any that were imported without authorization. Check web server and outbound-proxy logs for fetches triggered by the plugin. As general hardening, enforce strict MIME type validation on uploads and disable remote asset importing where the platform allows it.
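A triage script for the media-library review above, added here and not part of the advisory or the plugin. It is written for WP-CLI (run with `wp eval-file` on the affected site) and lists attachments whose author cannot currently upload files, which is the trace this flaw leaves behind. The _source_url meta key is set by WordPress's own media_sideload_image() and may be empty for files imported by the plugin's importRemoteFile(); that, and the function name, are assumptions.

```php
<?php
// Added triage script, not the plugin's or the advisory's code.
// Usage: wp eval-file find-unauthorized-attachments.php

/**
 * Return attachments owned by users who do not hold upload_files.
 * user_can() evaluates the author's *current* capabilities, so an account
 * that has since been promoted will not be flagged; compare post_date with
 * any known role changes when in doubt.
 */
function example_find_unauthorized_attachments() {
    $attachments = get_posts( array(
        'post_type'      => 'attachment',
        'post_status'    => 'inherit',   // the status attachments carry
        'posts_per_page' => -1,
        'orderby'        => 'date',
        'order'          => 'DESC',
    ) );

    $suspicious = array();
    foreach ( $attachments as $att ) {
        if ( user_can( (int) $att->post_author, 'upload_files' ) ) {
            continue;
        }
        $file = get_attached_file( $att->ID );
        $suspicious[] = array(
            'ID'     => $att->ID,
            'date'   => $att->post_date,
            'author' => get_the_author_meta( 'user_login', $att->post_author ),
            'mime'   => $att->post_mime_type,
            'file'   => $file ? $file : '(no file on disk)',
            'parent' => $att->post_parent,
            // Set by media_sideload_image(); assumed possibly absent here.
            'source' => get_post_meta( $att->ID, '_source_url', true ),
        );
    }
    return $suspicious;
}

$rows = example_find_unauthorized_attachments();
if ( empty( $rows ) ) {
    WP_CLI::success( 'No attachments owned by users lacking upload_files.' );
} else {
    WP_CLI::warning( count( $rows ) . ' attachment(s) owned by users who cannot upload files:' );
    WP_CLI\Utils\format_items( 'table', $rows, array( 'ID', 'date', 'author', 'mime', 'file', 'parent', 'source' ) );
}
```

Flagged rows are candidates, not proof: an administrator can legitimately attach media to a Contributor's draft, so check the parent post and the file contents before deleting.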


Advisories

No advisories yet.

History

Fri, 17 Apr 2026 19:15:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 17 Apr 2026 05:30:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Extendthemes; Extendthemes kubio Ai Page Builder; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values removed: (none)
Values added: Extendthemes; Extendthemes kubio Ai Page Builder; Wordpress; Wordpress wordpress

Fri, 17 Apr 2026 04:30:00 +0000

Values removed: (none) for all fields in this record.

Type: Description
Values added: The Kubio plugin for WordPress is vulnerable to Arbitrary File Upload in versions up to and including 2.7.2. This is due to insufficient capability checks in the kubio_rest_pre_insert_import_assets() function, which is hooked to the rest_pre_insert_{post_type} filter for posts, pages, templates, and template parts. When a post is created or updated via the REST API, Kubio parses block attributes looking for URLs in the 'kubio' attribute namespace and automatically imports them via importRemoteFile() without verifying the user has the upload_files capability. This makes it possible for authenticated attackers with Contributor-level access and above to bypass WordPress's normal media upload restrictions and upload files fetched from external URLs to the media library, creating attachment posts in the database.

Type: Title
Values added: Kubio AI Page Builder <= 2.7.2 - Missing Authorization to Authenticated (Contributor+) Limited File Upload via Kubio Block Attributes

Type: Weaknesses
Values added: CWE-862

Type: References
Values added: (none listed)

Type: Metrics
Values added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-17T18:48:57.774Z

Reserved: 2026-04-02T14:24:35.903Z

Link: CVE-2026-5427

Vulnrichment

Updated: 2026-04-17T18:48:53.490Z

NVD

Status : Received

Published: 2026-04-17T05:16:18.973

Modified: 2026-04-17T05:16:18.973

Link: CVE-2026-5427

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T06:00:09Z

Weaknesses