Kubio AI Page Builder <= 2.7.2 - Missing Authorization to Authenticated (Contributor+) Limited File Upload via Kubio Block Attributes
Summary
| CVE | CVE-2026-5427 |
|---|---|
| State | PUBLISHED |
| Assigner | Wordfence |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-17 05:16:18 UTC |
| Updated | 2026-04-17 05:16:18 UTC |
| Description | The Kubio plugin for WordPress is vulnerable to Arbitrary File Upload in versions up to and including 2.7.2. This is due to insufficient capability checks in the kubio_rest_pre_insert_import_assets() function, which is hooked to the rest_pre_insert_{post_type} filter for posts, pages, templates, and template parts. When a post is created or updated via the REST API, Kubio parses block attributes looking for URLs in the 'kubio' attribute namespace and automatically imports them via importRemoteFile() without verifying the user has the upload_files capability. This makes it possible for authenticated attackers with Contributor-level access and above to bypass WordPress's normal media upload restrictions and upload files fetched from external URLs to the media library, creating attachment posts in the database. |
Risk And Classification
Primary CVSS: v3.1 5.3 MEDIUM from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.000120000 probability, percentile 0.017800000 (date 2026-04-18)
Problem Types: CWE-862 | CWE-862 CWE-862 Missing Authorization
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| 3.1 | CNA | DECLARED | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
NoneIntegrity
LowAvailability
NoneCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Extendthemes | Kubio AI Page Builder | affected 2.7.2 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| plugins.trac.wordpress.org/browser/kubio/trunk/lib/src/Core/Importer.php | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/kubio/tags/2.7.1/lib/importer/importer-filters/kubio-... | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/kubio/trunk/lib/importer/importer-filters/kubio-block... | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/kubio/tags/2.7.1/lib/src/Core/Importer.php | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/changeset/3506647/kubio/trunk/lib/src/Core/Importer.php | [email protected] | plugins.trac.wordpress.org | |
| www.wordfence.com/threat-intel/vulnerabilities/id/d8096f3c-e1a9-424f-af10-3e802... | [email protected] | www.wordfence.com | |
| plugins.trac.wordpress.org/browser/kubio/tags/2.7.1/lib/filters/post-insert.php | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/kubio/trunk/lib/filters/post-insert.php | [email protected] | plugins.trac.wordpress.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: SeungRyeol Baek (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2026-04-02T14:40:37.000Z | Vendor Notified |
| CNA | 2026-04-16T15:06:55.000Z | Disclosed |
There are currently no legacy QID mappings associated with this CVE.