# Kubio AI 页面构建器 <= 2.5.1 - 未授权本地文件包含
## 概述
Kubio AI Page Builder 插件存在局部文件包含(LFI)漏洞,这允许未认证的攻击者在服务器上包含和执行任意文件,从而可能导致获取敏感数据或实现代码执行。
## 影响版本
所有版本,包括 2.5.1 及之前的版本。
## 细节
漏洞源于 `thekubio_hybrid_theme_load_template` 函数,未认证的攻击者可以利用此漏洞包含并执行任意文件,进而执行文件中的 PHP 代码。
## 影响
攻击者可以利用此漏洞绕过访问控制,获取敏感数据或实现代码执行。特别是在上传和包含图片或其他被认为“安全”的文件类型情况下,风险更为严重。
| # | POC 描述 | 源链接 | 神龙链接 |
|---|---|---|---|
| 1 | Kubio AI Page Builder <= 2.5.1 - Unauthenticated Local File Inclusion | https://github.com/Nxploited/CVE-2025-2294 | POC详情 |
| 2 | None | https://github.com/mrrivaldo/CVE-2025-2294 | POC详情 |
| 3 | CVE-2025-2294 < Wordpress Kubio[Plugin] - Local File Inclusion[LFI]. | https://github.com/realcodeb0ss/CVE-2025-2294-PoC | POC详情 |
| 4 | The Kubio AI Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.1 via thekubio_hybrid_theme_load_template function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-2294.yaml | POC详情 |
| 5 | Kubio AI Page Builder <= 2.5.1 - Unauthenticated Local File Inclusion | https://github.com/rhz0d/CVE-2025-2294 | POC详情 |
| 6 | None | https://github.com/romanedutov/CVE-2025-2294 | POC详情 |
| 7 | Kubio AI Page Builder <= 2.5.1 - Unauthenticated Local File Inclusion | https://github.com/Yucaerin/CVE-2025-2294 | POC详情 |
| 8 | None | https://github.com/0xWhoami35/CVE-2025-2294 | POC详情 |
| 9 | None | https://github.com/r0otk3r/CVE-2025-2294 | POC详情 |
暂无评论