Kubio AI Page Builder <= 2.5.1 - Unauthenticated Local File Inclusion# CVE-2025-4403 Exploit
### Details
- **Published**: March 27, 2025
- **Updated**: March 28, 2025
- **Severity**: Critical (CVSS Score: 9.8)
- **CWE**: CWE-22: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- **Affected Versions**: All versions from n/a through 2.5.1
- **Researcher**: https://www.wordfence.com/threat-intel/vulnerabilities/researchers/michael-mazzolini
### CVSS Vector
- **CVSS Version**: 9.8
- **Vector String**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
## Description
The Kubio AI Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.1 via thekubio_hybrid_theme_load_template function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
### Usage
```sh
usage: python3 CVE-2025-2294.py
```
## Script Details
### Requirements
- Python 3.x
- `requests` library
### Installation
1. Clone the repository:
```sh
git clone https://github.com/Yucaerin/CVE-2025-2294.git
cd CVE-2025-2294
```
2. Install the required Python packages:
```sh
pip install requests
```
### NOTE
the exploit can be chained to RCE!
## Disclaimer
This script is intended for educational purposes only. Use it responsibly and only on systems for which you have explicit permission. Unauthorized use of this script is illegal and unethical.
Log in to view the POC file snapshot cached by Shenlong Bot
Log in to view