Kubio AI Page Builder Local File Inclusion Vulnerability

Vulnerability

A local file inclusion vulnerability has been identified in the Kubio AI Page Builder plugin for WordPress, affecting all versions up to and including 2.5.1. The vulnerability arises in the 'kubio_hybrid_theme_load_template' function and allows unauthenticated attackers to include and execute arbitrary files on the server. Any PHP code in an included file is executed, which can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other 'safe' file types can be uploaded and included.

Impact

Exploitation of this vulnerability could result in unauthorized file inclusion, allowing for the execution of arbitrary PHP code on the server. This could be used to bypass access controls, access sensitive information, or execute malicious code, especially in cases where uploaded files can be included and executed.

Reproduction

To reproduce this vulnerability, send a request to a WordPress site with the Kubio AI Page Builder plugin installed, using the 'template_include' filter to pass a template ID that corresponds to a file that can be included. The 'kubio_hybrid_theme_load_template' function will then process the request, leading to the inclusion and execution of the specified file.
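
As an added illustration of the mitigation side (this is not code from the Kubio plugin or from this advisory), the PHP below shows one way a template loader can constrain what it includes: resolve the requested name, require that the resolved path stays inside a fixed template directory, and accept only PHP template files so uploaded images cannot be included. The function name `example_resolve_template`, the temporary directory and the sample file names are assumptions constructed for the example.

```php
<?php
// Added example with hypothetical names; not the plugin's own code.

/**
 * Resolve a requested template name to a file that is safe to include.
 * Returns the absolute path, or null when the request must be rejected.
 */
function example_resolve_template(string $requested, string $baseDir): ?string
{
    // Reject empty names, NUL bytes and stream-wrapper style names.
    if ($requested === '' || strpos($requested, "\0") !== false
        || strpos($requested, '://') !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "../" and follows symlinks; it returns false
    // when the target does not exist.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Containment: the resolved path must sit under the base directory.
    // The trailing separator stops "/templates-other" matching "/templates".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Only PHP templates are includable; images and other uploads are not.
    if (strtolower(pathinfo($candidate, PATHINFO_EXTENSION)) !== 'php') {
        return null;
    }
    return $candidate;
}

// Constructed demo data: one legitimate template, one file outside the
// template directory, and one non-PHP file inside it.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'example_lfi_' . getmypid();
$base = $root . DIRECTORY_SEPARATOR . 'templates';
mkdir($base, 0700, true);
file_put_contents($base . '/page.php', "<?php echo 'page template';\n");
file_put_contents($base . '/avatar.jpg', 'not a template');
file_put_contents($root . '/outside.php', "<?php echo 'outside';\n");

foreach (['page.php', '../outside.php', 'avatar.jpg', 'missing.php'] as $name) {
    $path = example_resolve_template($name, $base);
    echo str_pad($name, 18), $path === null ? 'rejected' : 'allowed', PHP_EOL;
}
```

Only `page.php` is allowed; the other three names are rejected by the containment, extension and existence checks respectively.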

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 5.7
remediation: 0.0
relevance: 0.0
threat: 6.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.