Kubio AI Page Builder Missing Authorization Vulnerability in WordPress
Vulnerability
A vulnerability exists in the Kubio AI Page Builder plugin for WordPress, allowing unauthorized plugin installation. This issue arises from a lack of capability checks on the 'kubio-image-hub-install-plugin' AJAX action, affecting all versions up to and including 2.6.3. As a result, authenticated attackers with Subscriber-level access or higher can install the Image Hub plugin.
Impact
Exploitation of this vulnerability allows for unauthorized installation of plugins, which could lead to further security risks or functionality changes on the affected WordPress site.
Reproduction
To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can send a request to the 'kubio-image-hub-install-plugin' AJAX action. The absence of a proper capability check allows the installation of the Image Hub plugin without the necessary permissions.
Remediation
Users are advised to update the Kubio AI Page Builder plugin to version 2.6.5 or a newer patched version.
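Until the update is applied, the missing check can be enforced from outside the plugin. The following is an added example, not Kubio's code or the vendor's patch: a must-use plugin that rejects the 'kubio-image-hub-install-plugin' AJAX action for callers who cannot install plugins. The file location, function name and constant name are hypothetical, and it assumes 'install_plugins' is the capability the handler should require.

```php
<?php
/**
 * Added example (not Kubio's code): interim guard for the
 * 'kubio-image-hub-install-plugin' AJAX action.
 * Hypothetical location: wp-content/mu-plugins/guard-kubio-install.php
 */

// Action name as given in the advisory.
const GUARD_KUBIO_ACTION = 'kubio-image-hub-install-plugin';

/**
 * Reject the request unless the caller may install plugins.
 * Assumption: 'install_plugins' is the capability the handler should require.
 */
function guard_kubio_install_plugin() {
    if ( current_user_can( 'install_plugins' ) ) {
        return; // Authorized: fall through to the plugin's own handler.
    }

    // Record the denied attempt so it can be reviewed later.
    error_log( sprintf(
        'Denied %s for user ID %d from %s',
        GUARD_KUBIO_ACTION,
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    // Sends a JSON error with HTTP 403 and terminates the request.
    wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
}

// wp_ajax_{action} fires for logged-in users; PHP_INT_MIN runs this guard
// before any other callback registered on the same hook.
add_action( 'wp_ajax_' . GUARD_KUBIO_ACTION, 'guard_kubio_install_plugin', PHP_INT_MIN );
```

The guard only narrows who can reach the handler; updating to the patched version remains the fix.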
