CubeWP – All-in-One Dynamic Content Framework < 1.1.28 – Unauthenticated Information Exposure | CVE 2025-12129 | Plugin Vulnerabilities

Description

The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.

Affects Plugins

cubewp-framework

Fixed in 1.1.28

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/2006dc4c-ec1a-45ab-94a3-1f86d80e70ca

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

Jonas Benjamin Friedli

Verified

No

WPVDB ID

30dc7125-741c-4fd7-9965-ee7eb87552a5

Timeline

Publicly Published

2026-01-16 (about 3 months ago)

Added

2026-01-16 (about 3 months ago)

Last Updated

2026-01-17 (about 3 months ago)

Other

Published

Title

Published

2025-02-27

Title

Order Attachments for WooCommerce <= 2.5.1 - Unauthenticated Sensitive Information Exposure Through Unprotected Directory

Published

2023-10-02

Title

ProfilePress < 4.13.3 - Information Disclosure via Debug Log

Published

2025-11-04

Title

The Events Calendar < 6.15.10 - Unauthenticated Sensitive Information Exposure

Published

2025-12-21

Title

Contact Form 7 Extension For Mailchimp < 0.9.69 - Authenticated (Contributor+) Information Exposure

Published

2025-04-21

Title

Memberpress < 1.12.0 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure