Kubio AI Page Builder < 2.6.5 – Missing Authorization to Authenticated (Subscriber+) Limited Plugin Installation | CVE 2025-8487 | Plugin Vulnerabilities

Description

The Kubio AI Page Builder plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the kubio-image-hub-install-plugin AJAX action in all versions up to, and including, 2.6.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install the Image Hub plugin.

Affects Plugins

Fixed in 2.6.5

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/1f528c89-2b8c-4750-b9eb-47ebd8c1630e

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

wesley (wcraft)

Verified

No

WPVDB ID

4974f435-172c-429f-9a9b-45830965b0fa

Timeline

Publicly Published

2025-09-18 (about 9 months ago)

Added

2025-09-18 (about 9 months ago)

Last Updated

2025-09-19 (about 9 months ago)

Other

Published

Title

Published

2025-01-08

Title

SKT Page Builder < 4.8 - Authenticated (Subscriber+) Arbitrary File Upload

Published

2024-06-20

Title

Ultimate Custom Add To Cart Button <= 1.222.17 - Missing Authorization

Published

2025-07-19

Title

Breeze Checkout <= 1.4.0 - Missing Authorization

Published

2025-06-05

Title

診断ジェネレータ作成プラグイン <= 1.4.16 - Missing Authorization

Published

2024-08-26

Title

Envira Photo Gallery < 1.8.15 - Missing Authorization