CVE-2025-8487 MEDIUM

CVE-2025-8487: Kubio AI Page Builder <= 2.6.3 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Installation

Vendor: Extendthemes
Product: Kubio AI Page Builder
Weakness: CWE-862 · Missing authorization
Published: September 19, 2025
Last update: April 8, 2026

CVSS base score

5.4/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: None
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

What the vulnerability does

01 Description

The Kubio AI Page Builder plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the kubio-image-hub-install-plugin AJAX action in all versions up to, and including, 2.6.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install the Image Hub plugin.
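
A stopgap for sites that cannot update immediately, shown as an added example that is not code from Kubio or from the original advisory: a must-use plugin that applies the missing capability check to the kubio-image-hub-install-plugin action before the plugin's own handler runs. It assumes the vulnerable handler is registered on the standard wp_ajax_ hook at the default priority; the file name is arbitrary.

```php
<?php
/**
 * Added example (not Kubio code): stopgap until Kubio is updated past 2.6.3.
 * Save as wp-content/mu-plugins/block-kubio-image-hub-install.php
 * (the file name is an arbitrary choice).
 */

// WordPress dispatches authenticated AJAX requests on the hook
// "wp_ajax_{action}". Priority 0 is an assumption: it runs ahead of
// handlers registered at the default priority of 10.
add_action( 'wp_ajax_kubio-image-hub-install-plugin', function () {
    // install_plugins is the core capability that gates plugin installation.
    if ( current_user_can( 'install_plugins' ) ) {
        return; // Privileged user: let the plugin's own handler run.
    }

    // Leave a trace in the PHP error log so blocked attempts can be reviewed.
    error_log( sprintf(
        'Blocked kubio-image-hub-install-plugin: user_id=%d ip=%s',
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    // Sends a JSON error with HTTP 403 and ends the request,
    // so the later handler never executes for this user.
    wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
}, 0 );
```

Remove the file once the site runs a version newer than 2.6.3.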

Explanation of Vulnerability in Simple Terms

02 Summary

Kubio AI Page Builder versions up to 2.6.3 lack proper authorization checks, allowing authenticated users with low privileges to modify site content and availability. An attacker with a basic user account can alter pages or disable functionality without proper permission validation. Update to a version newer than 2.6.3 to resolve this issue.

What an attacker can do

03 Attacker Capabilities

Modify page content and disable site features using a low-privilege user account.

Potential impact on your site

04 Site Impact

Unauthorized users can alter published pages and disrupt site availability without admin approval.

Conditions required to exploit

05 Prerequisites

Attacker must have a valid low-privilege user account on the site.

Key dates

06 Disclosure timeline

September 19, 2025: CVE published
April 8, 2026: Record updated
