CVE-2025-6461
Unknown Unknown - Not Provided
Information Exposure in CubeWP Plugin Allows Unauthorized Data Access

Publication date: 2026-01-25

Last updated on: 2026-01-25

Assigner: Wordfence

Description
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the search feature in class-cubewp-search-ajax-hooks.php due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-25
Last Modified
2026-01-25
Generated
2026-06-16
AI Q&A
2026-01-25
EPSS Evaluated
2026-06-15
NVD
CVE-2025-6461
EUVD
EUVD-2026-4642
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cubewp cubewp_all-in-one_dynamic_content_framework to 1.1.27 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in the CubeWP WordPress plugin allows unauthenticated attackers to use the search feature to access data from password protected, private, or draft posts that they should not be able to see. It occurs because the plugin does not properly restrict which posts can be included in search results, exposing sensitive information.

Impact Analysis

The vulnerability can lead to unauthorized disclosure of sensitive or private content on your WordPress site, including password protected, private, or draft posts. This exposure could compromise confidential information, damage trust, and potentially lead to further security issues if sensitive data is leaked.

Compliance Impact

This vulnerability could negatively impact compliance with data protection regulations such as GDPR and HIPAA by allowing unauthorized access to protected personal or sensitive information. Exposing such data without proper authorization may violate privacy requirements and lead to regulatory penalties.

Detection Guidance

You can detect this vulnerability by checking if your WordPress site is running the CubeWP plugin version 1.1.27 or earlier. Since the vulnerability involves the AJAX search feature exposing unauthorized post data, monitoring HTTP POST requests to the AJAX search endpoint (likely involving class-cubewp-search-ajax-hooks.php) for unusual data exposure could help. For example, you can use curl commands to test the search feature and see if it returns data from password protected, private, or draft posts. A sample command might be: curl -X POST -d 'post_type=any&search=your_test_query' https://yourwordpresssite.com/wp-admin/admin-ajax.php?action=cubewp_search. Additionally, inspecting logs for unexpected access patterns or data leakage related to the search AJAX calls can help detect exploitation attempts. [2]

Mitigation Strategies

The immediate mitigation step is to update the CubeWP plugin to version 1.1.28 or later, where the vulnerability is fixed by sanitizing input, validating post types, and restricting search queries to published posts only. If updating is not immediately possible, consider disabling the AJAX search feature or restricting access to it to authenticated users only. Additionally, review and apply any available security patches or workarounds provided by the plugin maintainers. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-6461. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart