CVE-2026-34887
Stored XSS in Kubio AI Page Builder Through Version
Publication date: 2026-03-31
Last updated on: 2026-03-31
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| extend_themes | kubio_ai_page_builder | to 2.7.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34887 is a Cross Site Scripting (XSS) vulnerability in the WordPress Kubio AI Page Builder Plugin up to version 2.7.0.
This vulnerability allows attackers to inject malicious scripts, such as redirects, advertisements, or other HTML payloads, into websites using the plugin.
These malicious scripts execute when visitors access the affected site.
Exploitation requires a user with at least Contributor or Developer privileges to interact with a crafted link, page, or form.
How can this vulnerability impact me? :
The vulnerability can lead to attackers injecting and executing malicious scripts on your website.
This can result in unwanted redirects, display of unauthorized advertisements, or other harmful HTML content affecting your visitors.
Such attacks can damage your website's reputation, compromise user trust, and potentially lead to further security issues.
However, exploitation requires user interaction and appropriate privileges, which limits the risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves Stored Cross-Site Scripting (XSS) in the WordPress Kubio AI Page Builder Plugin up to version 2.7.0. Detection typically involves identifying if the vulnerable plugin version is installed and checking for malicious script injections in web pages generated by the plugin.
Since exploitation requires a user with Contributor or Developer privileges to interact with crafted content, monitoring user actions and input fields related to the plugin can help detect attempts.
Specific commands are not provided in the resources, but general detection steps include:
- Check the installed version of the Kubio AI Page Builder Plugin to see if it is version 2.7.0 or earlier.
- Use web vulnerability scanners that detect XSS vulnerabilities on your website.
- Manually inspect input fields and stored content generated by the plugin for suspicious scripts or HTML payloads.
What immediate steps should I take to mitigate this vulnerability?
The primary and immediate mitigation step is to update the WordPress Kubio AI Page Builder Plugin to version 2.7.1 or later, where the vulnerability has been patched.
Additionally, consider the following steps:
- Restrict user privileges to limit Contributor or Developer roles only to trusted users.
- Use automated update tools, such as those offered by Patchstack, to ensure rapid deployment of security patches.
- Monitor your website for unusual script injections or behavior that may indicate exploitation attempts.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows attackers to inject malicious scripts into websites using the Kubio AI Page Builder plugin, which can lead to unauthorized actions such as redirects or data manipulation when visitors access the affected site.
Such Cross-site Scripting (XSS) vulnerabilities can potentially lead to breaches of data confidentiality and integrity, which may impact compliance with standards and regulations like GDPR and HIPAA that require protection of personal and sensitive data.
However, the provided information does not explicitly state the direct impact on compliance with these regulations.