CVE-2026-5427
Received Received - Intake
Arbitrary File Upload in Kubio WordPress Plugin Allows Privilege Escalation

Publication date: 2026-04-17

Last updated on: 2026-04-17

Assigner: Wordfence

Description
The Kubio plugin for WordPress is vulnerable to Arbitrary File Upload in versions up to and including 2.7.2. This is due to insufficient capability checks in the kubio_rest_pre_insert_import_assets() function, which is hooked to the rest_pre_insert_{post_type} filter for posts, pages, templates, and template parts. When a post is created or updated via the REST API, Kubio parses block attributes looking for URLs in the 'kubio' attribute namespace and automatically imports them via importRemoteFile() without verifying the user has the upload_files capability. This makes it possible for authenticated attackers with Contributor-level access and above to bypass WordPress's normal media upload restrictions and upload files fetched from external URLs to the media library, creating attachment posts in the database.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-17
Last Modified
2026-04-17
Generated
2026-06-16
AI Q&A
2026-04-17
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5427
EUVD
EUVD-2026-23358
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
kubio kubio to 2.7.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Kubio plugin for WordPress has a vulnerability called Arbitrary File Upload in versions up to and including 2.7.2. This happens because the function kubio_rest_pre_insert_import_assets() does not properly check user capabilities. When a post is created or updated via the REST API, Kubio looks for URLs in certain block attributes and automatically imports files from those URLs without verifying if the user has permission to upload files. This allows authenticated users with Contributor-level access or higher to bypass normal media upload restrictions and upload files from external URLs to the media library.

Mitigation Strategies

To mitigate this vulnerability, you should update the Kubio plugin for WordPress to a version later than 2.7.2 where the issue is fixed.

Additionally, restrict Contributor-level users from uploading files or limit their access until the plugin is updated.

Impact Analysis

This vulnerability can allow attackers with Contributor-level access or higher to upload arbitrary files to the WordPress media library. This bypasses the usual restrictions on media uploads, potentially enabling the attacker to upload malicious files that could be used to compromise the website or its data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5427. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart