CVE-2026-5427
Arbitrary File Upload in Kubio WordPress Plugin Allows Privilege Escalation
Publication date: 2026-04-17
Last updated on: 2026-04-17
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kubio | kubio | to 2.7.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Kubio plugin for WordPress has a vulnerability called Arbitrary File Upload in versions up to and including 2.7.2. This happens because the function kubio_rest_pre_insert_import_assets() does not properly check user capabilities. When a post is created or updated via the REST API, Kubio looks for URLs in certain block attributes and automatically imports files from those URLs without verifying if the user has permission to upload files. This allows authenticated users with Contributor-level access or higher to bypass normal media upload restrictions and upload files from external URLs to the media library.
How can this vulnerability impact me? :
This vulnerability can allow attackers with Contributor-level access or higher to upload arbitrary files to the WordPress media library. This bypasses the usual restrictions on media uploads, potentially enabling the attacker to upload malicious files that could be used to compromise the website or its data.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update the Kubio plugin for WordPress to a version later than 2.7.2 where the issue is fixed.
Additionally, restrict Contributor-level users from uploading files or limit their access until the plugin is updated.