8 Apr 2025

WordPress Security Providers Failing to Warn About Vulnerability in Plugin a Hacker Is Likely Targeting

Across various data we monitor, we have been seeing what looks to be a hacker or hackers trying to find websites using the plugin Kubio Pro by requesting this URL: /wp-content/plugins/kubio-pro/readme.txt. At first we were puzzled as to what might explain that. There isn’t a plugin on the WordPress Plugin Directory with the slug kubio-pro, so it was likely either a plugin made available somewhere else or a backdoor disguised as a plugin. We looked for any information on the web about a vulnerability in a plugin with that slug or the name Kubio Pro and came up with nothing. The same is true of competing data sources for information on vulnerabilities in WordPress plugins.

WPScan, owned by Automattic, serves a not found page for the URL that would contain data on vulnerabilities for a plugin with that slug:

The same is true for Wordfence:

And Patchstack redirects to a different page when the URL that would hold its data on vulnerabilities in a plugin with that slug is requested:

Thinking the plugin might be a “pro” version of the plugin with the slug kubio, we found there is a Kubio plugin. Its changelog seems to reference a pro version, as the latest listing is headed “2.5.3 and 2.5.3-pro.” The recent changelog entries gave no suggestion that a vulnerability had recently been fixed. It turns out one had.

Developer Didn’t Disclose Security Fix

The changelog entry for the second most recent version, 2.5.2, which was released on March 18, reads “Various bug fixes.” It turns out that version fixed a fairly serious vulnerability. Wordfence made this claim about a change made in version 2.5.2:

The Kubio AI Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.1 via the kubio_hybrid_theme_load_template function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

They linked to the code of the plugin that shows how that could be exploited.

In the file /lib/integrations/third-party-themes/editor-hooks.php, the plugin registers the function kubio_hybrid_theme_load_template() on the template_include hook. (template_include is actually a filter, and add_action() is simply a wrapper around add_filter(), so whatever the callback returns is the path WordPress goes on to include.)

add_action( 'template_include', 'kubio_hybrid_theme_load_template' );

The callback takes the value of the request parameter “__kubio-site-edit-iframe-classic-template” (read from $_REQUEST, so it can be supplied via GET or POST) and, with no capability check and no validation of the path, hands it to locate_template() and returns the result as the file to be included (and therefore run):

function kubio_hybrid_theme_load_template( $template ) {
	// Attacker-controlled value: read straight from the request, with no
	// capability or nonce check (the plugin itself suppresses the sniff below).
	// phpcs:ignore WordPress.Security.NonceVerification.Recommended
	$template_id = Arr::get( $_REQUEST, '__kubio-site-edit-iframe-classic-template', false );
	if ( ! $template_id ) {
		return $template;
	}

	// locate_template() only prepends the theme (or theme-compat) directory and
	// checks that the file exists; "../" sequences pass through untouched.
	$new_template = locate_template( array( $template_id ) );
	if ( '' !== $new_template ) {
		// The returned path becomes the template WordPress includes.
		return $new_template;
	}
	return $template;
}

As far as we can determine, that vulnerability also existed in Kubio Pro.
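As an added illustration (our own code, not the plugin’s actual fix, which is not shown on this page), here is how that callback could be hardened. It assumes two things that are not stated anywhere in the plugin’s code above: that the preview is only meant for users who can edit the theme (the edit_theme_options capability), and that a valid “classic template” is a bare .php file name that lives inside the active theme or its parent theme.

```php
<?php
/**
 * Added example, not the plugin's own fix. Assumptions (ours, not the plugin's):
 *  - the preview is only for users who may edit the theme (edit_theme_options);
 *  - a "classic template" is a bare .php file name inside the active theme or its parent.
 */
function kubio_hybrid_theme_load_template_hardened( $template ) {
	if ( ! isset( $_REQUEST['__kubio-site-edit-iframe-classic-template'] ) ) {
		return $template;
	}
	$template_id = wp_unslash( (string) $_REQUEST['__kubio-site-edit-iframe-classic-template'] );

	// 1. Authorization: an anonymous visitor has no business driving an editor preview.
	if ( ! current_user_can( 'edit_theme_options' ) ) {
		return $template;
	}

	// 2. Syntactic validation: a plain file name only. This rejects directory
	//    separators, "..", null bytes and stream wrappers in one stroke.
	if ( ! preg_match( '/\A[A-Za-z0-9_-]+\.php\z/', $template_id ) ) {
		return $template;
	}

	// 3. Resolve through WordPress, then confirm the resolved file really sits inside
	//    the child or parent theme directory (theme-compat fallbacks are deliberately
	//    not accepted here).
	$new_template = locate_template( array( $template_id ) );
	if ( '' === $new_template ) {
		return $template;
	}
	$resolved = realpath( $new_template );
	if ( false === $resolved ) {
		return $template;
	}
	$allowed_dirs = array_filter( array(
		realpath( get_stylesheet_directory() ),
		realpath( get_template_directory() ),
	) );
	foreach ( $allowed_dirs as $dir ) {
		if ( 0 === strpos( $resolved, $dir . DIRECTORY_SEPARATOR ) ) {
			return $resolved;
		}
	}
	return $template;
}
add_action( 'template_include', 'kubio_hybrid_theme_load_template_hardened' );
```

The first two checks are the ones that matter: once the value is restricted to a bare file name, locate_template() can no longer be steered outside its search directories, and the realpath containment check is a second line of defence against anything the regular expression might let through in future revisions. A nonce tied to the preview request would also be appropriate, but we have not assumed a nonce action name the plugin does not show.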

Wordfence Gets Basic Detail Wrong

As part of a long-running dishonest practice by Wordfence, they made it appear as if they had determined which versions of Kubio are vulnerable, but they didn’t actually determine which versions were vulnerable. While they claimed “all versions up to, and including, 2.5.1” were vulnerable, the vulnerable code was added in version 1.2.0, so previous versions couldn’t possibly be vulnerable.

Our Customers Were Already Protected Years Ago

The good news for our own customers is that our Plugin Vulnerabilities Firewall had already protected against this vulnerability even before it was first introduced into the plugin, as the firewall’s zero-day protection has always blocked local file inclusion payloads like the one that would be used here.

Proof of Concept

The following proof of concept will cause a file named test.php in the root directory of the WordPress installation to be included. The ../../ works because locate_template() checks the theme directories first and then falls back to wp-includes/theme-compat/, which sits two directory levels below the WordPress root, so the traversal resolves to test.php in the installation root.

Replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/?__kubio-site-edit-iframe-preview&__kubio-site-edit-iframe-classic-template=../../test.php

