Kubio Plugin for WordPress Allows Malicious File Uploads
CVE-2026-5427
Summary
The Kubio plugin for WordPress has a missing-authorization issue that allows authenticated users with Contributor-level access and above to upload files from external URLs to the site's media library, potentially leading to malicious content being uploaded. This affects versions of the plugin up to and including 2.7.2. To fix this, update the Kubio plugin to a version higher than 2.7.2 or remove and reinstall it.
Original title
The Kubio plugin for WordPress is vulnerable to Arbitrary File Upload in versions up to and including 2.7.2. This is due to insufficient capability checks in the kubio_rest_pre_insert_import_assets...
Original description
The Kubio plugin for WordPress is vulnerable to Arbitrary File Upload in versions up to and including 2.7.2. This is due to insufficient capability checks in the kubio_rest_pre_insert_import_assets() function, which is hooked to the rest_pre_insert_{post_type} filter for posts, pages, templates, and template parts. When a post is created or updated via the REST API, Kubio parses block attributes looking for URLs in the 'kubio' attribute namespace and automatically imports them via importRemoteFile() without verifying the user has the upload_files capability. This makes it possible for authenticated attackers with Contributor-level access and above to bypass WordPress's normal media upload restrictions and upload files fetched from external URLs to the media library, creating attachment posts in the database.
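The authorization gate described above, as an added example that is not Kubio's code: a rest_pre_insert_post handler that imports remote block assets only when the current user holds upload_files. The example_* function names and the attrs['kubio']['url'] attribute layout are assumptions; the WordPress core calls are real.

```php
<?php
// Added example: hypothetical handler, not Kubio's source. The example_* names
// and the attrs['kubio']['url'] layout are assumptions made for illustration.
add_filter( 'rest_pre_insert_post', 'example_import_block_assets', 10, 2 );
function example_import_block_assets( $prepared_post, $request ) {
	// Contributors hold edit_posts, so they reach this filter, but creating
	// attachments requires upload_files. Omitting this check is the CWE-862 case.
	if ( ! current_user_can( 'upload_files' ) ) {
		return $prepared_post; // Save the post, import nothing.
	}
	if ( empty( $prepared_post->post_content ) ) {
		return $prepared_post;
	}
	$blocks = parse_blocks( $prepared_post->post_content );
	foreach ( example_collect_urls( $blocks ) as $url ) {
		example_sideload( $url );
	}
	return $prepared_post;
}

function example_collect_urls( array $blocks ) {
	$urls = array();
	foreach ( $blocks as $block ) {
		$candidate = $block['attrs']['kubio']['url'] ?? null; // Assumed layout.
		if ( is_string( $candidate ) && wp_http_validate_url( $candidate ) ) {
			$urls[] = $candidate;
		}
		if ( ! empty( $block['innerBlocks'] ) ) {
			$urls = array_merge( $urls, example_collect_urls( $block['innerBlocks'] ) );
		}
	}
	return array_unique( $urls );
}

function example_sideload( $url ) {
	require_once ABSPATH . 'wp-admin/includes/file.php';
	require_once ABSPATH . 'wp-admin/includes/media.php';
	require_once ABSPATH . 'wp-admin/includes/image.php';
	$tmp = download_url( $url );
	if ( is_wp_error( $tmp ) ) {
		return $tmp;
	}
	$name = wp_basename( (string) wp_parse_url( $url, PHP_URL_PATH ) );
	$id   = media_handle_sideload( array( 'name' => $name, 'tmp_name' => $tmp ), 0 );
	if ( is_wp_error( $id ) ) {
		@unlink( $tmp ); // Rejected (for example a disallowed type): clean up.
	}
	return $id;
}
```

The same capability check belongs on every hook that can trigger the import (the description lists posts, pages, templates, and template parts), since each rest_pre_insert_{post_type} filter is a separate entry point.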
NVD CVSS 3.1
5.3
Vulnerability type
CWE-862
Missing Authorization
- https://plugins.trac.wordpress.org/browser/kubio/tags/2.7.1/lib/filters/post-ins...
- https://plugins.trac.wordpress.org/browser/kubio/tags/2.7.1/lib/importer/importe...
- https://plugins.trac.wordpress.org/browser/kubio/tags/2.7.1/lib/src/Core/Importe...
- https://plugins.trac.wordpress.org/browser/kubio/trunk/lib/filters/post-insert.p...
- https://plugins.trac.wordpress.org/browser/kubio/trunk/lib/importer/importer-fil...
- https://plugins.trac.wordpress.org/browser/kubio/trunk/lib/src/Core/Importer.php...
- https://plugins.trac.wordpress.org/changeset/3506647/kubio/trunk/lib/src/Core/Im...
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d8096f3c-e1a9-424f-af1...
Published: 17 Apr 2026 · Updated: 17 Apr 2026 · First seen: 17 Apr 2026