{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34887", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-31T09:57:17.719Z", "datePublished": "2026-03-31T10:19:46.282Z", "dateUpdated": "2026-03-31T12:32:04.044Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-31T10:19:46.282Z"}, "title": "WordPress Kubio AI Page Builder plugin <= 2.7.0 - Cross Site Scripting (XSS) vulnerability", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "affected": [{"vendor": "Extend Themes", "product": "Kubio AI Page Builder", "collectionURL": "https://wordpress.org/plugins", "packageName": "kubio", "versions": [{"status": "affected", "version": "n/a", "lessThanOrEqual": "2.7.0", "changes": [{"at": "2.7.1", "status": "unaffected"}], "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Extend Themes Kubio AI Page Builder allows Stored XSS.This issue affects Kubio AI Page Builder: from n/a through 2.7.0.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Extend Themes Kubio AI Page Builder allows Stored XSS.<p>This issue affects Kubio AI Page Builder: from n/a through 2.7.0.</p>"}]}], "tags": ["x_open-source"], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/kubio/vulnerability/wordpress-kubio-ai-page-builder-plugin-2-7-0-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseSeverity": "MEDIUM", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"}}], "solutions": [{"lang": "en", "value": "Update the WordPress Kubio AI Page Builder Plugin to the latest available version (at least 2.7.1).", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Update the WordPress Kubio AI Page Builder Plugin to the latest available version (at least 2.7.1)."}]}], "credits": [{"lang": "en", "value": "timomangcut | Patchstack Bug Bounty Program", "user": "00000000-0000-4000-9000-000000000000", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T12:31:52.020107Z", "id": "CVE-2026-34887", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T12:32:04.044Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34887", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T12:31:52.020107Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T12:31:58.685Z"}}], "cna": {"tags": ["x_open-source"], "title": "WordPress Kubio AI Page Builder plugin <= 2.7.0 - Cross Site Scripting (XSS) vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "timomangcut | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Extend Themes", "product": "Kubio AI Page Builder", "versions": [{"status": "affected", "changes": [{"at": "2.7.1", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "2.7.0"}], "packageName": "kubio", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update the WordPress Kubio AI Page Builder Plugin to the latest available version (at least 2.7.1).", "supportingMedia": [{"type": "text/html", "value": "Update the WordPress Kubio AI Page Builder Plugin to the latest available version (at least 2.7.1).", "base64": false}]}], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/kubio/vulnerability/wordpress-kubio-ai-page-builder-plugin-2-7-0-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Extend Themes Kubio AI Page Builder allows Stored XSS.This issue affects Kubio AI Page Builder: from n/a through 2.7.0.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Extend Themes Kubio AI Page Builder allows Stored XSS.<p>This issue affects Kubio AI Page Builder: from n/a through 2.7.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-31T10:19:46.282Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34887", "state": "PUBLISHED", "dateUpdated": "2026-03-31T12:32:04.044Z", "dateReserved": "2026-03-31T09:57:17.719Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-31T10:19:46.282Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Extend Themes Kubio AI Page Builder allows Stored XSS.This issue affects Kubio AI Page Builder: from n/a through 2.7.0."}, {"lang": "es", "value": "Neutralizaci\u00f3n Incorrecta de la Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web ('cross-site scripting') vulnerabilidad en Extend Themes Kubio AI Page Builder permite XSS Almacenado. Este problema afecta a Kubio AI Page Builder: desde n/d hasta 2.7.0."}], "id": "CVE-2026-34887", "lastModified": "2026-04-24T18:08:35.440", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 3.7, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-03-31T11:16:13.523", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/wordpress/plugin/kubio/vulnerability/wordpress-kubio-ai-page-builder-plugin-2-7-0-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.7.0]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "2.7.1"}}], "enrichment": {"confidence": 99.0, "confidence_source": "matching", "scores": [{"score": 99.0, "source": "matching"}]}, "original": {"product": "Kubio AI Page Builder", "source": "cna", "vendor": "Extend Themes"}, "product": "kubio_ai_page_builder", "vendor": "extendthemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-31T11:20:30.052761+00:00", "value": {"mitigation_remediation": ["Apply the latest WordPress Kubio AI Page Builder plugin version (2.7.1 or newer).", "If an immediate update is not possible, disable or remove the plugin to prevent exploitation."], "summary": {"action": "Immediate Patch", "impact": "Stored cross\u2011site scripting on site pages that can execute arbitrary JavaScript in the context of authenticated users, potentially leading to credential theft, session hijacking, or defacement."}, "threat_synthesis": {"affected_systems": "The issue affects the WordPress Kubio AI Page Builder plugin crafted by Extend Themes, specifically all released versions up to and including 2.7.0. Users running these plugin versions on their WordPress installations are vulnerable; upgrading to 2.7.1 or later eliminates the flaw.", "description_and_impact": "The vulnerability stems from improper neutralization of user input during web page rendering, allowing malicious code to be saved and later executed when anyone visits the affected page. Stored cross\u2011site scripting can compromise the confidentiality and integrity of data viewed by users, enabling attackers to steal session cookies, inject malicious content, or deface the site. This weakness is categorized under CWE\u201179, which includes typical injection of executable scripts into web pages.", "risk_and_exploitability": "The CVSS score of 6.5 reflects a moderate severity, combining user interaction with the potential for high impact on website trustworthiness. Thanks to the absence of an EPSS score and no listing in the CISA KEV catalog, the publicly known exploitation likelihood is unclear, but the stored\u2011XSS nature means that an attacker capable of adding or modifying content\u2014either through a compromised user account or by exploiting another vulnerability\u2014could realize the attack. The attack vector is inferred to be through the plugin\u2019s content input mechanisms, which do not properly sanitize data before storage."}}}}, "created": "2026-03-31T19:55:50.195883+00:00", "updated": "2026-03-31T20:39:12.714434+00:00", "vendors": ["extendthemes", "extendthemes$PRODUCT$kubio_ai_page_builder", "wordpress", "wordpress$PRODUCT$wordpress"]}