Vulnerabilities and security research for cubewp-framework
Jun 07, 2024
CubeWP – All-in-One Dynamic Content Framework # CVE-2024-30500
- CVE, Research URL
- Date: Mar 29, 2024
- Research Description: Unrestricted Upload of File with Dangerous Type vulnerability in CubeWP CubeWP – All-in-One Dynamic Content Framework. This issue affects CubeWP – All-in-One Dynamic Content Framework: from n/a through 1.1.12.
- Affected versions: max 1.1.13.
- Status: vulnerable
Oct 12, 2024
CubeWP – All-in-One Dynamic Content Framework # CVE-2024-48039
- CVE, Research URL
- Date: Nov 01, 2024
- Research Description: Missing Authorization vulnerability in CubeWP CubeWP – All-in-One Dynamic Content Framework allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CubeWP – All-in-One Dynamic Content Framework: from n/a through 1.1.15.
- Affected versions: max 1.1.16.
- Status: vulnerable
Jun 15, 2025
CubeWP – All-in-One Dynamic Content Framework # CVE-2025-4315
- CVE, Research URL
- Date: Jun 11, 2025
- Research Description: The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.23. This is due to the plugin allowing a user to update arbitrary user meta through the update_user_meta() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator.
- Affected versions: max 1.1.24.
- Status: vulnerable
CubeWP – All-in-One Dynamic Content Framework # CVE-2025-30994
- CVE, Research URL
- Date: Jun 06, 2025
- Research Description: Cross-Site Request Forgery (CSRF) vulnerability in Emraan Cheema CubeWP – All-in-One Dynamic Content Framework allows Cross Site Request Forgery. This issue affects CubeWP – All-in-One Dynamic Content Framework: from n/a through 1.1.23.
- Affected versions: max 1.1.24.
- Status: vulnerable
Aug 22, 2025
CubeWP – All-in-One Dynamic Content Framework # CVE-2025-54735
- CVE, Research URL
- Date: Aug 20, 2025
- Research Description: Incorrect Privilege Assignment vulnerability in Emraan Cheema CubeWP Framework allows Privilege Escalation. This issue affects CubeWP Framework: from n/a through 1.1.24.
- Affected versions: max 1.1.25.
- Status: vulnerable
Jan 10, 2026
CubeWP – All-in-One Dynamic Content Framework # CVE-2025-68036
- CVE, Research URL
- Date: Dec 30, 2025
- Research Description: Missing Authorization vulnerability in Emraan Cheema CubeWP allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects CubeWP: from n/a through 1.1.27.
- Affected versions: max 1.1.27.
- Status: vulnerable
Jan 27, 2026
CubeWP – All-in-One Dynamic Content Framework # CVE-2025-12129
- CVE, Research URL
- Date: Jan 17, 2026
- Research Description: The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
- Affected versions: max 1.1.28.
- Status: vulnerable
Apr 15, 2026
CubeWP – All-in-One Dynamic Content Framework # CVE-2025-6461
- CVE, Research URL
- Date: Jan 25, 2026
- Research Description: The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the search feature in class-cubewp-search-ajax-hooks.php due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
- Affected versions: max 1.1.28.
- Status: vulnerable