cleantalk
Vulnerabilities and Security Researches

CubeWP – All-in-One Dynamic Content Framework, CVE-2025-4315

CVE, Research URL

CVE-2025-4315

Home page URL

Security reports for CubeWP – All-in-One Dynamic Content Framework

Application

CubeWP – All-in-One Dynamic Content Framework

Published on
Jun 11, 2025
Research Description
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.23. This is due to the plugin allowing a user to update arbitrary user meta through the update_user_meta() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator.
Affected versions
Min -, max 1.1.24.
Status
vulnerable
Previous vulnerability researches
Envo's Elementor Templates & Widgets for WooCommerce (CVE-2024-43292) , Aug 20, 2024
Envo's Elementor Templates & Widgets for WooCommerce (CVE-2024-0766) , Jun 10, 2024
Envo's Elementor Templates & Widgets for WooCommerce (CVE-2024-35167) , Jun 10, 2024
Envo's Elementor Templates & Widgets for WooCommerce (CVE-2024-50447) , Oct 27, 2024
Envo's Elementor Templates & Widgets for WooCommerce (CVE-2024-0768) , Jun 10, 2024
New vulnerability
All-in-One Addons for Elementor – WidgetKit (CVE-2025-49074) , Jun 15, 2025
ElementInvader Addons for Elementor (CVE-2025-48288) , Jun 15, 2025
Falang multilanguage for WordPress (CVE-2025-48285) , Jun 15, 2025
Social Sharing Plugin – Sassy Social Share (CVE-2025-5528) , Jun 15, 2025
PSW – Login and registration (CVE-2025-4607) , Jun 15, 2025