cleantalk
Vulnerabilities and Security Researches

CubeWP – All-in-One Dynamic Content Framework, CVE-2025-8615

CVE, Research URL

CVE-2025-8615

Home page URL

Security reports for CubeWP – All-in-One Dynamic Content Framework

Application

CubeWP – All-in-One Dynamic Content Framework

Published on
Jan 17, 2026
Research Description
The CubeWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cubewp_shortcode_taxonomy shortcode in all versions up to, and including, 1.1.26 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 1.1.27.
Status
vulnerable
Previous vulnerability researches
Hostel (CVE-2025-39566) , Apr 18, 2025
Hostel (CVE-2025-31102) , Apr 02, 2025
Hostel (CVE-2025-30848) , Apr 02, 2025
Hostel (CVE-2023-32120) , Jun 10, 2024
Hostel (CVE-2024-3753) , Jul 15, 2024
New vulnerability
Categories Images (CVE-2026-2505) , Apr 20, 2026
Contextual Related Posts (CVE-2026-2986) , Apr 20, 2026
CubeWP – All-in-One Dynamic Content Framework (CVE-2025-8615) , Apr 20, 2026
Hostel (CVE-2026-1838) , Apr 20, 2026
Content Blocks (Custom Post Widget) (CVE-2026-0894) , Apr 20, 2026