PT-2026-3353 · WordPress · Cubewp
Published: 2026-01-17 · Updated: 2026-01-17 · CVE-2025-12129
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
CubeWP – All-in-One Dynamic Content Framework versions prior to 1.1.28
Description
The CubeWP plugin for WordPress has an information exposure issue. Insufficient restrictions on post inclusion within the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query API endpoints allow unauthenticated attackers to extract data from password-protected, private, or draft posts that they should not have access to.
Recommendations
Update to version 1.1.28 or later.
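For sites that ran a version prior to 1.1.28, a log review can show which clients called the two endpoints before the update. The script below is an added example, not code from the advisory or from the CubeWP project; it assumes access logs in Combined Log Format and the default WordPress REST prefix `/wp-json` (or the `?rest_route=` form), and its sample lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# The two REST routes named in the advisory.
ROUTES = {"/cubewp-posts/v1/query", "/cubewp-posts/v1/query-new"}

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def rest_route(target, prefix="/wp-json"):
    """Return the REST route a request target addresses, or None.
    The prefix is an assumption: /wp-json is the WordPress default."""
    parts = urlsplit(target)
    if parts.path == prefix or parts.path.startswith(prefix + "/"):
        route = parts.path[len(prefix):]
    else:
        # Sites without pretty permalinks use ?rest_route=/namespace/route
        values = parse_qs(parts.query).get("rest_route")
        if not values:
            return None
        route = values[0]
    return route.rstrip("/") or "/"

def cubewp_hits(lines):
    """Yield (ip, timestamp, route, status) for requests to the advisory's routes."""
    for line in lines:
        m = LINE_RE.match(line)
        if m and rest_route(m["target"]) in ROUTES:
            yield m["ip"], m["ts"], rest_route(m["target"]), int(m["status"])

def summarize(lines):
    """Count 2xx responses per (client, route): the calls that returned data."""
    return Counter((ip, route) for ip, _, route, status in cubewp_hits(lines)
                   if 200 <= status < 300)

# Constructed sample log lines (documentation-range addresses, made-up agent).
SAMPLE = [
    '203.0.113.7 - - [17/Jan/2026:10:00:01 +0000] "GET /wp-json/cubewp-posts/v1/query HTTP/1.1" 200 5120 "-" "ExampleClient/1.0"',
    '203.0.113.7 - - [17/Jan/2026:10:00:02 +0000] "GET /index.php?rest_route=%2Fcubewp-posts%2Fv1%2Fquery-new HTTP/1.1" 200 4980 "-" "ExampleClient/1.0"',
    '198.51.100.4 - - [17/Jan/2026:10:01:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 900 "-" "ExampleClient/1.0"',
    '198.51.100.4 - - [17/Jan/2026:10:02:00 +0000] "GET /wp-json/cubewp-posts/v1/query/ HTTP/1.1" 404 120 "-" "ExampleClient/1.0"',
]

if __name__ == "__main__":
    for (ip, route), count in summarize(SAMPLE).items():
        print(f"{ip} {route} {count}")
```

A hit in the log shows only that an endpoint was called, not what the response contained, so matching entries are candidates for review rather than confirmed disclosure.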
Fix
Information Disclosure
Affected Products
Cubewp