PT-2026-4645 · WordPress · Cubewp – All-In-One Dynamic Content Framework
Matthew Rollings
·
Published
2026-01-25
·
Updated
2026-01-25
·
CVE-2025-6461
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
CubeWP – All-in-One Dynamic Content Framework versions prior to 1.1.27
Description
The CubeWP plugin for WordPress has an information exposure issue. Insufficient restrictions on the search feature in the
class-cubewp-search-ajax-hooks.php file allows unauthenticated attackers to access data from password-protected, private, or draft posts that they should not be able to view. The vulnerable search feature allows extraction of sensitive information.Recommendations
Update CubeWP – All-in-One Dynamic Content Framework to a version later than 1.1.27.
Fix
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Cubewp – All-In-One Dynamic Content Framework