VYPR
Medium severity 6.5 · NVD Advisory · Published Mar 31, 2026 · Updated Apr 24, 2026

CVE-2026-34887

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Extend Themes Kubio AI Page Builder allows Stored XSS. This issue affects Kubio AI Page Builder: from n/a through 2.7.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Kubio AI Page Builder through 2.7.0 allows privileged users to inject malicious scripts into web pages.

What is the vulnerability?

CVE-2026-34887 is a stored Cross-Site Scripting (XSS) vulnerability in the Extend Themes Kubio AI Page Builder plugin for WordPress, affecting versions from n/a through 2.7.0. The issue stems from improper neutralization of input during web page generation, allowing an attacker to inject arbitrary scripts that persist on the server and execute in the context of visitors' browsers [1].

How is it exploited?

Exploitation requires a privileged user (e.g., an editor or administrator) to interact with a crafted payload – such as clicking a malicious link, visiting a prepared page, or submitting a form. The attack is launched by a lower-privileged role that can store the malicious input, which then executes when other privileged users or site visitors load the affected page [1].

Impact

Successful exploitation enables a malicious actor to inject scripts that can redirect visitors, display unwanted advertisements, or deliver arbitrary HTML payloads. This can compromise the integrity and user trust of the website, as injected content runs automatically when guests browse the site [1].

Mitigation

The vendor has released version 2.7.1 which resolves the vulnerability. Patchstack users can enable auto-updates for vulnerable plugins. Immediate update to version 2.7.1 or later is strongly recommended; if updating is not possible, contact your hosting provider for assistance [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
