Security Alert Summary
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress contains an information exposure vulnerability (CVE-2025-12129) affecting the plugin’s REST API endpoints. Insufficient restrictions on which posts can be returned by the endpoints allow unauthenticated requests to retrieve data from password protected, private, or draft posts.
CVE Details
- CVE ID: CVE-2025-12129
- Affected component: The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress
- Affected versions: All versions up to, and including, 1.1.27 (as stated in the CVE)
- Published: January 17, 2026, 8:15 AM UTC
- Last modified: January 17, 2026, 8:15 AM UTC
- CVSS v3.1 base score: 5.3 — MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- Authentication / privileges / user interaction:
- Privileges required: NONE
- User interaction: NONE
- Attack vector: NETWORK
- Primary impact: Confidentiality: LOW; Integrity: NONE; Availability: NONE
- CWE / weakness: CWE-200 (Information Exposure)
Technical Details
The plugin’s REST API endpoints /cubewp-posts/v1/query-new and /cubewp-posts/v1/query do not sufficiently restrict which posts may be included in responses. Because the endpoints allow unauthenticated access without proper checks on post visibility, attackers can craft requests that return content from posts that are password protected, private, or saved as drafts.
This is an information exposure issue rather than an integrity or availability issue: the flaw permits read access to content that should be restricted, but there is no indication in the CVE entry that the vulnerability enables modification or denial of service.
How This Could Impact Your Website
Consider a small website where the site owner coordinates with internal staff and an external contractor. A staff editor or contributor may create draft posts containing internal notes, email addresses, or planned campaign content. An unauthenticated attacker leveraging these REST API endpoints could extract that draft or private content, exposing internal information that was never intended for public view.
Practical consequences include unintended disclosure of internal user emails or private content, which can increase the risk of targeted phishing or social engineering against staff and contractors. The vulnerability does not, based on the CVE details, imply remote code execution or full site takeover; it is an exposure of content confidentiality.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available. (The CVE entry states affected versions up to and including 1.1.27; a fixed version is not specified in the CVE.)
- Review and reduce unnecessary user roles, especially contributor and editor accounts that can create or manage draft content.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins to reduce attack surface.
- Monitor site activity and access logs for unusual API requests or repeated queries to REST endpoints.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.