Public Exploits Surface for Unauthenticated File Inclusion Flaws in Joomla and WordPress Plugins
Researchers disclosed multiple file inclusion vulnerabilities affecting popular CMS extensions, including the Tassos/Novarain Framework for Joomla and the Kubio AI Page Builder plugin for WordPress. SSD Secure Disclosure reported flaws in the Joomla framework, while a GitHub proof-of-concept tied to CVE-2026-21627 described an unauthenticated arbitrary PHP file inclusion issue in the ajaxTaskInclude() function of plg_system_nrframework, potentially allowing attackers to load unintended server-side files without logging in.
Separately, several GitHub repositories published exploit material for CVE-2025-2294, an unauthenticated local file inclusion vulnerability affecting Kubio AI Page Builder versions <= 2.5.1. The repeated publication of public exploit code for both CMS ecosystems lowers the barrier to opportunistic attacks, particularly against internet-exposed Joomla and WordPress sites that have not patched or removed vulnerable components.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Public exploit repository published for CVE-2026-21627 in Tassos Framework
A GitHub repository published exploit material for CVE-2026-21627, described as an unauthenticated arbitrary PHP file inclusion vulnerability via ajaxTaskInclude() in the Joomla Tassos/Novarain Framework plugin plg_system_nrframework. The publication made exploitation details publicly accessible.
SSD Secure Disclosure publishes Joomla Novarain/Tassos Framework vulnerabilities
SSD Secure Disclosure published details of vulnerabilities affecting the Joomla Novarain/Tassos Framework. This marked the public disclosure of the framework flaws later associated with exploit code for CVE-2026-21627.
Additional public exploit repositories appear for CVE-2025-2294
Separate GitHub repositories were later published reproducing or documenting exploitation of CVE-2025-2294, indicating broader public availability of exploit material. These later repositories did not describe a distinct new vulnerability, but showed continued dissemination of exploit details.
Kubio AI Page Builder LFI vulnerability disclosed as CVE-2025-2294
A local file inclusion vulnerability affecting Kubio AI Page Builder versions 2.5.1 and earlier was publicly disclosed and tracked as CVE-2025-2294. The issue was described as unauthenticated, allowing attackers to include local files without logging in.
Sources
5 references tracked. Mallory keeps watching after this page renders.
GitHub - yallasec/CVE-2026-21627---Tassos-Novarain-Framework-plg_system_nrframework-Exploit---Joomla: Vulnerability: Unauthenticated Arbitrary PHP File Inclusion via ajaxTaskInclude() · GitHub
github.com
Open sourceJoomla! Novarain/Tassos Framework Vulnerabilities - SSD Secure Disclosure
ssd-disclosure.com
Open sourceGitHub - Yucaerin/CVE-2025-2294: Kubio AI Page Builder <= 2.5.1 - Unauthenticated Local File Inclusion · GitHub
github.com
Open sourceGitHub - rhz0d/CVE-2025-2294: Kubio AI Page Builder <= 2.5.1 - Unauthenticated Local File Inclusion · GitHub
github.com
Open sourceGitHub - Nxploited/CVE-2025-2294: Kubio AI Page Builder <= 2.5.1 - Unauthenticated Local File Inclusion · GitHub
github.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Multiple CMS Plugin Vulnerabilities: WordPress CVEs and Joomla Novarain/Tassos Framework Flaws
Three newly described **WordPress plugin vulnerabilities** affect ShopLentor, Advanced AJAX Product Filters, and WP Maps. **CVE-2026-1714** allows **unauthenticated email relay abuse** in *ShopLentor* (<= `3.3.2`) via the `woolentor_suggest_price_action` AJAX endpoint due to missing validation of parameters such as `send_to` and `product_title`; the `wlemail` parameter can be abused for **CRLF injection** to control sender details, enabling spam/phishing relay through the victim site. **CVE-2026-1426** is a **PHP object injection** issue in *Advanced AJAX Product Filters* (<= `3.1.9.6`) reachable by **authenticated users (Author+)** through deserialization of untrusted input in `shortcode_check` within a Live Composer compatibility layer; impact depends on the presence of a usable **POP chain** in another installed plugin/theme and requires the *Live Composer* plugin to be installed and active. **CVE-2025-12062** affects *WP Maps* (<= `4.8.6`) and enables **authenticated (Subscriber+) limited local file inclusion** via `fc_load_template`, potentially leading to sensitive data exposure or code execution in scenarios where attacker-controlled `.html` content can be uploaded and then included. Separately, Joomla sites using the **Novarain/Tassos Framework** (`plg_system_nrframework`) face critical issues enabling **unauthenticated file read, file deletion, and SQL injection**, which can be chained toward **administrator takeover** and potentially **persistent RCE**. The reported weaknesses stem from an AJAX handler that processes `task=include` without sufficient hardening, allowing attackers to reach internal classes implementing `onAjax` and abuse gadget-like behaviors (e.g., CSV loading for arbitrary file read, a `remove` action for path deletion, and attacker-influenced query construction for SQL injection). The risk propagates through multiple popular Tassos extensions that bundle the framework (including **Convert Forms**, **EngageBox**, **Google Structured Data**, **Advanced Custom Fields**, and **Smile Pack**), and remediation requires applying vendor updates for affected releases.
Mar 21, 2026
Multiple Critical Vulnerabilities Disclosed Across Popular Software Platforms
A series of critical vulnerabilities have been disclosed affecting a wide range of popular software platforms, including WordPress plugins, web frameworks, developer tools, and enterprise applications. Notable issues include unauthenticated remote code execution (RCE) flaws in Next.js (CVE-2025-66478), WordPress core (CVE-2025-6389), and the ACF Extended plugin (CVE-2025-13486), as well as privilege escalation and authentication bypass vulnerabilities in the WP Directory Kit plugin (CVE-2025-13390) and cPanel. Several of these vulnerabilities are reported to be under active exploitation, with proof-of-concept code available for some, increasing the urgency for immediate patching and mitigation. Other significant disclosures include a high-severity flaw in Vim for Windows (CVE-2025-66476) allowing arbitrary code execution, a critical SQL injection chain in Synology BeeStation, and a directory traversal vulnerability in cPanel that could lead to full server takeover. Additional advisories cover issues in lz4-java, Longwatch OT surveillance, Django, Elementor, Apache Struts, nopCommerce, and OpenVPN, with many rated as critical or high severity by CVSS. Organizations are strongly advised to review affected products and apply security updates promptly to mitigate the risk of exploitation.
Mar 21, 2026
Joomla Core Flaws Expose Webservice Endpoints and Enable Arbitrary File Deletion
Joomla disclosed two high-severity core vulnerabilities affecting its platform: **CVE-2026-23898**, an input-validation flaw in the `com_joomlaupdate` autoupdate server mechanism that can lead to arbitrary file deletion, and **CVE-2026-23899**, an improper access-control issue in webservice endpoints that can permit unauthorized access. Both issues are remotely exploitable over the network with low attack complexity, according to the published CVSS v4.0 vectors. The file-deletion bug is mapped to **CWE-73** and the webservice issue to **CWE-284**. Joomla said both vulnerabilities carry high potential impact across confidentiality, integrity, and availability, while requiring high privileges, and published separate security advisories through its developer portal. The disclosures indicate risk to core Joomla deployments that rely on the affected update and webservice functionality, making patch review and access-control validation a priority for administrators.
Apr 1, 2026