CVE-2025-12129
CubeWP – All-in-One Dynamic Content Framework <= 1.1.27 - Unauthenticated Information ExposureThe CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
We have discovered 405 live websites that are affected by CVE-2025-12129.
Affected Software
| Product |  Cubewp Framework |
| Category | Wordpress Plugins |
| Vulnerable Domains | 405 live websites (91% of Cubewp Framework install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 13 versions ( 93% of all versions) |
Common Weakness Enumeration
CWE-200 Exposure of Sensitive Information to an Unauthorized ActorDetails
- Published - Jan 17, 2026
- Updated - Jan 20, 2026
Credits
- Jonas Benjamin Friedli (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-12129 United States | 146 websites |
 Germany | 34 websites |
 Cyprus | 25 websites |
 GB | 23 websites |
 France | 15 websites |
 South Africa | 14 websites |
 Australia | 13 websites |
 Canada | 13 websites |
 Spain | 11 websites |
 India | 10 websites |
Website Distribution by TLD
Number of websites using CVE-2025-12129| .com | 220 websites |
| .org | 16 websites |
| .net | 16 websites |
| .de | 12 websites |
| .co.uk | 9 websites |
| .com.au | 8 websites |
| .pl | 7 websites |
| .it | 6 websites |
| .ca | 5 websites |
| .fr | 4 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-12129
Top websites that are affected by CVE-2025-12129. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ************************.org |  Singapore | ***,*** | |
| *******.com | Germany | ***,*** | |
| **********.***.au | Australia | *,***,*** | |
| *************.com | United States | *,***,*** | |
| ********.com | United States | *,***,*** | |
| **********.**.za | South Africa | *,***,*** | |
| ********.**.za | South Africa | *,***,*** | |
| ************.com | United States | *,***,*** | |
| ***************.com | United States | *,***,*** | |
| ******.fr | France | *,***,*** |
FAQ
CVE-2025-12129 is Exposure of Sensitive Information to an Unauthorized Actor in Cubewp Framework
A total of 405 websites have been identified as vulnerable to CVE-2025-12129, based on global website indexing conducted by WebTechSurvey.
The Cubewp Framework is affected by the CVE-2025-12129 vulnerability.
Cubewp Framework versions up to and including 1.1.27 are vulnerable to CVE-2025-12129.