AI Feeds

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

The AI Feeds plugin for WordPress is vulnerable to arbitrary file uploads due to missing capability check in the 'actualizador_git.php' file in all versions up to, and including, 1.0.11. This makes it possible for unauthenticated attackers to download arbitrary GitHub repositories and overwrite plugin files on the affected site's server which may make remote code execution possible.

AI Analysis

Unauthenticated arbitrary file upload vulnerability in AI Feeds plugin for WordPress due to missing capability check in the 'actualizador_git.php' file

Basic Information

ID CVE-2025-13597

Source Wordfence

Published Nov 25, 2025 at 22:28

Affected Product

Vendor soportecibeles

Product AI Feeds

Version *

Affected Versions soportecibeles AI Feeds *

CWE Classification

CWE-434

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor soportecibeles

Product AI Feeds

Version 1.0.11

References

{
    "lastseen": "",
    "description": "The AI Feeds plugin for WordPress is vulnerable to arbitrary file uploads due to missing capability check in the 'actualizador_git.php' file in all versions up to, and including, 1.0.11. This makes it possible for unauthenticated attackers to download arbitrary GitHub repositories and overwrite plugin files on the affected site's server which may make remote code execution possible.",
    "published": "2025-11-25T22:28:37.000Z",
    "modified": "2025-11-25T22:28:37.000Z",
    "type": "cve",
    "title": "AI Feeds <= 1.0.11 - Unauthenticated Arbitrary File Upload",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c5007dd0-a62c-4ad8-8f8b-eb3f4387c370?source=cve\nhttps://plugins.trac.wordpress.org/browser/ai-feeds/trunk/actualizador_git.php#L1\nhttps://plugins.trac.wordpress.org/changeset/3402321/ai-feeds\nhttps://github.com/d0n601/CVE-2025-13597\nhttps://ryankozak.com/posts/cve-2025-13597",
    "id": "CVE-2025-13597",
    "bulletinFamily": "",
    "cwe": [
        "CWE-434"
    ],
    "cvelist": null,
    "sourceData": "soportecibeles AI Feeds *",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "AI Feeds",
    "version": "*",
    "vendor": "soportecibeles",
    "ai_description": "Unauthenticated arbitrary file upload vulnerability in AI Feeds plugin for WordPress due to missing capability check in the 'actualizador_git.php' file",
    "ai_severity": "Critical",
    "ai_vendor": "soportecibeles",
    "ai_product": "AI Feeds",
    "ai_version": "1.0.11",
    "ai_score": 9.8
}

AI Feeds <= 1.0.11 - Unauthenticated Arbitrary File Upload_CVE-2025-13597