CVE-2025-13597 in AI Feeds Plugin

Summary

by MITRE • 11/26/2025

The AI Feeds plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check in the 'actualizador_git.php' file in all versions up to, and including, 1.0.11. This makes it possible for unauthenticated attackers to download arbitrary GitHub repositories and overwrite plugin files on the affected site's server, which may make remote code execution possible.


Analysis

by VulDB Data Team • 11/27/2025

CVE-2025-13597 affects the AI Feeds plugin for WordPress in all versions up to and including 1.0.11. The flaw is a missing capability check in the plugin's 'actualizador_git.php' file. That file performs a privileged file operation, fetching content from GitHub and writing it into the plugin directory, and should confirm that the caller is an authenticated user with permission to update plugins before doing so. Because no such check exists, any visitor who can reach the endpoint can bypass the site's normal access controls and trigger the write.

The vulnerable code is the plugin's own repository-download mechanism, intended to let an authorized user update plugin components from GitHub. Without a capability check, an unauthenticated attacker can reach the endpoint, specify an arbitrary GitHub repository, and have the site download it. The downloaded content overwrites existing plugin files, so an attacker-controlled repository can replace legitimate plugin code with PHP of the attacker's choosing, which the server will then execute as part of the plugin.
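The pattern above, shown as an added example rather than the AI Feeds plugin's own code: a hypothetical "update this plugin from GitHub" handler written twice, first with the class of defect described in this advisory (a privileged file write with no capability check), then with the checks WordPress expects. It assumes it runs inside WordPress; the request parameter 'repo', the hook name, the repository allowlist and the target directory 'example-plugin' are all assumptions.

```php
<?php
/**
 * Added example, not the AI Feeds plugin's own code: a hypothetical
 * "update this plugin from GitHub" handler written twice. The first form
 * reproduces the class of bug in this advisory (a privileged file write
 * with no capability check); the second adds the checks WordPress expects.
 * Runs inside WordPress. The request parameter 'repo', the hook name, the
 * allowlist and the target directory 'example-plugin' are assumptions.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Never let the web server run this file directly; only WordPress loads it.
}

/* ---------- Vulnerable pattern (illustrative only) ---------- */

function example_vulnerable_git_update() {
    // Nothing here asks who the caller is: no login, no capability, no nonce.
    // Whoever can reach the endpoint chooses the repository, and its contents
    // land in the plugin directory as executable PHP.
    $repo = isset( $_GET['repo'] ) ? (string) $_GET['repo'] : '';
    $zip  = download_url( 'https://github.com/' . $repo . '/archive/refs/heads/main.zip' );
    WP_Filesystem();
    unzip_file( $zip, WP_PLUGIN_DIR . '/example-plugin' ); // overwrites plugin files in place
}

/* ---------- Hardened pattern ---------- */

function example_hardened_git_update() {
    global $wp_filesystem;

    // 1. Authorization: only users allowed to update plugins may proceed.
    if ( ! current_user_can( 'update_plugins' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    // 2. CSRF: the request must carry a nonce issued for this specific action.
    check_admin_referer( 'example_git_update' );

    // 3. Input: never fetch an arbitrary repository; pin the ones this plugin may pull.
    $allowed = array( 'example-org/example-plugin' ); // assumption
    $repo    = isset( $_POST['repo'] ) ? sanitize_text_field( wp_unslash( $_POST['repo'] ) ) : '';
    if ( ! in_array( $repo, $allowed, true ) ) {
        wp_die( 'Repository not allowed.', 400 );
    }

    $zip = download_url( 'https://github.com/' . $repo . '/archive/refs/heads/main.zip' );
    if ( is_wp_error( $zip ) ) {
        wp_die( esc_html( $zip->get_error_message() ), 502 );
    }

    // 4. Extract into a fresh staging directory, not straight over the live plugin,
    //    so a bad archive cannot leave a half-overwritten install behind.
    WP_Filesystem();
    $staging = trailingslashit( get_temp_dir() ) . 'example-plugin-' . wp_generate_password( 12, false );
    $result  = unzip_file( $zip, $staging );
    @unlink( $zip );
    if ( is_wp_error( $result ) ) {
        $wp_filesystem->delete( $staging, true );
        wp_die( esc_html( $result->get_error_message() ), 500 );
    }

    // GitHub archives unpack into a single "<repo>-<branch>/" directory; accept exactly one.
    $entries = $wp_filesystem->dirlist( $staging );
    if ( ! is_array( $entries ) || count( $entries ) !== 1 ) {
        $wp_filesystem->delete( $staging, true );
        wp_die( 'Unexpected archive layout.', 500 );
    }
    $unpacked = trailingslashit( $staging ) . key( $entries );

    // 5. Keep a backup of the live tree, swap the staged tree in, roll back on failure.
    $target = WP_PLUGIN_DIR . '/example-plugin';
    $backup = $target . '.bak-' . time();
    if ( $wp_filesystem->is_dir( $target ) && ! $wp_filesystem->move( $target, $backup, true ) ) {
        wp_die( 'Could not back up the current plugin.', 500 );
    }
    if ( ! $wp_filesystem->move( $unpacked, $target, true ) ) {
        $wp_filesystem->move( $backup, $target, true ); // roll back
        wp_die( 'Could not install the update.', 500 );
    }
    $wp_filesystem->delete( $backup, true );
    $wp_filesystem->delete( $staging, true );

    wp_safe_redirect( admin_url( 'plugins.php' ) );
    exit;
}

// admin_post_{action} only fires for logged-in users; the capability and nonce
// checks inside the handler do the rest. An unauthenticated request never reaches it.
add_action( 'admin_post_example_git_update', 'example_hardened_git_update' );
```

The admin-side form that triggers the hardened handler posts to admin_url( 'admin-post.php' ) with a hidden action=example_git_update field and the output of wp_nonce_field( 'example_git_update' ); without both, check_admin_referer() aborts the request. The three differences that matter are the ABSPATH guard (the file cannot be run on its own), current_user_can() (only a privileged, logged-in user may proceed) and the allowlist (no arbitrary repository), which together close the three gaps the advisory describes.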

The impact goes beyond the file replacement itself: placing attacker-controlled PHP in the plugin directory is a remote code execution vector that can compromise the whole WordPress installation and whatever the web server process can reach. A successful exploit can lead to data theft, defacement, or use of the server as a staging point for further attacks. Because the payload lives in plugin files on disk, it survives reboots and remains in place until those files are restored from a trusted copy, which gives the attacker a durable foothold in the environment.

Defenders should act now rather than wait: disable or remove the plugin until a fixed release is available, block direct requests to the vulnerable file at the web server or WAF, and apply the vendor's patch once it ships. The weakness is classified as CWE-863 (Incorrect Authorization): an authorization failure that lets an attacker perform actions they should not be permitted to execute. From the attacker's perspective it maps to ATT&CK technique T1190, Exploit Public-Facing Application, since the entry point is an unauthenticated request to a file exposed by the web server. After any window of exposure, compare the plugin directory against a clean copy and review access logs for requests to the endpoint. Routine plugin audits should verify that every state-changing handler checks capabilities (current_user_can()) and a nonce, and that plugin PHP files cannot be executed directly outside WordPress, so that this class of bug does not reappear.
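One way to do the log review mentioned above, as an added example that is not from VulDB or the plugin: a small CLI script that pulls every request for actualizador_git.php, the file named in the advisory, out of combined-format access logs and summarizes them per source address. The sample log lines are constructed, and the plugin directory name 'ai-feeds' in them is an assumption; the match is on the file name only, so the real directory name does not matter.

```php
<?php
/**
 * Added example, not from VulDB or the plugin: triage web-server access logs
 * (Apache/nginx combined format) for requests to actualizador_git.php, the
 * file named in the advisory. Direct hits on a plugin PHP file are unusual
 * in normal traffic, so each one deserves a look; a 200 on a POST is a much
 * stronger signal than a 403 or 404. The sample lines are constructed and
 * the directory name 'ai-feeds' in them is an assumption.
 *
 * Usage: php triage.php [access.log]   (no argument: runs on the sample)
 */

const TARGET_FILE = 'actualizador_git.php';

// ip - user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"/';

function find_endpoint_hits( array $lines ): array {
    $hits = array();
    foreach ( $lines as $line ) {
        if ( ! preg_match( LOG_RE, $line, $m ) ) {
            continue; // not combined format; skip rather than guess
        }
        list( , $ip, $time, $method, $path, $status, $ua ) = $m;
        // Compare the decoded, lower-cased path component only, so a query
        // string, odd casing or percent-encoding does not hide the request.
        $decoded = rawurldecode( (string) parse_url( $path, PHP_URL_PATH ) );
        if ( strtolower( basename( $decoded ) ) !== TARGET_FILE ) {
            continue;
        }
        $hits[] = array(
            'ip'     => $ip,
            'time'   => $time,
            'method' => $method,
            'path'   => $path,
            'status' => (int) $status,
            'ua'     => $ua,
        );
    }
    return $hits;
}

function summarize_by_ip( array $hits ): array {
    $by_ip = array();
    foreach ( $hits as $h ) {
        $by_ip[ $h['ip'] ]['count'] = ( $by_ip[ $h['ip'] ]['count'] ?? 0 ) + 1;
        $by_ip[ $h['ip'] ]['statuses'][ $h['status'] ] = true;
    }
    return $by_ip;
}

// Constructed sample, not real traffic. Line 2 was blocked (403); line 3 is
// the one to worry about: a percent-encoded POST that the server answered 200.
$sample = array(
    '203.0.113.7 - - [27/Nov/2025:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [27/Nov/2025:10:01:09 +0000] "GET /wp-content/plugins/ai-feeds/actualizador_git.php HTTP/1.1" 403 199 "-" "python-requests/2.31"',
    '198.51.100.23 - - [27/Nov/2025:10:02:41 +0000] "POST /wp-content/plugins/ai-feeds/actualizador%5Fgit.php HTTP/1.1" 200 88 "-" "curl/8.4.0"',
    '192.0.2.5 - - [27/Nov/2025:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"',
);

$lines = isset( $argv[1] )
    ? file( $argv[1], FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES )
    : $sample;
$hits  = find_endpoint_hits( $lines );

foreach ( $hits as $h ) {
    printf( "%s %-15s %-4s %3d %s  ua=%s\n",
        $h['time'], $h['ip'], $h['method'], $h['status'], $h['path'], $h['ua'] );
}
foreach ( summarize_by_ip( $hits ) as $ip => $s ) {
    printf( "%s: %d request(s), status(es) %s\n",
        $ip, $s['count'], implode( ',', array_keys( $s['statuses'] ) ) );
}
```

On the sample this reports the two requests for the file and leaves the ordinary page loads alone; the percent-encoded POST is still caught because the path is decoded before the file name is compared. Any 200 response to such a request on a site running an affected version should be treated as a possible compromise, and the plugin directory compared against a clean copy.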

Disclosure

11/26/2025

Moderation

accepted

CPE

ready

EPSS

0.00618

KEV

no

Activities

very low

Sources
