URGENT: Critical Vulnerability Exposes AI Feeds WordPress Plugin to Remote Code Execution (CVE-2025-13597)

Overview

A critical security vulnerability, identified as CVE-2025-13597, has been discovered in the AI Feeds plugin for WordPress. This vulnerability allows unauthenticated attackers to upload arbitrary files, potentially leading to remote code execution (RCE). All versions of the AI Feeds plugin up to and including version 1.0.11 are affected. This post provides a detailed analysis of the vulnerability, its potential impact, and steps to mitigate the risk.

Technical Details

The vulnerability lies in the actualizador_git.php file of the AI Feeds plugin. Specifically, the file lacks a capability check, so unauthenticated users can trigger the functionality designed for updating the plugin from GitHub repositories. By exploiting this missing authentication, attackers can download arbitrary GitHub repositories and overwrite plugin files on the affected WordPress site’s server. This effectively grants them the ability to inject malicious code and execute arbitrary commands on the server, leading to full compromise of the website. The problematic code can be reviewed in the plugin's source on the WordPress.org plugin repository.
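As an added illustration (this is not the AI Feeds plugin's own code), the constructed WordPress handler below performs a "pull this plugin from GitHub" update with the controls the advisory says actualizador_git.php is missing: a capability check, a nonce, a pinned source with an integrity check, and extraction confined to the plugin's own folder. The hook, function and repository names are hypothetical, and the release tag and hash are placeholders.

```php
<?php
// Added example, not code from the AI Feeds plugin: a constructed WordPress
// "update this plugin from GitHub" handler with the checks the advisory says
// actualizador_git.php lacks. Hook, function and URL names are hypothetical;
// the release tag and hash are placeholders.

// Routed through wp-admin/admin-post.php, so the user session is loaded first.
add_action( 'admin_post_example_git_update', 'example_git_update_handler' );

function example_git_update_handler() {
    // 1. Capability check: the control CVE-2025-13597 is missing. Only users
    //    allowed to update plugins may reach the download-and-overwrite logic.
    if ( ! current_user_can( 'update_plugins' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF protection: the triggering link or form must carry a valid nonce.
    check_admin_referer( 'example_git_update' );

    // 3. Pin the source in code; never read the repository from the request.
    $archive_url  = 'https://github.com/EXAMPLE-ORG/EXAMPLE-REPO/archive/refs/tags/EXAMPLE-TAG.zip';
    $expected_sha = 'EXAMPLE-SHA256-OF-RELEASE-ZIP'; // placeholder, published per release

    require_once ABSPATH . 'wp-admin/includes/file.php'; // download_url(), unzip_file()
    $tmp_zip = download_url( $archive_url );
    if ( is_wp_error( $tmp_zip ) ) {
        wp_die( 'Download failed: ' . esc_html( $tmp_zip->get_error_message() ) );
    }

    // 4. Integrity check before anything touches the plugin directory.
    if ( ! hash_equals( $expected_sha, hash_file( 'sha256', $tmp_zip ) ) ) {
        unlink( $tmp_zip );
        wp_die( 'Archive hash mismatch; update aborted.' );
    }

    // 5. Extract only into this plugin's own folder through WP_Filesystem.
    //    unzip_file() skips entries containing '../', so nothing lands outside it.
    WP_Filesystem();
    $target = trailingslashit( WP_PLUGIN_DIR ) . 'example-plugin'; // hypothetical slug
    $result = unzip_file( $tmp_zip, $target );
    unlink( $tmp_zip );
    if ( is_wp_error( $result ) ) {
        wp_die( 'Extraction failed: ' . esc_html( $result->get_error_message() ) );
    }

    wp_safe_redirect( admin_url( 'plugins.php?example_updated=1' ) );
    exit;
}
```

When auditing a plugin for this class of bug, look for any file under the plugin directory that performs downloads or writes and can be reached without passing through current_user_can() and a nonce check first.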

CVSS Analysis

The severity of CVE-2025-13597 has been assessed as CRITICAL, with a CVSS score of 9.8. This score reflects the ease of exploitation (no authentication required) and the high impact on confidentiality, integrity, and availability. The attack vector is network-based, meaning the vulnerability can be exploited remotely without prior privileges or user interaction, and the attack complexity is low.

Possible Impact

The exploitation of CVE-2025-13597 can have severe consequences, including:

  • Remote Code Execution (RCE): Attackers can execute arbitrary code on the server, gaining full control of the website.
  • Website Defacement: Attackers can modify the website’s content, damaging its reputation and credibility.
  • Data Theft: Attackers can access sensitive data, including user credentials, financial information, and proprietary data.
  • Malware Distribution: Attackers can use the compromised website to distribute malware to visitors.
  • Denial of Service (DoS): Attackers can disrupt the website’s availability, preventing legitimate users from accessing it.

Mitigation or Patch Steps

The most effective way to mitigate CVE-2025-13597 is to update the AI Feeds plugin to the latest version, which includes a fix for the vulnerability. The patched version is newer than 1.0.11. Please follow these steps:

  1. Update the Plugin: Navigate to the “Plugins” section in your WordPress dashboard and update the AI Feeds plugin to the latest available version.
  2. Verify the Update: After updating, verify that the plugin version is later than 1.0.11 to ensure that the patch has been applied.
  3. Disable the Plugin (If Update Unavailable): If an updated version is not yet available, temporarily disable the AI Feeds plugin until a patch is released.
  4. Consider a Security Audit: Review your website’s security configuration and consider performing a security audit to identify and address any other potential vulnerabilities.

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
