CVE-2025-13374 — AI Deep Analysis Summary

🚨 **Essence**: Arbitrary File Upload via missing validation in `kalrav_upload_file` AJAX action. 💥 **Consequences**: Leads to Remote Code Execution (RCE).…

🛡️ **Root Cause**: CWE-434 (Unrestricted Upload of File with Dangerous Type). The plugin fails to validate file types during the upload process, allowing dangerous extensions.

📦 **Affected**: WordPress Plugin **Kalrav AI Agent**. **Versions**: 2.3.3 and earlier. **Vendor**: irisideatechsolutions.

🔓 **Privileges**: Unauthenticated access required. 📂 **Data**: Full server control via RCE. High impact on Confidentiality, Integrity, and Availability (CVSS: 9.8).

⚡ **Threshold**: LOW. No authentication (PR:N) or user interaction (UI:N) needed. Network accessible (AV:N) with Low complexity (AC:L). Easy to exploit.

🔍 **Exploit**: YES. Public PoC available on GitHub (d0n601/CVE-2025-13374). Active exploitation is likely given the low barrier to entry.

🔎 **Self-Check**: Scan for `kalrav-ai-agent.php` version <= 2.3.3. Check if the `kalrav_upload_file` AJAX endpoint exists and lacks file type validation logic.

🛠️ **Fix**: Update to the latest version of Kalrav AI Agent. Check vendor release notes for patched versions. Official references provided in WordFence and WP Trac.

🚧 **Workaround**: Disable the plugin if not needed. Implement WAF rules to block requests to `kalrav_upload_file` AJAX action. Restrict file upload types at the server level.

🔥 **Urgency**: CRITICAL. CVSS 9.8 + Unauthenticated + Public PoC = Immediate action required. Patch or mitigate within 24-48 hours.