CVE-2025-13597 — AI Deep Analysis Summary

🚨 **Essence**: A critical code flaw in the **AI Feeds** WordPress plugin. <br>🔥 **Consequences**: Allows **Arbitrary File Upload**.…

🛡️ **Root Cause**: **CWE-434** (Unrestricted Upload of File with Dangerous Type). <br>❌ **Flaw**: Missing **capability checks** (authorization/validation) before processing uploads.…

📦 **Affected**: **AI Feeds** plugin by vendor **soportecibeles**. <br>📉 **Versions**: **1.0.11 and earlier**. <br>🌐 **Platform**: WordPress sites running this specific plugin version.

💀 **Attacker Actions**: <br>1️⃣ Upload **Webshells** or backdoors. <br>2️⃣ Execute **Remote Code Execution (RCE)**. <br>3️⃣ Steal sensitive **Database/Data**.…

⚡ **Threshold**: **VERY LOW**. <br>🔓 **Auth**: **Unauthenticated** (No login required). <br>🎯 **Config**: Low complexity. Any visitor can exploit this directly via the network.

💣 **Public Exploit**: **YES**. <br>🔗 **PoC Available**: GitHub repo by **d0n601** is public. <br>🌍 **Wild Exploitation**: High risk due to ease of access and public proof-of-concept.

🔍 **Self-Check**: <br>1. Scan for **AI Feeds** plugin version ≤ 1.0.11. <br>2. Check for `actualizador_git.php` endpoint exposure. <br>3. Use WAF rules to block suspicious file upload attempts to plugin directories.

🩹 **Official Fix**: **YES**. <br>📅 **Patch Date**: Released around **Nov 2025**. <br>🔗 **Reference**: WordPress Trac changeset **3402321** indicates the fix is available in newer versions.

🚧 **No Patch Workaround**: <br>1. **Deactivate** and **Delete** the AI Feeds plugin immediately. <br>2. Block upload endpoints via **WAF** or **.htaccess**. <br>3.…

🚨 **Urgency**: **CRITICAL / IMMEDIATE ACTION**. <br>⏳ **Priority**: **P0**. Unauthenticated RCE via file upload is a top-tier threat. Patch or remove the plugin **NOW** to prevent compromise.