CVE-2025-13374: Arbitrary File Upload in The Kalrav AI Agent plugin for WordPress
This critical-severity vulnerability (CVSS 9.8) allows attackers to upload arbitrary files to any WordPress site running the Kalrav AI Agent plugin. Because an uploaded file can be a server-side script, the bug is effectively remote code execution: successful exploitation can lead to complete website takeover, including data theft and compromise of the underlying host.
Consider a package delivery service that performs no security checks on incoming parcels: anyone can send a package containing anything, even dangerous items, directly into your home. In this case, the plugin fails to properly vet files uploaded by users, neither restricting the file type and extension nor checking who is allowed to upload. An attacker can leverage this oversight to upload a malicious script, for example a PHP web shell, onto the server. Once such a file sits in a web-reachable directory like wp-content/uploads, a single HTTP request to it executes the attacker's code with the web server's privileges, which is all that is needed to control the entire WordPress installation.
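The following is an added illustration, not code from the Kalrav AI Agent plugin (the advisory does not show the affected function). It contrasts the AJAX upload pattern that produces an arbitrary-file-upload bug with a hardened version built on WordPress's own upload helpers. The hook names, the nonce action, the `file` field name and the allow-list are assumptions chosen for the example.

```php
<?php
// Added example, not the plugin's code. Hook and field names are placeholders.
// The first handler shows the vulnerable pattern, the second a hardened version
// that uses WordPress's own capability, nonce and file-type checks.

// VULNERABLE: registered for unauthenticated callers (wp_ajax_nopriv_), no nonce,
// no capability check, and the file is stored under the client-supplied name and
// extension. Uploading "shell.php" and then requesting
// /wp-content/uploads/shell.php executes it as the web server user.
add_action( 'wp_ajax_nopriv_kalrav_demo_upload', 'kalrav_demo_upload_unsafe' );
add_action( 'wp_ajax_kalrav_demo_upload', 'kalrav_demo_upload_unsafe' );
function kalrav_demo_upload_unsafe() {
    $upload_dir = wp_upload_dir();
    $target     = $upload_dir['basedir'] . '/' . $_FILES['file']['name'];
    move_uploaded_file( $_FILES['file']['tmp_name'], $target );
    wp_send_json_success( array( 'url' => $upload_dir['baseurl'] . '/' . $_FILES['file']['name'] ) );
}

// HARDENED: authenticated callers only, plus a nonce, a capability check, an
// explicit allow-list of types, and WordPress's extension/MIME validation.
add_action( 'wp_ajax_kalrav_demo_upload_safe', 'kalrav_demo_upload_safe' );
function kalrav_demo_upload_safe() {
    // No wp_ajax_nopriv_ registration above: anonymous requests never reach here.
    check_ajax_referer( 'kalrav_demo_upload', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
        wp_send_json_error( 'no file', 400 );
    }

    // Allow-list only the types this feature actually needs (assumed list).
    $allowed = array(
        'pdf'      => 'application/pdf',
        'txt'      => 'text/plain',
        'png'      => 'image/png',
        'jpg|jpeg' => 'image/jpeg',
    );

    // wp_check_filetype_and_ext() matches the extension against $allowed and, for
    // images, verifies that the bytes really are that image type. An empty 'type'
    // means the file was rejected.
    $check = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $_FILES['file']['name'], $allowed );
    if ( empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // Never trust the client-supplied name: generate our own, keep only the
    // validated extension, and let wp_handle_upload() place it under uploads/.
    $_FILES['file']['name'] = wp_generate_password( 16, false ) . '.' . $check['ext'];
    $overrides = array(
        'test_form' => false,   // not coming from the wp-admin form, so skip that check
        'mimes'     => $allowed, // wp_handle_upload() re-validates against this list
    );
    $result = wp_handle_upload( $_FILES['file'], $overrides );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

Validation in the handler is the first line of defence, not the only one: the uploads directory should also be configured so that the web server never executes scripts from it (for Apache, a rule in wp-content/uploads/.htaccess that denies access to `.php` files; for nginx, a location block that returns 403 for `\.php$` under uploads). With that in place, even a validation bypass yields a stored file rather than code execution.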
TheHackerWire reports on a critical vulnerability, CVE-2025-13374, affecting the Kalrav AI Agent plugin for WordPress. The flaw allows arbitrary file uploads because the plugin does not validate the type of uploaded files, which in practice means remote code execution on the web server. With a CVSS score of 9.8 it is rated critical and can result in full site compromise, data theft, or malware installation. To mitigate the risk, update the Kalrav AI Agent plugin to the patched release named in the official advisory, or deactivate it until you can; confirm with the vendor advisory which versions are affected; and check for signs of exploitation, in particular unexpected PHP or other executable files under wp-content/uploads and web server log entries requesting them.
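One concrete way to perform the "monitor for exploitation" step above, as an added example that is not part of the original article: a stand-alone PHP command-line check that walks a WordPress uploads directory and reports the kinds of files an attacker leaves behind after an arbitrary-file-upload exploit. The directory path, the extension list and the function name are assumptions; it does not depend on the plugin or on WordPress being loaded.

```php
<?php
// Added example, not from the advisory or the plugin. Run from a shell:
//   php scan-uploads.php /var/www/html/wp-content/uploads
// The path and the extension list are assumptions; adjust them for your host.

function kalrav_demo_scan_uploads( string $dir ): array {
    // Extensions a typical PHP web server may execute. A WordPress uploads
    // directory should never legitimately contain any of these.
    $exec_exts = array( 'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar', 'shtml', 'cgi', 'pl', 'py' );
    $exec_re   = '/\.(' . implode( '|', $exec_exts ) . ')\.[a-z0-9]+$/i';
    $findings  = array();

    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $it as $file ) {
        $path = $file->getPathname();
        $ext  = strtolower( $file->getExtension() );
        $base = $file->getFilename();

        // 1. Executable extension anywhere under uploads: almost certainly a web shell.
        if ( in_array( $ext, $exec_exts, true ) ) {
            $findings[] = array( 'path' => $path, 'reason' => 'executable extension' );
            continue;
        }
        // 2. Double extension such as shell.php.png: some Apache configurations
        //    still hand these to the PHP handler.
        if ( preg_match( $exec_re, $base ) ) {
            $findings[] = array( 'path' => $path, 'reason' => 'double extension' );
            continue;
        }
        // 3. Server config dropped into uploads to re-enable script execution.
        //    A hardening .htaccess that *denies* PHP is legitimate, so review it.
        if ( '.htaccess' === $base || '.user.ini' === $base ) {
            $findings[] = array( 'path' => $path, 'reason' => 'server config file (verify contents)' );
            continue;
        }
        // 4. PHP open tag inside a file that claims to be an image or document.
        $head = file_get_contents( $path, false, null, 0, 4096 );
        if ( false !== $head && preg_match( '/<\?(php|=)/i', $head ) ) {
            $findings[] = array( 'path' => $path, 'reason' => 'PHP code inside non-PHP file' );
        }
    }
    return $findings;
}

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) && is_dir( $argv[1] ) ) {
    $findings = kalrav_demo_scan_uploads( $argv[1] );
    foreach ( $findings as $f ) {
        printf( "%-38s %s\n", $f['reason'], $f['path'] );
    }
    exit( count( $findings ) > 0 ? 1 : 0 );
}
```

A non-zero exit status makes the script usable from cron or a CI job. Any hit should be cross-checked against the web server access log (requests to that path, and the POST that created it) before the file is removed, so the entry point and the upload time are preserved for the incident record.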