CVE-2025-13374 is a critical security vulnerability identified in the Kalrav AI Agent plugin for WordPress, affecting all versions up to and including 2.3.3. The root cause is the lack of file type validation in the kalrav_upload_file AJAX action, which allows unauthenticated attackers to upload arbitrary files to the web server hosting the vulnerable WordPress site. This vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type). Because the upload mechanism does not restrict file types, attackers can upload malicious scripts or executable files, potentially leading to remote code execution (RCE). The vulnerability requires no authentication or user interaction, making it trivially exploitable over the network. The CVSS v3.1 base score is 9.8, indicating critical severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed. The impact includes full compromise of the affected system's confidentiality, integrity, and availability. Although no public exploits are currently known, the vulnerability's characteristics make it a prime target for attackers seeking to gain unauthorized control over WordPress sites. The absence of available patches at the time of disclosure necessitates immediate mitigation efforts by site administrators. This vulnerability poses a significant risk to any organization using the Kalrav AI Agent plugin, especially those with public-facing WordPress installations.

The impact of CVE-2025-13374 is severe and multifaceted. Successful exploitation allows attackers to upload arbitrary files, including web shells or other malicious payloads, enabling remote code execution on the affected server. This can lead to full system compromise, data theft, defacement, or use of the server as a pivot point for further attacks within the network. Confidentiality is compromised as attackers can access sensitive data stored on the server. Integrity is at risk due to the potential modification or deletion of files. Availability can be disrupted if attackers deploy ransomware or launch denial-of-service attacks from the compromised server. Given the widespread use of WordPress and the plugin's presence, a large number of websites and organizations are at risk, including e-commerce sites, government portals, and corporate blogs. The lack of authentication and user interaction requirements lowers the barrier for exploitation, increasing the likelihood of attacks. Organizations may face reputational damage, regulatory penalties, and operational disruption if exploited.

1. Immediate removal or disabling of the Kalrav AI Agent plugin until a secure patched version is released. 2. Monitor web server logs for suspicious file upload attempts, especially POST requests to the kalrav_upload_file AJAX endpoint. 3. Implement web application firewall (WAF) rules to block or restrict file uploads to the vulnerable endpoint, including filtering by file extension and MIME type. 4. Restrict file permissions on upload directories to prevent execution of uploaded files. 5. Employ network segmentation to limit the impact of a compromised web server. 6. Regularly back up website data and configurations to enable recovery in case of compromise. 7. Stay informed on vendor updates and apply patches promptly once available. 8. Conduct security audits and penetration testing focused on file upload functionalities. 9. Use security plugins that enforce strict file upload validation and scanning for malicious content. 10. Educate site administrators about the risks of installing unverified plugins and the importance of timely updates.