CVE-2025-13597: CWE-434 Unrestricted Upload of File with Dangerous Type in soportecibeles AI Feeds
The AI Feeds plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check in the 'actualizador_git.php' file in all versions up to, and including, 1.0.11. This makes it possible for unauthenticated attackers to make the site download arbitrary GitHub repositories and overwrite plugin files on the affected site's server, which may make remote code execution possible.
AI Analysis
Technical Summary
CVE-2025-13597 is a critical vulnerability, classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), in the AI Feeds plugin for WordPress by soportecibeles. The flaw is in the 'actualizador_git.php' file, an updater script that fetches a GitHub repository and writes its contents into the plugin directory. The script performs no capability check, so any unauthenticated visitor who can reach it can trigger the update, choose which repository is fetched, and have its files extracted over the plugin's own. Because PHP files in a plugin directory are executed by the web server, an attacker who can write arbitrary PHP there gains remote code execution with the privileges of the web server user. All versions up to and including 1.0.11 are affected. The CVSS v3.1 base score is 9.8 (critical): network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity and availability, since the whole WordPress site can be compromised. No exploitation in the wild had been reported at the time of this analysis, but the exploit is a single unauthenticated request, so that should not be relied on. The root cause is a general one: an update mechanism that fetches and installs code must be restricted to privileged users and must not let the requester choose the source of the code.
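The pattern described above, shown as an added illustration that is not the AI Feeds plugin's code: a fetch-and-overwrite handler with no capability check, beside a hardened version. The hook names, the 'repo' request parameter, the plugin directory name 'ai-feeds' and the pinned repository are all assumptions made for the example; the advisory does not publish the vulnerable source.

```php
<?php
// Added example (hypothetical reconstruction), not the vendor's code.
// Requires the WordPress admin file helpers for download_url()/unzip_file().
require_once ABSPATH . 'wp-admin/includes/file.php';

// Shared helper: fetch a GitHub branch archive and extract it into the plugin
// directory. Whoever can reach a handler that calls this decides what gets
// installed. The archive layout handling of the real updater is not documented
// in the advisory, so the extraction target here is an assumption.
function aifeeds_fetch_and_extract( $repo ) {
    $url = 'https://github.com/' . $repo . '/archive/refs/heads/main.zip';
    $tmp = download_url( $url );            // temp file, or WP_Error
    if ( is_wp_error( $tmp ) ) {
        return $tmp;
    }
    WP_Filesystem();                        // initialise $wp_filesystem for unzip_file()
    $result = unzip_file( $tmp, WP_PLUGIN_DIR . '/ai-feeds' );
    @unlink( $tmp );
    return $result;
}

// VULNERABLE PATTERN (do not ship): the repository comes from the request and
// nothing checks who is asking. Registered on the *_nopriv_ hook it is reachable
// without logging in, which matches "missing capability check, unauthenticated".
function aifeeds_git_update_vulnerable() {
    $repo = isset( $_GET['repo'] ) ? sanitize_text_field( wp_unslash( $_GET['repo'] ) ) : '';
    aifeeds_fetch_and_extract( $repo );     // attacker-controlled $repo -> attacker's PHP on disk
    wp_die( 'updated' );
}
// add_action( 'admin_post_nopriv_aifeeds_git_update', 'aifeeds_git_update_vulnerable' );

// HARDENED PATTERN: only users allowed to update plugins, only with a valid
// nonce (blocks CSRF), and the source repository is fixed in code rather than
// taken from the request.
define( 'AIFEEDS_UPDATE_REPO', 'soportecibeles/ai-feeds' ); // assumed name

function aifeeds_git_update_hardened() {
    if ( ! current_user_can( 'update_plugins' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    check_admin_referer( 'aifeeds_git_update' ); // dies on missing/invalid nonce

    $result = aifeeds_fetch_and_extract( AIFEEDS_UPDATE_REPO );
    if ( is_wp_error( $result ) ) {
        wp_die( esc_html( $result->get_error_message() ), 500 );
    }
    wp_safe_redirect( admin_url( 'plugins.php?aifeeds_updated=1' ) );
    exit;
}
// Only the authenticated hook is registered; there is deliberately no nopriv variant.
add_action( 'admin_post_aifeeds_git_update', 'aifeeds_git_update_hardened' );
```

The three changes together matter: a capability check alone still leaves CSRF, a nonce alone still lets any logged-in subscriber trigger the update, and neither helps if the repository name stays attacker-chosen. If the real script is loaded directly by URL rather than through a WordPress hook, the same checks have to run after bootstrapping WordPress, or the file should not be web-reachable at all.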
Potential Impact
The impact of CVE-2025-13597 is severe for any organization running WordPress with the AI Feeds plugin installed. Successful exploitation gives the attacker code execution as the web server user: they can run arbitrary commands, install backdoors, read the database credentials in wp-config.php and everything reachable with them, deface the site, or use the server as a pivot into the rest of the network. The consequences include data breaches, service downtime, loss of customer trust and regulatory exposure. Because no authentication or user interaction is required, the bug is well suited to automated mass exploitation against every site exposing the plugin. Overwriting legitimate plugin files also gives attackers a natural persistence mechanism: malicious code hidden inside a trusted plugin survives ordinary cleanup and is easy to miss in review. At the time of this analysis no fixed version was identified, which makes interim mitigation urgent.
Mitigation Recommendations
To mitigate CVE-2025-13597, first deny all web access to the 'actualizador_git.php' file with a web server rule (.htaccess on Apache, a location block on nginx, or an equivalent WAF rule) until a fixed version is available; if that is not practical, deactivate or remove the plugin. Monitor web server logs for requests to this file, since any hit from the public internet is either a scan or an exploitation attempt. Check the integrity of the plugin directory against a clean copy and treat unexpected files or modified PHP as a sign of compromise, not just a misconfiguration. Apply the vendor fix promptly once it enforces a proper capability check. Beyond this bug, keep WordPress core and plugins current, limit plugins to trusted sources, run a WAF, keep tested backups and an incident response plan, and run the web server account with least privilege so that code execution in PHP does not immediately become full host compromise.
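The web server rule recommended above, as an added example that is not from the advisory or the vendor (Apache 2.4 syntax; the plugin directory name 'ai-feeds' is an assumption, so adjust the path to your install):

```apache
# Added example: deny direct web access to the vulnerable updater script.
# Place in wp-content/plugins/ai-feeds/.htaccess (assumed directory name),
# or in the site root .htaccess, where <Files> matches the file name at any depth.
<Files "actualizador_git.php">
    Require all denied
</Files>
```

On nginx the equivalent is a location block matching the same path that returns 403. Two caveats: the rule only works if Apache honours .htaccess for that directory (AllowOverride), so confirm with a request from outside that the response is 403 and not 200; and if the vulnerable code runs through a WordPress hook (admin-ajax.php or admin-post.php) rather than by loading the file directly, a file-level block does not reach it, and the plugin should be deactivated or the request blocked at the WAF instead.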
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-24T07:35:20.877Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 692631dfacb2eea424dd30df
Added to database: 11/25/2025, 10:46:55 PM
Last enriched: 2/27/2026, 10:01:36 AM
Last updated: 3/25/2026, 8:45:49 AM