Arbitrary File Upload Vulnerability in Kalrav AI Agent Plugin for WordPress
CVE-2025-13374

9.8CRITICAL

Key Information:

Vendor: WordPress
Status: Kalrav Ai Agent
Vendor: CVE Published:; 24 January 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-13374?

The Kalrav AI Agent plugin for WordPress suffers from a serious security flaw that allows unauthenticated users to upload arbitrary files to the server. This vulnerability arises from inadequate file type validation in the 'kalrav_upload_file' AJAX action, affecting all versions through 2.3.3. Successful exploitation can lead to potential remote code execution, posing a significant risk to the integrity and confidentiality of the affected site. Site administrators are strongly advised to update to the latest version immediately to mitigate potential threats.

Affected Version(s)

Kalrav AI Agent 0 <= 2.3.3

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-13374
Created by boroeurnprach

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/kalrav-ai-agen...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jan 25, 2026
👾
Exploit known to exist
Jan 25, 2026
Vulnerability published
Jan 24, 2026
Vulnerability Reserved
Nov 18, 2025

Credit

Ryan Kozak

CVE-2025-13374 Data

JSON