Arbitrary File Upload Vulnerability in CIBELES AI Plugin for WordPress
CVE-2025-13595

9.8CRITICAL

Key Information:

Vendor: WordPress
Status: Cibeles Ai
Vendor: CVE Published:; 25 November 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-13595?

The CIBELES AI plugin for WordPress contains a vulnerability that allows attackers to upload arbitrary files. This issue stems from a missing capability check in the 'actualizador_git.php' file, affecting all versions up to and including 1.10.8. As a result, unauthenticated users can exploit this gap, potentially downloading unauthorized GitHub repositories and overwriting existing plugin files on the server. This vulnerability poses a risk of remote code execution, highlighting the importance of maintaining updated and secure plugins.

Affected Version(s)

CIBELES AI * <= 1.10.8

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-13595
Created by d0n601

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/cibeles-ai/tru...

https://plugins.trac.wordpress.org/changeset/3402311/cibe...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Nov 26, 2025
👾
Exploit known to exist
Nov 26, 2025
Vulnerability published
Nov 25, 2025
Vulnerability Reserved
Nov 24, 2025

Credit

Ryan Kozak

JSON