Description
The CIBELES AI plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check in the 'actualizador_git.php' file in all versions up to, and including, 1.10.8. This makes it possible for unauthenticated attackers to download arbitrary GitHub repositories and overwrite plugin files on the affected site's server, which may make remote code execution possible.
Published: 2025-11-25
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The CIBELES AI WordPress plugin exposes an update endpoint (actualizador_git.php) that lacks a capability check, so any visitor can trigger it and cause arbitrary files to be written; the weakness is classified as CWE‑434. Because the endpoint can download any GitHub repository and overwrite the plugin's own files, an attacker could place malicious PHP code on the server to gain full control of the site, exfiltrate data, and establish persistence.

Affected Systems

WordPress sites that have installed the CIBELES AI plugin version 1.10.8 or earlier, supplied by the vendor soportecibeles, are affected. These legacy versions are still deployed on many production sites.

Risk and Exploitability

The CVSS score of 9.8 categorizes this defect as Critical, while the EPSS score of less than 1% indicates a low current exploitation probability. The vulnerability can be leveraged by unauthenticated users; if exploited, remote code execution is possible. The vulnerability is not listed in CISA’s KEV catalog, but its severity warrants high‑priority attention.

Generated by OpenCVE AI on April 21, 2026 at 17:57 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the CIBELES AI plugin to the latest version that includes the missing capability check; if no update is available, uninstall the plugin entirely.
  • Configure the web server or .htaccess file to block direct access to actualizador_git.php or require authentication for that endpoint to prevent unauthorized uploads.
  • Implement a file‑type validation policy that accepts only trusted file types for WordPress uploads. Monitor the plugin directory for unexpected changes so that possible exploitation attempts are detected.
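The first two recommended actions describe the same control from two sides: the update handler itself must verify that the caller is authorized, and the web server should not let anonymous requests reach it. The following block is an added illustration written for this page; it is not code from the CIBELES AI plugin and says nothing about how actualizador_git.php is actually implemented. It shows what a WordPress update handler looks like once the missing capability check is in place, together with the two checks a reviewer would expect next to it (a nonce and an allow-list of repositories). Every name in it (the admin-post action, the option key, the function names and the assumption that the default branch is `main`) is hypothetical.

```php
<?php
/**
 * Added illustration, not the plugin's code. A WordPress "update from GitHub"
 * handler with the authorization checks the advisory says are missing.
 * All action, option and function names below are hypothetical.
 */

// Register the handler only on the authenticated admin-post hook. There is
// deliberately no 'admin_post_nopriv_' registration, so a visitor who is not
// logged in never reaches the handler at all.
add_action( 'admin_post_example_git_update', 'example_handle_git_update' );

function example_handle_git_update() {
    // 1. Capability check: only users allowed to update plugins may continue.
    //    This is the check the advisory reports as missing.
    if ( ! current_user_can( 'update_plugins' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }

    // 2. CSRF protection: the request must carry a nonce issued for this action,
    //    so a logged-in administrator cannot be tricked into triggering it.
    check_admin_referer( 'example_git_update' );

    // 3. Input validation: the repository must be one the site owner approved
    //    in advance, not an arbitrary "owner/name" taken from the request.
    $requested = isset( $_POST['repo'] ) ? sanitize_text_field( wp_unslash( $_POST['repo'] ) ) : '';
    if ( ! example_repo_is_allowed( $requested ) ) {
        wp_die( 'Repository not in allow-list.', 'Bad Request', array( 'response' => 400 ) );
    }

    // 4. Destination control: extract only into a directory derived from the
    //    validated name, never into the plugin root or a caller-chosen path.
    $target = example_target_dir( $requested );
    $result = example_download_and_extract( $requested, $target );
    if ( is_wp_error( $result ) ) {
        wp_die( esc_html( $result->get_error_message() ), 'Update failed', array( 'response' => 500 ) );
    }

    wp_safe_redirect( admin_url( 'plugins.php?example_git_update=done' ) );
    exit;
}

/**
 * Allow-list of "owner/name" repositories stored by an administrator.
 * Each segment must start with an alphanumeric character, which rejects
 * "." and ".." segments before they can reach any filesystem path.
 */
function example_repo_is_allowed( $repo ) {
    $allowed = (array) get_option( 'example_git_update_allowed_repos', array() );
    return '' !== $repo
        && (bool) preg_match( '#^[A-Za-z0-9][A-Za-z0-9_.-]*/[A-Za-z0-9][A-Za-z0-9_.-]*$#', $repo )
        && in_array( $repo, $allowed, true );
}

/** Per-repository directory under this plugin; "/" is replaced so the name is one path segment. */
function example_target_dir( $repo ) {
    return plugin_dir_path( __FILE__ ) . 'repos/' . str_replace( '/', '-', $repo ) . '/';
}

/**
 * Fetch the repository archive and unpack it into $target using the WordPress
 * filesystem API. Assumes the default branch is named "main" (hypothetical).
 */
function example_download_and_extract( $repo, $target ) {
    require_once ABSPATH . 'wp-admin/includes/file.php'; // download_url(), unzip_file(), WP_Filesystem()

    $tmp = download_url( 'https://github.com/' . $repo . '/archive/refs/heads/main.zip' );
    if ( is_wp_error( $tmp ) ) {
        return $tmp;
    }

    WP_Filesystem();
    wp_mkdir_p( $target );
    $result = unzip_file( $tmp, $target ); // true on success, WP_Error otherwise
    @unlink( $tmp );
    return $result;
}
```

The form that submits to this handler would be rendered with `wp_nonce_field( 'example_git_update' )` so that `check_admin_referer()` succeeds for legitimate administrators. For the second recommended action, the equivalent control outside the plugin is a web-server rule that denies direct requests to the endpoint; with Apache 2.4 that is a `<Files "actualizador_git.php">` block containing `Require all denied` in the site's .htaccess, which stops the endpoint being reachable at all until a fixed version is installed.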

Advisories

No advisories yet.

History

Thu, 27 Nov 2025 10:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Wordpress; Wordpress wordpress
Vendors & Products  |                | Wordpress; Wordpress wordpress

Wed, 26 Nov 2025 15:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 25 Nov 2025 22:45:00 +0000

Type        | Values Removed | Values Added
Description |                | The CIBELES AI plugin for WordPress is vulnerable to arbitrary file uploads due to missing capability check in the 'actualizador_git.php' file in all versions up to, and including, 1.10.8. This makes it possible for unauthenticated attackers to download arbitrary GitHub repositories and overwrite plugin files on the affected site's server which may make remote code execution possible.
Title       |                | CIBELES AI <= 1.10.8 - Unauthenticated Arbitrary File Upload
Weaknesses  |                | CWE-434
References  |                |
Metrics     |                | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:16:50.477Z

Reserved: 2025-11-24T07:27:39.142Z

Link: CVE-2025-13595

Vulnrichment

Updated: 2025-11-26T14:54:20.579Z

NVD

Status : Deferred

Published: 2025-11-25T23:15:46.213

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13595

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T18:00:11Z

Weaknesses