Description
The AI Feeds plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check in the 'actualizador_git.php' file in all versions up to, and including, 1.0.11. This makes it possible for unauthenticated attackers to download arbitrary GitHub repositories and overwrite plugin files on the affected site's server, which may make remote code execution possible.
Published: 2025-11-25
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via File Upload
Action: Immediate Patch
AI Analysis

Impact

The AI Feeds plugin for WordPress suffers from an unauthenticated file-upload flaw exposed through the actualizador_git.php endpoint. Because the code omits a capability check, any visitor can cause the plugin to download arbitrary GitHub repositories and overwrite plugin files on the server. If an attacker replaces a plugin file with malicious code, remote code execution is possible. The flaw is a classic instance of CWE-434, unrestricted upload of a file with a dangerous type.
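The root cause described above is a request handler that performs a privileged action (fetching a repository and writing it into the plugin directory) without first verifying that the caller is allowed to do so. The following PHP is an added illustration for this advisory, not code from the AI Feeds plugin or from Wordfence: it sketches the unsafe shape of such a handler next to a hardened version that adds the capability check, CSRF nonce and a fixed source allowlist. The function names, the `example_git_update` AJAX action and the allowlisted repository URL are hypothetical; the WordPress APIs used (`current_user_can`, `check_ajax_referer`, `download_url`, `unzip_file`, `WP_Filesystem`) are standard core functions.

```php
<?php
/**
 * Added illustration for this advisory; not code from the AI Feeds plugin.
 * Shows a "pull an update from GitHub" endpoint with no capability check
 * beside a hardened version. Function names, the AJAX action name and the
 * repository allowlist are hypothetical.
 */

defined( 'ABSPATH' ) || exit;

require_once ABSPATH . 'wp-admin/includes/file.php'; // download_url(), unzip_file()

/* ---- Vulnerable shape (do not deploy) ---------------------------------- */
// Registered on the nopriv hook and doing no checks: any visitor can name a
// repository and have it unpacked over the plugin directory. This is the
// CWE-434 pattern the advisory describes.
function example_git_update_unsafe() {
    $repo = isset( $_REQUEST['repo'] ) ? (string) $_REQUEST['repo'] : '';
    example_fetch_and_unpack( $repo, plugin_dir_path( __FILE__ ) );
    wp_die();
}
// add_action( 'wp_ajax_nopriv_example_git_update', 'example_git_update_unsafe' );

/* ---- Hardened shape ----------------------------------------------------- */
function example_git_update_safe() {
    // 1. Authorisation: only users who may update plugins can trigger this.
    if ( ! current_user_can( 'update_plugins' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    // 2. CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'example_git_update' );

    // 3. The update source is fixed in code, never taken from the request.
    $allowed_repos = array(
        'https://github.com/example-org/example-plugin', // hypothetical
    );
    $repo = isset( $_POST['repo'] ) ? esc_url_raw( wp_unslash( $_POST['repo'] ) ) : '';
    if ( ! in_array( $repo, $allowed_repos, true ) ) {
        wp_send_json_error( 'repository not permitted', 400 );
    }

    $result = example_fetch_and_unpack( $repo, plugin_dir_path( __FILE__ ) );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success( 'updated' );
}
// Logged-in hook only; there is deliberately no wp_ajax_nopriv_ registration.
add_action( 'wp_ajax_example_git_update', 'example_git_update_safe' );

/**
 * Download the default-branch archive of $repo and unpack it into $target.
 * Returns true on success or a WP_Error. Shared by both handlers above.
 */
function example_fetch_and_unpack( $repo, $target ) {
    $archive = download_url( $repo . '/archive/refs/heads/main.zip' ); // temp path or WP_Error
    if ( is_wp_error( $archive ) ) {
        return $archive;
    }
    WP_Filesystem(); // initialise the global $wp_filesystem used by unzip_file()
    $result = unzip_file( $archive, $target );
    @unlink( $archive );
    return $result;
}
```

Two details carry most of the weight: registering the handler only on `wp_ajax_` (never `wp_ajax_nopriv_`) means WordPress will not even dispatch the request for anonymous visitors, and `current_user_can( 'update_plugins' )` ties the action to the same capability WordPress itself requires for plugin updates. The nonce then prevents a logged-in administrator from being tricked into triggering the update from another site.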

Affected Systems

All installations of AI Feeds version 1.0.11 and earlier, distributed by soportecibeles, are affected. Any WordPress site that has not upgraded or disabled the plugin is vulnerable, regardless of additional configuration.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity, while the EPSS score of less than 1% indicates a low but non-zero exploitation probability. The vulnerability is not listed in CISA's KEV catalog, so no widespread exploitation has been reported. Attackers can exploit the flaw over HTTP without authentication and overwrite plugin files, potentially delivering arbitrary code.

Generated by OpenCVE AI on April 21, 2026 at 01:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the AI Feeds plugin to the latest release where the upload restriction has been corrected.
  • If upgrading is not immediately possible, delete or deactivate the AI Feeds plugin to remove the vulnerable code from the site.
  • Configure web security controls (e.g., a WAF or security plugin) to block unauthenticated file uploads and harden file-write permissions for the plugin directory.



Advisories

No advisories yet.

History

Thu, 27 Nov 2025 10:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Wordpress; Wordpress wordpress
Vendors & Products  |                | Wordpress; Wordpress wordpress

Wed, 26 Nov 2025 15:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 25 Nov 2025 22:45:00 +0000

Type        | Values Removed | Values Added
Description |                | The AI Feeds plugin for WordPress is vulnerable to arbitrary file uploads due to missing capability check in the 'actualizador_git.php' file in all versions up to, and including, 1.0.11. This makes it possible for unauthenticated attackers to download arbitrary GitHub repositories and overwrite plugin files on the affected site's server which may make remote code execution possible.
Title       |                | AI Feeds <= 1.0.11 - Unauthenticated Arbitrary File Upload
Weaknesses  |                | CWE-434
References  |                |
Metrics     |                | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:20:47.429Z

Reserved: 2025-11-24T07:35:20.877Z

Link: CVE-2025-13597

Vulnrichment

Updated: 2025-11-26T14:54:54.988Z

NVD

Status : Deferred

Published: 2025-11-25T23:15:47.377

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13597

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T01:30:24Z

Weaknesses