CVE-2025-13374: Kalrav: Arbitrary File Upload enables RCE

Severity: CRITICAL | PoC available | CISA SSVC: Track*
Published January 24, 2026
CISO Take

CVE-2025-13374 is a critical unauthenticated RCE vulnerability in the Kalrav AI Agent WordPress plugin — any site running version ≤2.3.3 is fully exposed with zero prerequisites for exploitation. An attacker can upload a PHP web shell and achieve full server compromise in under five minutes, with a public PoC already available on GitHub. Immediately disable or remove the plugin; if the server has been internet-exposed since January 2025, treat it as potentially compromised and rotate all AI API keys stored on that host.

What is the risk?

CRITICAL. CVSS 9.8 with network-accessible, zero-authentication, zero-interaction exploitation. The plugin's AJAX handler accepts file uploads without any type or extension validation, meaning any unauthenticated HTTP POST can plant executable code on the server. Exposure is every public-facing WordPress site with the plugin installed — no scanning, fingerprinting, or credential acquisition needed. A working PoC (github.com/d0n601/CVE-2025-13374) is already public, making mass exploitation by unsophisticated attackers highly likely.

How severe is it?

CVSS 3.1: 9.8 / 10
EPSS: 1.1% chance of exploitation in 30 days (higher than 60% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium. Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

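Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High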

What should I do?

  1. IMMEDIATE: Enumerate all WordPress installations with kalrav-ai-agent plugin ≤2.3.3 across your environment.

  2. DISABLE or REMOVE the plugin — no patch is available; do not wait.

  3. SCAN webroot and upload directories for recently created .php, .phtml, .phar, or .cgi files (check last 60 days minimum).

  4. AUDIT server logs for POST requests to wp-admin/admin-ajax.php with action=kalrav_upload_file — any hit is a confirmed exploitation attempt.

  5. ROTATE all AI API keys stored on the affected server (OpenAI, Anthropic, database credentials, Stripe keys).

  6. If compromise is confirmed, treat server as fully owned and perform fresh OS-level deployment.

  7. As a temporary WAF control if removal is not immediately possible, block multipart/form-data POST requests to the vulnerable AJAX action endpoint.
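
One way to run the step 4 log audit and tie it to step 3, as an added example (not code from the advisory or the plugin). It assumes Combined Log Format access logs and the default WordPress /wp-content/uploads/ path; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format (assumed): ip - user [time] "METHOD target PROTO" status ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
AJAX_PATH = "/wp-admin/admin-ajax.php"
ACTION = "kalrav_upload_file"                   # AJAX action named in the advisory
EXEC_EXT = (".php", ".phtml", ".phar", ".cgi")  # extensions listed in step 3
UPLOADS = "/wp-content/uploads/"                # assumption: default uploads path

def audit(lines):
    """Return findings as (kind, client_ip, timestamp, target) tuples."""
    findings, ajax_posters = [], set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, ts, method, target, status = m.groups()
        url = urlsplit(target)
        path = url.path.lower()
        if method == "POST" and path.endswith(AJAX_PATH):
            ajax_posters.add(ip)
            # Access logs omit request bodies, so the action is only visible
            # here when it was sent in the query string.
            if ACTION in parse_qs(url.query).get("action", []):
                findings.append(("upload_action", ip, ts, target))
        elif UPLOADS in path and path.endswith(EXEC_EXT) and status == "200":
            # A script served from the uploads tree; stronger signal when the
            # same client POSTed to admin-ajax.php earlier in the log.
            seen = ip in ajax_posters
            kind = "script_after_ajax_post" if seen else "script_in_uploads"
            findings.append((kind, ip, ts, target))
    return findings

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Jan/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=kalrav_upload_file HTTP/1.1" 200 64 "-" "curl/8.5.0"',
    '198.51.100.4 - - [25/Jan/2026:10:01:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Jan/2026:10:01:09 +0000] "GET /wp-content/uploads/2026/01/img_0012.php HTTP/1.1" 200 12 "-" "curl/8.5.0"',
    '198.51.100.9 - - [25/Jan/2026:10:03:00 +0000] "GET /wp-content/uploads/2026/01/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [25/Jan/2026:10:04:00 +0000] "GET /wp-content/uploads/old/cache.phtml HTTP/1.1" 200 8 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding, sep="\t")
```

POSTs to admin-ajax.php without the action in the query string are ordinary WordPress traffic, so they are recorded only for correlation and not reported on their own.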

What does CISA's SSVC say?

Decision Track*
Exploitation none
Automatable Yes
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2 - AI system security
A.6.2.6 - AI system security and resilience
A.8.4 - AI system acquisition, development and maintenance
NIST AI RMF
MANAGE 2.2 - Mechanisms are in place to respond to and recover from incidents
MANAGE-2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems
MAP 2.1 - Scientific findings and organizational risks are identified and used
OWASP LLM Top 10
LLM07 - Insecure Plugin Design
LLM08 - Excessive Agency

Frequently Asked Questions

Is CVE-2025-13374 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-13374, increasing the risk of exploitation.

What systems are affected by CVE-2025-13374?

This vulnerability affects the following AI/ML architecture patterns: WordPress AI agent deployments, Plugin-based AI chatbot integrations, Web-hosted model inference frontends, AI agent frameworks with web interfaces, Server-side RAG pipelines accessible from compromised WordPress host.

What is the CVSS score for CVE-2025-13374?

CVE-2025-13374 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 1.06%.

What is the AI security impact?

Affected AI Architectures

  • WordPress AI agent deployments
  • Plugin-based AI chatbot integrations
  • Web-hosted model inference frontends
  • AI agent frameworks with web interfaces
  • Server-side RAG pipelines accessible from compromised WordPress host

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0053 AI Agent Tool Invocation
AML.T0072 Reverse Shell
AML.T0081 Modify AI Agent Configuration
AML.T0083 Credentials from AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2, A.6.2.6, A.8.4
NIST AI RMF: MANAGE 2.2, MANAGE-2.2, MAP 2.1
OWASP LLM Top 10: LLM07, LLM08

What are the technical details?

Original Advisory

The Kalrav AI Agent plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the kalrav_upload_file AJAX action in all versions up to, and including, 2.3.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Exploitation Scenario

An adversary uses WPScan or Shodan to identify WordPress sites running the Kalrav AI Agent plugin. With a single unauthenticated HTTP POST to /wp-admin/admin-ajax.php?action=kalrav_upload_file, they upload a PHP web shell — no extension validation means any filename works. They browse to the uploaded file URL to gain interactive command execution. Within minutes they extract OpenAI/Anthropic API keys from wp-config.php and server environment variables, dump the WordPress database for user PII, establish persistence via a cron-based reverse shell, and pivot to internal AI services reachable from the server. The full chain requires no credentials, no AI/ML knowledge, and under five minutes of effort.

Weaknesses (CWE)

CWE-434 — Unrestricted Upload of File with Dangerous Type: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

  • [Architecture and Design] Generate a new, unique filename for an uploaded file instead of using the user-supplied filename, so that no external input is used at all. [REF-422] [REF-423]
  • [Architecture and Design] When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
January 24, 2026
Last Modified
April 15, 2026
First Seen
January 24, 2026
