CVE-2025-13595: 
WordPress vulnerability analysis and mitigation

The CIBELES AI WordPress plugin contains a critical vulnerability (CVE-2025-13595) discovered in versions up to and including 1.10.8. The vulnerability was disclosed on November 25, 2025, and affects the plugin's actualizador_git.php file. This security flaw allows unauthenticated attackers to perform arbitrary file uploads due to missing capability checks (NVD, Kozak Blog).

The vulnerability exists in the actualizadorgit.php file, which implements a GitHub repository mirroring system accessible via HTTP without proper security controls. The file lacks the standard WordPress ABSPATH check and accepts unvalidated parameters directly from $GET. The only validation performed is a basic token check that verifies if the token is empty or set to a default value. The vulnerability has received a CVSS v3.1 score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) (NVD, Kozak Blog).

The vulnerability allows unauthenticated attackers to download arbitrary GitHub repositories and overwrite plugin files on the affected site's server. This capability can lead to remote code execution, potentially giving attackers complete control over the affected WordPress installation (NVD).

The vulnerability has been patched in version 1.10.9 of the CIBELES AI plugin, which removes the vulnerable actualizador_git.php file. Users are strongly advised to update to this version immediately (WordPress Changeset).