CVE-2025-13597: 
WordPress vulnerability analysis and mitigation

The AI Feeds plugin for WordPress contains a critical vulnerability (CVE-2025-13597) in versions up to and including 1.0.11. The vulnerability was discovered in November 2025 and affects the actualizador_git.php file, which lacks proper authentication and authorization controls. This security flaw allows unauthenticated attackers to perform arbitrary file uploads, potentially leading to remote code execution on affected WordPress installations (NVD, Ryan Kozak).

The vulnerability stems from a missing ABSPATH check in the actualizadorgit.php file, which enables direct HTTP access without authentication. The file implements a GitHub repository mirroring system that processes user input from $GET parameters without proper validation. The CVSS v3.1 score is 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating the severity of the vulnerability. The flaw is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) (NVD, Ryan Kozak).

The vulnerability allows unauthenticated attackers to download arbitrary GitHub repositories and overwrite plugin files on the affected site's server. This capability can lead to remote code execution, giving attackers complete control over the affected WordPress installation. The high CVSS score reflects the critical nature of this vulnerability, as it requires no user interaction and can be exploited remotely (NVD).

The vulnerability has been patched in version 1.0.12 of the AI Feeds plugin. The fix involves removing the vulnerable actualizador_git.php file that was directly accessible. Website administrators are strongly advised to update to version 1.0.12 immediately (WordPress Changeset).