CVE-2025-13374: The Kalrav AI Agent plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in
criticalvulnerability
security
Summary
The Kalrav AI Agent plugin for WordPress (versions up to 2.3.3) has a vulnerability in its file upload feature that fails to check what type of file is being uploaded. This allows attackers without user accounts to upload malicious files to the server, potentially leading to RCE (remote code execution, where an attacker can run commands on a system they don't own).
Vulnerability Details
CVSS Score
9.8(critical)
EPSS (30-day exploit probability)
EPSS: 0.1%
Classification
Attack Type
Supply Chain
Attack SophisticationTrivial
Impact (CIA+S)
integrityavailability
Affected Vendors
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2025-13374
First tracked: February 15, 2026 at 08:53 PM
Classified by LLM (prompt v3) · confidence: 92%