CVE-2025-13374
Unknown Unknown - Not Provided
Arbitrary File Upload in Kalrav AI Agent Plugin Enables RCE

Publication date: 2026-01-24

Last updated on: 2026-01-24

Assigner: Wordfence

Description
The Kalrav AI Agent plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the kalrav_upload_file AJAX action in all versions up to, and including, 2.3.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-24
Last Modified
2026-01-24
Generated
2026-06-16
AI Q&A
2026-01-24
EPSS Evaluated
2026-06-14
NVD
CVE-2025-13374
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
kalrav kalrav_ai_agent to 2.3.3 (inc)
kalrav kalrav_ai_agent 3.0.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Kalrav AI Agent plugin for WordPress has a vulnerability that allows unauthenticated attackers to upload arbitrary files to the server because it lacks proper file type validation in the kalrav_upload_file AJAX action. This means attackers can potentially upload malicious files, which could lead to remote code execution on the affected site.

Compliance Impact

The vulnerability allows unauthenticated attackers to upload arbitrary files to the affected WordPress site, potentially leading to remote code execution. This could result in unauthorized access to sensitive data or disruption of services, which may violate compliance requirements under standards like GDPR or HIPAA that mandate protection of personal and health information. Therefore, exploitation of this vulnerability could negatively impact compliance with such regulations by compromising data confidentiality, integrity, and availability.

Impact Analysis

This vulnerability can allow attackers to upload malicious files to your WordPress server without authentication. This can lead to remote code execution, meaning attackers could run arbitrary code on your server, potentially compromising your website, stealing data, defacing the site, or using your server for further attacks.

Detection Guidance

You can detect this vulnerability by checking if your WordPress site is running the Kalrav AI Agent plugin version 2.3.3 or earlier. Since the vulnerability involves the kalrav_upload_file AJAX action allowing arbitrary file uploads without file type validation, you can attempt to detect suspicious POST requests to the AJAX endpoint handling kalrav_upload_file. For example, monitoring web server logs or using tools like curl to test the upload endpoint for acceptance of arbitrary file types. A sample command to test might be: curl -X POST -F 'file=@/path/to/testfile.php' https://yourwordpresssite.com/wp-admin/admin-ajax.php?action=kalrav_upload_file -v. Additionally, monitoring for unexpected file uploads in the plugin's upload directories or scanning for newly added PHP or executable files can help detect exploitation attempts.

Mitigation Strategies

The immediate mitigation step is to update the Kalrav AI Agent plugin to a version later than 2.3.3 where the arbitrary file upload vulnerability is fixed. If an update is not immediately available, you should disable or restrict access to the kalrav_upload_file AJAX action to prevent unauthenticated file uploads. This can be done by restricting access to admin-ajax.php or implementing additional server-side validation or firewall rules to block suspicious requests targeting this action. Additionally, review and remove any suspicious files that may have been uploaded and monitor your site for signs of compromise.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13374. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart