CVE-2025-13374
Arbitrary File Upload in Kalrav AI Agent Plugin Enables RCE

Publication date: 2026-01-24

Last updated on: 2026-01-24

Assigner: Wordfence

Description
The Kalrav AI Agent plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the kalrav_upload_file AJAX action in all versions up to, and including, 2.3.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Affected Vendors & Products
Vendor   Product           Version
kalrav   kalrav_ai_agent   up to 2.3.3 (inclusive)
kalrav   kalrav_ai_agent   3.0.2
CWE
CWE ID    Description
CWE-434   The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows unauthenticated attackers to upload arbitrary files to the affected WordPress site, potentially leading to remote code execution. This could result in unauthorized access to sensitive data or disruption of services, which may violate compliance requirements under standards like GDPR or HIPAA that mandate protection of personal and health information. Therefore, exploitation of this vulnerability could negatively impact compliance with such regulations by compromising data confidentiality, integrity, and availability.


Can you explain this vulnerability to me?

The Kalrav AI Agent plugin for WordPress has a vulnerability that allows unauthenticated attackers to upload arbitrary files to the server because it lacks proper file type validation in the kalrav_upload_file AJAX action. This means attackers can potentially upload malicious files, which could lead to remote code execution on the affected site.


How can this vulnerability impact me?

This vulnerability can allow attackers to upload malicious files to your WordPress server without authentication. This can lead to remote code execution, meaning attackers could run arbitrary code on your server, potentially compromising your website, stealing data, defacing the site, or using your server for further attacks.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

You can detect this vulnerability by checking whether your WordPress site is running the Kalrav AI Agent plugin at version 2.3.3 or earlier. Since the vulnerability lies in the kalrav_upload_file AJAX action accepting uploads without file type validation, you can look for suspicious POST requests to the AJAX endpoint that handles kalrav_upload_file, for example by monitoring web server logs or by using a tool like curl to check whether the upload endpoint accepts arbitrary file types. A sample command to test might be: curl -X POST -F 'file=@/path/to/testfile.php' https://yourwordpresssite.com/wp-admin/admin-ajax.php?action=kalrav_upload_file -v. Additionally, monitoring the plugin's upload directories for unexpected files, or scanning for newly added PHP or other executable files, can help detect exploitation attempts.


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to update the Kalrav AI Agent plugin to a version later than 2.3.3 where the arbitrary file upload vulnerability is fixed. If an update is not immediately available, you should disable or restrict access to the kalrav_upload_file AJAX action to prevent unauthenticated file uploads. This can be done by restricting access to admin-ajax.php or implementing additional server-side validation or firewall rules to block suspicious requests targeting this action. Additionally, review and remove any suspicious files that may have been uploaded and monitor your site for signs of compromise.
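As an added example, not code from the plugin or from this advisory: a hypothetical hardened WordPress AJAX upload handler of the kind the answer above calls server-side validation. It removes the unauthenticated entry point, checks a nonce and a capability, and enforces a file-type allowlist before storing anything; the callback name, nonce action and allowlist contents are assumptions.

```php
<?php
// Added example (hypothetical hardened handler, not the Kalrav AI Agent plugin's
// own code): callback name, nonce action and the allowlist are assumptions.

// Register only the authenticated hook. Not registering the
// 'wp_ajax_nopriv_kalrav_upload_file' variant closes the unauthenticated path.
add_action( 'wp_ajax_kalrav_upload_file', 'example_kalrav_secure_upload' );

function example_kalrav_secure_upload() {
    // 1. CSRF protection: the request must carry a valid nonce (assumed action name).
    check_ajax_referer( 'example_kalrav_upload', 'nonce' );
    // 2. Authorization: only users who may upload media can reach the handler.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    if ( empty( $_FILES['file'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( array( 'message' => 'No file received.' ), 400 );
    }

    // 3. Extension => MIME allowlist. Anything not listed (php, phtml, html,
    //    svg, ...) is rejected; the client-supplied Content-Type is never trusted.
    $allowed = array(
        'pdf'      => 'application/pdf',
        'txt'      => 'text/plain',
        'png'      => 'image/png',
        'jpg|jpeg' => 'image/jpeg',
    );

    $file         = $_FILES['file'];
    $file['name'] = sanitize_file_name( $file['name'] );

    // wp_check_filetype_and_ext() validates the extension against the allowlist
    // and, for images, checks that the file content matches the claimed type.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( array( 'message' => 'File type not allowed.' ), 415 );
    }
    if ( ! empty( $check['proper_filename'] ) ) {
        $file['name'] = $check['proper_filename']; // WP corrected a mismatched extension
    }

    // 4. wp_handle_upload() moves the file into the uploads directory and
    //    re-applies the allowlist through the 'mimes' override.
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( array( 'message' => $result['error'] ), 400 );
    }
    wp_send_json_success( array( 'url' => esc_url_raw( $result['url'] ) ) );
}
```

Even with the handler fixed, configure the web server to refuse PHP execution under wp-content/uploads, so that a future validation bypass cannot turn an uploaded file into remote code execution.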


Meta Information
CVE Publication Date: 2026-01-24
CVE Last Modified Date: 2026-01-24
Report Generation Date: 2026-02-10
AI Powered Q&A Generation: 2026-01-25
EPSS Last Evaluated Date: 2026-02-09