9.8
CVE-2025-13595: CIBELES AI plugin allows unauthorized access to WordPress server
Summary
An unauthenticated attacker can cause a WordPress site running the CIBELES AI plugin to download arbitrary GitHub repositories and overwrite plugin files on the server, which may make remote code execution and unauthorized control of the site possible. The cause is a missing capability check in the plugin's 'actualizador_git.php' file, and all versions up to and including 1.10.8 are affected. To protect your site, update the CIBELES AI plugin to the latest version or remove it if you no longer need it.
Original title
The CIBELES AI plugin for WordPress is vulnerable to arbitrary file uploads due to missing capability check in the 'actualizador_git.php' file in all versions up to, and including, 1.10.8. This mak...
Original description
The CIBELES AI plugin for WordPress is vulnerable to arbitrary file uploads due to missing capability check in the 'actualizador_git.php' file in all versions up to, and including, 1.10.8. This makes it possible for unauthenticated attackers to download arbitrary GitHub repositories and overwrite plugin files on the affected site's server which may make remote code execution possible.
nvd CVSS3.1
9.8
Vulnerability type
CWE-434
Unrestricted File Upload
- https://github.com/d0n601/CVE-2025-13595
- https://plugins.trac.wordpress.org/browser/cibeles-ai/trunk/actualizador_git.php...
- https://plugins.trac.wordpress.org/changeset/3402311/cibeles-ai
- https://ryankozak.com/posts/cve-2025-13595/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b3e89a1c-7606-4391-a38...
Published: 25 Nov 2025 · Updated: 15 Jun 2026 · First seen: 7 Mar 2026