A critical vulnerability exists in the CIBELES AI plugin for WordPress that allows unauthenticated attackers to upload arbitrary files and potentially execute code on the server. This flaw could lead to a complete compromise of the affected website, resulting in data theft, service disruption, and further network intrusion. Immediate patching is required to mitigate this high-risk vulnerability.

The vulnerability is located in the 'actualizador_git.php' file, which fails to perform a proper capability or authentication check. This allows any unauthenticated user to access its functionality. An attacker can exploit this by sending a crafted request to the file, instructing the plugin to download and extract a ZIP archive from an arbitrary GitHub repository, which will then overwrite the plugin's existing files. By hosting a malicious repository containing a PHP webshell or other backdoors, an attacker can achieve remote code execution (RCE) and gain full control over the web server.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation could result in a complete compromise of the web server hosting the WordPress site. Potential consequences include the theft of sensitive data (customer information, payment details, intellectual property), website defacement, loss of service, and significant reputational damage. The compromised server could also be used as a pivot point to launch further attacks against the internal network or be co-opted into a botnet for malicious activities like spamming or DDoS attacks.

Immediate Action: Update the CIBELES AI plugin for WordPress to the latest version provided by the vendor, which addresses this vulnerability. After patching, it is crucial to monitor for any signs of prior exploitation by reviewing web server access logs and checking for unauthorized or suspicious files within the plugin's directory.

Proactive Monitoring: Security teams should monitor for direct HTTP POST requests to the /wp-content/plugins/cibeles-ai/includes/actualizador_git.php file. Look for unusual outbound network traffic from the web server, especially to GitHub. Implement file integrity monitoring (FIM) to detect unauthorized changes to the CIBELES AI plugin files or any other core WordPress files.

Compensating Controls: If immediate patching is not feasible, consider these temporary measures:

• Use a Web Application Firewall (WAF) to create a rule that blocks all access to the actualizador_git.php file.
• Disable the CIBELES AI plugin entirely until a patch can be applied.
• If server access is available, remove execute permissions on the actualizador_git.php file or deny access to it via server configuration rules (e.g., in .htaccess).

Public Exploit Available: false

Given the critical CVSS score of 9.8 and the potential for a full, unauthenticated system compromise, this vulnerability represents a severe risk to the organization. We strongly recommend that the patch be applied immediately across all affected WordPress instances. Although this CVE is not currently listed on the CISA KEV catalog, its characteristics make it a prime target for opportunistic and sophisticated attackers. Treat this vulnerability with the highest priority.