Overview
A critical vulnerability, identified as CVE-2025-13322, has been discovered in the WP AUDIO GALLERY plugin for WordPress. This vulnerability allows authenticated attackers (subscriber-level access and above) to delete arbitrary files on the server due to insufficient file path validation. This flaw can easily lead to remote code execution by deleting critical files such as wp-config.php.
Technical Details
The vulnerability exists in all versions of the WP AUDIO GALLERY plugin up to, and including, version 2.0. The issue stems from the wpag_uploadaudio_callback() AJAX handler, which is responsible for handling audio uploads. This handler does not properly validate user-supplied file paths passed in the audio_upload parameter before using them in the unlink() function. This lack of validation allows an attacker to craft malicious requests to delete any file accessible to the web server user.
Specifically, the code at these locations is vulnerable:
CVSS Analysis
- CVE ID: CVE-2025-13322
- Severity: HIGH
- CVSS Score: 8.1
Possible Impact
The impact of this vulnerability is significant. An attacker exploiting this flaw could:
- Delete arbitrary files on the server.
- Delete
wp-config.php, leading to website compromise. - Achieve Remote Code Execution (RCE) by deleting and replacing critical files.
- Cause denial of service.
Mitigation or Patch Steps
The best course of action is to immediately:
- Update the WP Audio Gallery plugin to the latest version. If a patched version is not available, consider disabling or removing the plugin until a fix is released.
- Implement web application firewall (WAF) rules to filter malicious requests targeting the
wpag_uploadaudio_callback()AJAX handler. - Review server access logs for suspicious activity related to file deletion attempts.
