Critical Security Alert: Arbitrary File Deletion Vulnerability in Modula Image Gallery Plugin (CVE-2025-13645)

Overview

A high-severity security vulnerability, identified as CVE-2025-13645, has been discovered in the Modula Image Gallery plugin for WordPress. This flaw allows authenticated attackers with Author-level access or higher to delete arbitrary files on the server. Successful exploitation of this vulnerability can lead to Remote Code Execution (RCE) if critical files, such as wp-config.php, are deleted.

This vulnerability affects versions 2.13.1 and 2.13.2 of the Modula Image Gallery plugin. It is crucial to update to a patched version immediately.

Technical Details

The vulnerability exists within the ajax_unzip_file function, where insufficient file path validation allows for the deletion of files outside of the intended directory. The plugin fails to properly sanitize the input provided to this function, allowing an attacker to manipulate the file path and target any accessible file on the server.

Specifically, the insufficient validation occurs when processing the file path argument in the ajax_unzip_file function, located within includes/admin/class-modula-gallery-upload.php. By crafting a malicious request with a manipulated file path, an attacker can bypass the intended security checks and delete arbitrary files.
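To make the class of defect and its fix concrete, the following is an added illustration and not code from the Modula plugin or from its patch. It shows a deletion helper that canonicalises the requested path and refuses anything that does not resolve inside one base directory; the helper name, the base-directory argument and the ZIP-only extension policy are assumptions made for the example.

```php
<?php
// Added example (not the plugin's code): confine a file-deletion helper to a
// single base directory. Function name, arguments and the .zip-only policy
// are assumptions for illustration.

declare(strict_types=1);

/**
 * Delete $requested only if, after canonicalisation, it lies inside $base_dir.
 * Returns true on deletion; false when the request is rejected or unlink fails.
 */
function delete_within_dir(string $base_dir, string $requested): bool
{
    // Reject empty input and embedded null bytes before touching the filesystem.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return false;
    }

    // Canonical base directory (symlinks and ".." resolved).
    $base = realpath($base_dir);
    if ($base === false || !is_dir($base)) {
        return false;
    }

    // Never trust a caller-supplied directory component: keep the filename only,
    // so any "../" or absolute prefix in the request is discarded here.
    $candidate = $base . DIRECTORY_SEPARATOR . basename($requested);

    // realpath() resolves symlinks inside the base directory as well, and
    // returns false for files that do not exist.
    $resolved = realpath($candidate);
    if ($resolved === false) {
        return false;
    }

    // Containment check: the resolved path must begin with base + separator.
    // A symlink inside the base that points elsewhere fails this check.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        return false;
    }

    // Only regular files of the expected type (assumed policy: .zip archives).
    if (!is_file($resolved)
        || strtolower(pathinfo($resolved, PATHINFO_EXTENSION)) !== 'zip') {
        return false;
    }

    return unlink($resolved);
}

// Constructed demo: a temporary base directory holding one archive, plus a
// sentinel file outside it that the helper must never be able to reach.
$base    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'delete-demo-' . bin2hex(random_bytes(4));
$outside = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'sentinel-' . bin2hex(random_bytes(4)) . '.zip';
mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'upload.zip', 'PK');
file_put_contents($outside, 'PK');

// Traversal towards the sentinel is rejected; the archive inside the base is deleted.
var_dump(delete_within_dir($base, '../' . basename($outside)));
var_dump(file_exists($outside));
var_dump(delete_within_dir($base, 'upload.zip'));

// Clean up the constructed files.
unlink($outside);
rmdir($base);
```

The two properties that matter are that the directory component never comes from the request (basename) and that the decision is made on the canonical path returned by realpath, not on the string the caller supplied; string-only filters such as stripping "../" are bypassable by encoding tricks and symlinks, which is why the check is done after resolution.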

References to the vulnerable code:

CVSS Analysis

The Common Vulnerability Scoring System (CVSS) score for CVE-2025-13645 is 7.2, indicating a HIGH severity. The CVSS vector string would likely include the following characteristics:

  • AV:N (Attack Vector: Network)
  • AC:L (Attack Complexity: Low)
  • PR:H (Privileges Required: High – Author or above)
  • UI:N (User Interaction: None)
  • S:U (Scope: Unchanged)
  • C:H (Confidentiality: High)
  • I:H (Integrity: High)
  • A:H (Availability: High)

This score reflects the ease of exploitation via the network, the requirement of high privileges (Author or above), and the potential for complete compromise of confidentiality, integrity, and availability.

Possible Impact

The exploitation of CVE-2025-13645 can have severe consequences:

  • Arbitrary File Deletion: Attackers can delete any file on the server accessible to the webserver user.
  • Remote Code Execution (RCE): Deleting critical files like wp-config.php can lead to complete website compromise and enable remote code execution.
  • Data Loss: Deletion of database backups or other essential files can result in significant data loss.
  • Website Defacement: Attackers can deface the website by deleting theme files or other content.
  • Denial of Service (DoS): Deleting core WordPress files can render the website unusable, leading to a denial of service.

Mitigation and Patch Steps

The primary mitigation step is to immediately update the Modula Image Gallery plugin to the latest version. The vulnerability has been patched in versions released after 2.13.2.

If updating is not immediately possible, consider the following temporary workarounds (though these are not substitutes for patching):

  • Disable the Modula Image Gallery plugin temporarily: This will prevent exploitation of the vulnerability.
  • Implement a Web Application Firewall (WAF) rule: A WAF can be configured to detect and block malicious requests targeting the ajax_unzip_file function. Consult your WAF documentation for specific instructions.

The fix involves proper sanitization and validation of the file path within the ajax_unzip_file function. Refer to the following commit for details on the implemented fix:

References

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
