Overview
CVE-2025-12494 is a medium-severity vulnerability in the “Image Gallery – Photo Grid & Video Gallery” plugin for WordPress. Insufficient validation of a caller-supplied file path in the ajax_import_file function allows authenticated attackers with Author-level access or higher to delete arbitrary files on the server. All versions up to and including 2.12.28 are affected.
Technical Details
The vulnerability resides in the ajax_import_file function of the plugin. Because the file path taken from the request is not checked against the gallery directories the function is meant to operate on, an attacker can point it at any file the web-server user is permitted to remove, including files outside the plugin's upload directories and outside the WordPress installation, and have it deleted. The affected code is at lines 554, 567, 589, and 597 of class-modula-gallery-upload.php.
A code commit addressing the issue can be found here: Fix Commit.
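The following is an added illustration of the bug class described above, not the plugin's own code or its actual fix: a WordPress AJAX handler that deletes whatever path the request names, beside a hardened version that accepts only a bare file name and verifies, after realpath() resolution, that the target lives inside the intended import directory. The function names, the `file` request parameter, the nonce action and the `example-gallery-import` directory are assumptions; only the containment helper is exercised by the stand-alone CLI self-check at the bottom, using temporary files it creates itself.

```php
<?php
/**
 * Illustrative before/after for an arbitrary file deletion bug in a WordPress
 * AJAX handler. Not the plugin's code: names, parameters and paths are assumed.
 */

/**
 * Vulnerable pattern: the request supplies the path and the handler deletes
 * whatever it points to. file_exists() is not a security check; a logged-in
 * Author can post file=../../../wp-config.php or an absolute path.
 */
function example_ajax_import_file_vulnerable() {
    $file = isset( $_POST['file'] ) ? wp_unslash( $_POST['file'] ) : '';
    if ( '' !== $file && file_exists( $file ) ) {
        unlink( $file ); // no containment check: path traversal to any deletable file
    }
    wp_send_json_success();
}

/**
 * Return the canonical path of $candidate if it is a regular file inside
 * $base_dir, or false otherwise. realpath() resolves "..", symlinks and
 * repeated separators before the prefix comparison, so the check cannot be
 * bypassed with traversal sequences or a symlink planted inside the directory.
 * Pure PHP on purpose, so it can be unit-tested without WordPress loaded.
 */
function example_path_inside_dir( $candidate, $base_dir ) {
    $base = realpath( $base_dir );
    $real = realpath( $candidate );
    if ( false === $base || false === $real || ! is_file( $real ) ) {
        return false;
    }
    // Normalise separators and keep a trailing slash on the base so that
    // "/uploads/gallery-evil/x" does not match base "/uploads/gallery".
    $base = rtrim( str_replace( '\\', '/', $base ), '/' ) . '/';
    $real = str_replace( '\\', '/', $real );
    return 0 === strncmp( $real, $base, strlen( $base ) ) ? $real : false;
}

/**
 * Hardened handler: CSRF nonce, capability check, bare-file-name only, and a
 * realpath-based containment check before deleting. The nonce and capability
 * checks are defence in depth; the containment check is what closes the hole.
 */
function example_ajax_import_file_hardened() {
    check_ajax_referer( 'example_import_nonce', 'nonce' ); // assumed nonce action
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $upload  = wp_upload_dir();
    $gallery = trailingslashit( $upload['basedir'] ) . 'example-gallery-import'; // assumed staging dir
    $name    = isset( $_POST['file'] ) ? sanitize_file_name( wp_unslash( $_POST['file'] ) ) : '';
    // Reject anything that is not a plain file name before touching the filesystem.
    if ( '' === $name || $name !== basename( $name ) ) {
        wp_send_json_error( 'invalid file name', 400 );
    }
    $target = example_path_inside_dir( $gallery . '/' . $name, $gallery );
    if ( false === $target ) {
        wp_send_json_error( 'file not found in import directory', 400 );
    }
    wp_delete_file( $target );
    wp_send_json_success();
}

// Stand-alone self-check of the containment helper with constructed temp files.
// Runs only from the CLI when WordPress is not loaded.
if ( PHP_SAPI === 'cli' && ! function_exists( 'wp_upload_dir' ) ) {
    $tmp     = sys_get_temp_dir();
    $base    = $tmp . '/example-gallery-' . getmypid();
    $outside = $tmp . '/example-outside-' . getmypid() . '.txt';
    mkdir( $base );
    file_put_contents( $base . '/photo.jpg', 'x' );
    file_put_contents( $outside, 'x' );

    var_dump( false !== example_path_inside_dir( $base . '/photo.jpg', $base ) );            // inside: allowed
    var_dump( example_path_inside_dir( $base . '/../' . basename( $outside ), $base ) );    // traversal: rejected
    var_dump( example_path_inside_dir( '/etc/passwd', $base ) );                            // absolute: rejected
    var_dump( example_path_inside_dir( $base . '-evil/photo.jpg', $base ) );                // prefix trick: rejected

    unlink( $base . '/photo.jpg' );
    unlink( $outside );
    rmdir( $base );
}
```

Two design points are worth calling out. First, the prefix comparison is done on realpath() output with a trailing slash on the base, so neither `..` segments, encoded separators that PHP has already decoded, nor a sibling directory sharing the base name as a prefix can pass. Second, the handler never accepts a directory component at all; restricting the input to a bare file name and joining it to a server-controlled directory is a smaller attack surface than trying to validate an arbitrary path, and the realpath check then only has to catch symlinks.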
CVSS Analysis
- CVSS Score: 4.3 (Medium)
- CVSS Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
- Explanation: The attack is carried out over the network against a low-privilege account (Author or higher), needs no user interaction, and does not cross a scope boundary. Integrity is rated Low because the attacker can remove files but cannot read or alter their contents; confidentiality and availability are rated None. The vector therefore reflects the deletion primitive itself, not the downstream effect of deleting a critical file, which is discussed under Possible Impact.
Possible Impact
Successful exploitation of this vulnerability could lead to:
- Data Loss: Image and other media files within the WordPress installation, or any other file the web-server user is permitted to remove, could be deleted.
- Website Functionality Issues: Deletion of plugin, theme or core files could disrupt the site, causing broken images, gallery errors, or PHP errors on page load.
- Limited Security Impact: Although scored medium, arbitrary file deletion in WordPress can be more serious than the score suggests. Removing wp-config.php, for example, returns the site to its installation flow, which an attacker can complete against a database they control. Whether such files are deletable depends on file ownership and permissions on the server.
Mitigation or Patch Steps
The primary mitigation is to update the “Image Gallery – Photo Grid & Video Gallery” plugin to a release newer than 2.12.28, the last affected version. Confirm the installed version on the Plugins screen (or with WP-CLI) after updating, and enable automatic plugin updates so that future security releases are applied promptly.
If immediate updating is not possible, deactivate the plugin until the update can be applied. A deactivated plugin's code is not loaded, so its AJAX handlers are no longer reachable, but the site's gallery functionality is removed for the duration.
