CVE-2025-7641
Unknown
Unknown - Not Provided
BaseFortify
Publication date: 2025-08-15
Last updated on: 2025-08-15
Assigner: Wordfence
Description
Description
The Assistant for NextGEN Gallery plugin for WordPress is vulnerable to arbitrary directory deletion due to insufficient file path validation in the /wp-json/nextgenassistant/v1.0.0/control REST endpoint in all versions up to, and including, 1.0.9. This makes it possible for unauthenticated attackers to delete arbitrary directories on the server, which can cause a complete loss of availability.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | assistant_for_nextgen_gallery | 1.0.9 |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the Assistant for NextGEN Gallery WordPress plugin, where insufficient validation of file paths in a specific REST endpoint allows unauthenticated attackers to delete arbitrary directories on the server.
How can this vulnerability impact me? :
This vulnerability can lead to a complete loss of availability of the affected server or website by allowing attackers to delete important directories.
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70