CVE-2025-13891
Path Traversal in Image Gallery Plugin Allows Directory Enumeration
Publication date: 2025-12-12
Last updated on: 2025-12-12
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | photo_grid | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Path Traversal issue in the Image Gallery – Photo Grid & Video Gallery plugin for WordPress, affecting all versions up to 2.13.3. It occurs because the modula_list_folders AJAX endpoint does not properly validate user-supplied directory paths or restrict them to safe base directories. Although it checks user capabilities (Author+ with upload_files and edit_posts permissions), it allows authenticated users with Author-level access or higher to enumerate arbitrary directories on the server.
How can this vulnerability impact me?
An attacker with Author-level access or higher can exploit this vulnerability to enumerate arbitrary directories on the server. This could lead to unauthorized disclosure of sensitive files or information stored on the server, potentially compromising the confidentiality of data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking if your WordPress installation is running the Image Gallery – Photo Grid & Video Gallery plugin version 2.13.3 or earlier. Since the vulnerability involves the modula_list_folders AJAX endpoint allowing directory enumeration by authenticated users with Author+ roles, you can monitor HTTP requests to this endpoint for suspicious directory traversal patterns. For example, use network monitoring tools or web server logs to look for requests to 'wp-admin/admin-ajax.php?action=modula_list_folders' with parameters containing '../' sequences or unusual folder paths. Additionally, you can run commands to check the installed plugin version, such as: `wp plugin list --format=json | jq '.[] | select(.name=="modula-best-grid-gallery")'` to verify the plugin version. If you have access to the server, you can also inspect the plugin files to confirm the version. However, no specific detection commands are provided in the resources. [1]
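The log-monitoring approach described above, as an added example that is not part of the original record or of the plugin's own code: it parses access-log lines in the common "combined" format, keeps only calls to admin-ajax.php whose action is modula_list_folders, and flags any other query parameter that contains a traversal sequence after URL decoding (single- or double-encoded). The log lines are constructed for the example, and the parameter name `folder` is an assumption, since the record does not name the parameter; the check therefore inspects every non-action parameter rather than one fixed name. Note that admin-ajax.php is frequently called with POST, in which case the parameters are in the request body and not in the access log; a WAF or application-level log is needed to see them.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache/Nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Dec/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=modula_list_folders&folder=uploads/2025 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Dec/2025:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=modula_list_folders&folder=../../../../etc HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.12 - - [12/Dec/2025:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=modula_list_folders&folder=%2e%2e%2f%2e%2e%2fwp-config HTTP/1.1" 200 1024 "-" "curl/8.0"
203.0.113.13 - - [12/Dec/2025:10:01:12 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "-" "Mozilla/5.0"
203.0.113.14 - - [12/Dec/2025:10:01:15 +0000] "GET /index.php?p=../../etc/passwd HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# Minimal "combined" format parser: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." path component bounded by a slash, backslash, or string edge.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

AJAX_PATH = "/wp-admin/admin-ajax.php"
TARGET_ACTION = "modula_list_folders"


def has_traversal(value):
    """True if the value contains a '..' path component after URL decoding.
    Decoding twice catches double-encoded sequences such as %252e%252e%252f."""
    decoded = unquote(unquote(value))
    return bool(TRAVERSAL_RE.search(decoded))


def scan_log(text):
    """Return one record per modula_list_folders request found in the log text,
    marking which (assumed) parameters carry traversal sequences."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith(AJAX_PATH):
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        if params.get("action") != [TARGET_ACTION]:
            continue
        # Every parameter other than 'action' is a candidate folder path (assumption).
        suspicious = {
            name: values
            for name, values in params.items()
            if name != "action" and any(has_traversal(v) for v in values)
        }
        findings.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "status": int(m.group("status")),
            "suspicious": suspicious,
            "traversal": bool(suspicious),
        })
    return findings


def suspicious_ips(text):
    """Client addresses that sent at least one traversal-style request."""
    return sorted({f["ip"] for f in scan_log(text) if f["traversal"]})


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "TRAVERSAL" if f["traversal"] else "ok"
        print(f'{f["ip"]} {f["timestamp"]} status={f["status"]} {flag} {f["suspicious"]}')
```

A 200 response on a flagged request is the more worrying case, since it suggests the listing was served; the status field is kept in each record so that it can be correlated with the plugin version and the requesting user in application logs.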
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Image Gallery – Photo Grid & Video Gallery plugin to version 2.13.4 or later, as this version includes security fixes that address the vulnerability by enforcing stricter permission checks and improved folder path validation. If updating immediately is not possible, restrict Author-level users from accessing the modula_list_folders AJAX endpoint or limit their permissions to prevent exploitation. Additionally, monitor and audit user activities related to gallery editing and file uploads to detect any suspicious behavior. [1]
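What "restricting paths to a safe base directory" looks like in practice, as an added illustration that is not the plugin's code (the plugin is PHP; the same check translates to realpath() there): the requested folder is joined to the base directory, canonicalised so that `..` segments and symbolic links are resolved, and then accepted only if the canonical result still lies inside the canonical base. The base and folder names used by `demo()` are constructed in a temporary directory for the example; nothing here is taken from the record.

```python
import os
import tempfile
from urllib.parse import unquote


def resolve_within_base(base_dir, requested):
    """Return the canonical path for `requested` inside `base_dir`, or None if
    the request would escape the base (via '..', an absolute path, or a symlink).

    `requested` is expected to be already URL-decoded, as PHP's $_POST/$_GET are."""
    base = os.path.realpath(base_dir)
    # Only relative folder names are legitimate; refuse absolute paths outright.
    if os.path.isabs(requested):
        return None
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath compares whole components, so "/base-other" cannot pass as "/base".
    try:
        if os.path.commonpath([base, candidate]) != base:
            return None
    except ValueError:
        # Raised on Windows when the two paths are on different drives.
        return None
    return candidate


def demo():
    """Exercise the check against a constructed directory layout:
    uploads/2025 (legitimate), a sibling 'secret' directory outside the base,
    and a symlink inside the base pointing at that sibling."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "uploads")
        os.makedirs(os.path.join(base, "2025"))
        os.makedirs(os.path.join(tmp, "secret"))
        results["plain"] = resolve_within_base(base, "2025") is not None
        results["dotdot"] = resolve_within_base(base, "../secret") is None
        results["mid_dotdot"] = resolve_within_base(base, "2025/../../secret") is None
        results["encoded"] = resolve_within_base(base, unquote("%2e%2e/secret")) is None
        results["absolute"] = resolve_within_base(base, os.path.join(tmp, "secret")) is None
        results["nonexistent_inside"] = resolve_within_base(base, "2026") is not None
        try:
            os.symlink(os.path.join(tmp, "secret"), os.path.join(base, "link"))
            results["symlink"] = resolve_within_base(base, "link") is None
        except OSError:
            pass  # symlink creation not permitted on this platform; skip that case
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'blocked/allowed as expected' if ok else 'UNEXPECTED'}")
```

Two points carry over directly to a PHP implementation: the comparison must be made on canonicalised paths (realpath), not on the raw string, because a symlink or a `..` in the middle of an otherwise harmless name defeats a prefix check on the literal input; and a check that only strips `../` from the input is insufficient, since encoded forms and paths that normalise differently after stripping still get through.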