CVE-2025-13322

Name of the Vulnerable Software and Affected Versions WP AUDIO GALLERY plugin for WordPress versions prior to 2.1

Description The WP AUDIO GALLERY plugin for WordPress is susceptible to arbitrary file deletion. This is caused by inadequate file path validation within the wpag uploadaudio callback() AJAX handler, specifically concerning the audio upload parameter before it is passed to the unlink() function. This allows authenticated attackers with subscriber-level access or higher to delete arbitrary files on the server. Deletion of critical files, such as wp-config.php, can lead to remote code execution.

Recommendations Update the WP AUDIO GALLERY plugin to version 2.1 or later.