PT-2025-48789 · WordPress · Modula Image Gallery

Ismailshadow · Published 2025-12-03 · Updated 2025-12-08 · CVE-2025-13645

CVSS v3.1: 7.2 (High)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Modula Image Gallery plugin for WordPress versions 2.13.1 through 2.13.2

Description

The Modula Image Gallery plugin for WordPress is susceptible to arbitrary file deletion due to inadequate file path validation within the ajax unzip file function. Authenticated attackers possessing Author-level access or higher can exploit this to delete arbitrary files on the server. Deletion of specific files, such as wp-config.php, could potentially lead to remote code execution.

Recommendations

Update the Modula Image Gallery plugin to a newer, fixed version. As a temporary workaround, restrict access for users with Author-level permissions or higher. Consider disabling the ajax unzip file function until a patch is available.

Fix

RCE

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2025-13645

Affected Products

Modula Image Gallery