Unrated severityNVD Advisory· Published Dec 3, 2025· Updated Dec 3, 2025
Modula 2.13.1 - 2.13.2 - Authenticated (Author+) Arbitrary File Upload via Race Condition
CVE-2025-13646
Description
The Modula Image Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'ajax_unzip_file' function in versions 2.13.1 to 2.13.2. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files with race condition on the affected site's server which may make remote code execution possible.
Affected products
1- wpchill/Image Gallery – Photo Grid & Video Galleryv5Range: 2.13.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/WPChill/modula-lite/blob/master/includes/admin/class-modula-gallery-upload.phpmitre
- github.com/WPChill/modula-lite/commit/90c8eb982f71b31584d9be9359e3b594e03927d7mitre
- plugins.trac.wordpress.org/changeset/3395701/modula-best-grid-gallerymitre
- plugins.trac.wordpress.org/changeset/3407949/modula-best-grid-gallerymitre
- www.wordfence.com/threat-intel/vulnerabilities/id/59ee0ca2-846d-4ae8-ad19-7c3826861aebmitre
News mentions
0No linked articles in our index yet.