VYPR
Medium severity (CVSS 6.5) · NVD Advisory · Published Dec 12, 2025 · Updated Apr 15, 2026

CVE-2025-13891

Description

The Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.13.3. This is due to the modula_list_folders AJAX endpoint that lacks proper path validation and base directory restrictions. While the endpoint verifies user capabilities (Author+ with upload_files and edit_posts permissions), it fails to validate that user-supplied directory paths reside within safe directories. This makes it possible for authenticated attackers, with Author-level access and above, to enumerate arbitrary directories on the server via the modula_list_folders endpoint.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated path traversal in Modula WordPress plugin (≤2.13.3) allows Author+ users to enumerate arbitrary server directories via the modula_list_folders AJAX endpoint.

The Image Gallery – Photo Grid & Video Gallery (Modula) plugin for WordPress contains an authenticated path traversal vulnerability in its modula_list_folders AJAX endpoint, affecting all versions up to and including 2.13.3. The endpoint is intended for browsing folders during gallery creation, but it accepts a user-supplied directory path without path validation or a base directory restriction [1]. The endpoint does verify that the caller holds Author-level capabilities (upload_files and edit_posts), but that check only governs who may call it, not which directories may be listed [1]. An authenticated attacker can therefore supply an arbitrary absolute or traversal path (for example, one resolving outside wp-content/uploads) and the handler will enumerate it, since nothing anchors the request to an allowed root directory.
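As an added illustration (not the Modula plugin's code, which this page does not reproduce), the following WordPress AJAX handler shows the unsafe pattern the description outlines beside a hardened version that anchors every request to the uploads directory. The hook name example_list_folders, the dir request parameter and the nonce action are assumptions made for the example.

```php
<?php
// Illustrative example, not code from the Modula plugin.
// Hook name, nonce action and the 'dir' parameter are assumptions.

// Unsafe pattern: a capability check gates WHO may call the endpoint, then
// scandir() is run on whatever path the client sent. "/etc" or "../../.."
// are accepted as-is, which is the class of flaw described above.
function example_list_folders_unsafe() {
    if ( ! current_user_can( 'upload_files' ) || ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $dir = isset( $_POST['dir'] ) ? wp_unslash( $_POST['dir'] ) : '';
    wp_send_json_success( array_values( array_diff( scandir( $dir ), array( '.', '..' ) ) ) );
}

// Hardened version: same capability check, plus a nonce and a base-directory
// restriction so the caller can only list folders under wp-content/uploads.
add_action( 'wp_ajax_example_list_folders', 'example_list_folders' );

function example_list_folders() {
    if ( ! current_user_can( 'upload_files' ) || ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_list_folders', 'nonce' ); // dies on failure

    $requested = isset( $_POST['dir'] ) ? wp_unslash( $_POST['dir'] ) : '';
    $base      = wp_get_upload_dir()['basedir'];

    $resolved = example_resolve_within_base( $requested, $base );
    if ( false === $resolved ) {
        wp_send_json_error( 'path outside allowed directory', 400 );
    }

    $folders = array();
    foreach ( scandir( $resolved ) as $entry ) {
        if ( '.' === $entry || '..' === $entry ) {
            continue;
        }
        if ( is_dir( $resolved . DIRECTORY_SEPARATOR . $entry ) ) {
            $folders[] = $entry;
        }
    }
    wp_send_json_success( $folders );
}

/**
 * Resolve $relative underneath $base and confirm the canonical result is
 * still inside $base. Returns the absolute path, or false if it escapes,
 * does not exist, or is not a directory.
 */
function example_resolve_within_base( $relative, $base ) {
    $base = realpath( $base );
    if ( false === $base ) {
        return false;
    }
    // realpath() throws on embedded NUL bytes in PHP 8; reject them first.
    if ( false !== strpos( $relative, "\0" ) ) {
        return false;
    }
    // Strip leading separators so "/etc" is treated as "<base>/etc", never
    // as an absolute path; realpath() then collapses any "../" segments.
    $candidate = realpath( $base . DIRECTORY_SEPARATOR . ltrim( $relative, '/\\' ) );
    if ( false === $candidate || ! is_dir( $candidate ) ) {
        return false;
    }
    // Compare with the trailing separator included, otherwise a sibling such
    // as ".../uploads-private" would pass a prefix check against ".../uploads".
    if ( $candidate === $base || 0 === strpos( $candidate, $base . DIRECTORY_SEPARATOR ) ) {
        return $candidate;
    }
    return false;
}
```

The important design point is that the allow-list is enforced on the canonical path returned by realpath(), after symlinks and "../" segments have been resolved, rather than by pattern-matching the raw input; string checks for ".." alone miss encoded, symlinked and absolute-path variants.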

Attack vector

An attacker with Author-level access or higher can exploit this by sending a specially crafted AJAX request to the modula_list_folders endpoint to list the contents of any directory on the server's filesystem. The vulnerability is reached through the file browser functionality exposed in the plugin's admin interface [1]. No privileges beyond authenticated Author access are required, and the attack does not depend on any other configuration weakness. A proof-of-concept has been published, though no active exploitation has been confirmed [1].

The primary impact is information disclosure through directory enumeration. An attacker can use this to map the server's directory structure, locating sensitive files such as configuration files, backups, or other details of the WordPress installation and the host. The endpoint lists names only, so it does not by itself read file contents; combined with another vulnerability, such as an arbitrary file read or download, the knowledge of exact paths could aid further exploitation. The CVSS v3 score of 6.5 (Medium) reflects that authentication is required and that the impact is confined to confidentiality: unrestricted directory listing discloses information but does not modify data or affect availability [1].

Mitigation

Patch information was publicly disclosed by the researcher after coordinated disclosure with the plugin author [1]. Users are strongly advised to update to the latest patched version, available from the WordPress plugin repository. Workarounds include restricting access to the plugin's AJAX actions via a web application firewall or disabling the file browser feature for non-administrator roles, but the vendor patch is the recommended mitigation [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 6

News mentions: 0 (no linked articles in our index yet)