CVE-2025-13645
📋 TL;DR
The Modula Image Gallery WordPress plugin versions 2.13.1 to 2.13.2 contain an arbitrary file deletion vulnerability due to insufficient file path validation. Authenticated attackers with Author-level permissions or higher can delete arbitrary files on the server, potentially leading to remote code execution by deleting critical files like wp-config.php. This affects WordPress sites using the vulnerable plugin versions.
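The root cause stated above is insufficient validation of a user-supplied file path before deletion. The following Python snippet is an added, generic illustration of the containment check that prevents this bug class; it is not the plugin's code and not the vendor's fix. It assumes a hypothetical `safe_delete()` helper, an uploads directory as the only legitimate deletion scope, and constructed stand-in files created in a temporary directory.

```python
import tempfile
from pathlib import Path


def is_within(base: Path, candidate: Path) -> bool:
    """True only if candidate, after symlink/.. resolution, lies under base."""
    base_r = base.resolve()
    cand_r = candidate.resolve()  # follows symlinks, collapses '..'
    try:
        cand_r.relative_to(base_r)
        return True
    except ValueError:
        return False


def safe_delete(base_dir: Path, user_supplied: str) -> bool:
    """Delete user_supplied only if it resolves inside base_dir.

    Returns True when a file was deleted, False when the request was
    refused or nothing matched. Note that `Path / "/abs/path"` yields the
    absolute path, so absolute input is caught by the containment check.
    """
    target = Path(base_dir) / user_supplied
    if not is_within(Path(base_dir), target):
        return False  # traversal, absolute path, or symlink escape
    if not target.is_file():
        return False  # refuse directories and missing files
    target.unlink()
    return True


def demo() -> dict:
    """Exercise safe_delete against constructed files; returns check results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        uploads = root / "wp-content" / "uploads" / "modula"
        uploads.mkdir(parents=True)
        (uploads / "gallery.zip").write_bytes(b"PK\x03\x04")  # constructed
        config = root / "wp-config.php"  # constructed stand-in, not a real config
        config.write_text("<?php // stand-in\n")

        results = {
            "traversal_blocked": not safe_delete(uploads, "../../../wp-config.php"),
            "absolute_blocked": not safe_delete(uploads, str(config)),
            "config_still_exists": config.exists(),
            "in_scope_deleted": safe_delete(uploads, "gallery.zip"),
            "zip_gone": not (uploads / "gallery.zip").exists(),
        }
        try:
            # A symlink inside uploads pointing outside must also be refused.
            (uploads / "link.zip").symlink_to(config)
            results["symlink_blocked"] = not safe_delete(uploads, "link.zip")
        except OSError:
            results["symlink_blocked"] = True  # platform refused symlink creation
    return results


if __name__ == "__main__":
    print(demo())
```

The essential detail is resolving the path before comparing it with the allowed base; checking the raw string for `..` or a leading `/` alone misses symlinks and encoded variants.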
💻 Affected Systems
- Modula Image Gallery WordPress plugin
⚠️ Risk & Real-World Impact
Worst Case
Complete site compromise through remote code execution by deleting wp-config.php or other critical files, leading to data loss, defacement, or server takeover.
Likely Case
Site disruption or data loss through deletion of important files, potentially causing downtime or requiring restoration from backups.
If Mitigated
Limited impact if proper access controls and file permissions are in place, restricting damage to non-critical files.
🎯 Exploit Status
Exploitation requires Author-level WordPress credentials. The vulnerability is straightforward to exploit once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.13.3 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/modula-best-grid-gallery/tags/2.13.3
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Modula Image Gallery.
4. Click 'Update Now' if available.
5. Alternatively, download version 2.13.3+ from WordPress.org and update manually.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily deactivate the Modula Image Gallery plugin until patched.
wp plugin deactivate modula-best-grid-gallery
Restrict user roles
Temporarily remove Author and higher roles from untrusted users.
🧯 If You Can't Patch
- Implement strict file permissions (e.g., chmod 644 for wp-config.php, and do not grant the web server user write access to files outside the uploads directory).
- Monitor and audit user accounts with Author+ roles for suspicious activity.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Modula Image Gallery → Version. If version is 2.13.1 or 2.13.2, system is vulnerable.
Check Version:
wp plugin get modula-best-grid-gallery --field=version
Verify Fix Applied:
Verify plugin version is 2.13.3 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual file deletion events in web server logs (e.g., POST requests to /wp-admin/admin-ajax.php with action=modula_unzip_file).
- WordPress audit logs showing Author+ users accessing file management functions unexpectedly.
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with parameters targeting file deletion paths.
SIEM Query:
source="web_server_logs" AND uri="/wp-admin/admin-ajax.php" AND method="POST" AND (param="modula_unzip_file" OR param LIKE "%delete%")
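The log indicators and the SIEM query above express the detection idea in pseudo-syntax. The following Python script is an added example, not part of the advisory, of the same logic applied to web server access logs in Combined Log Format. It flags POST requests to /wp-admin/admin-ajax.php whose query string carries `action=modula_unzip_file` or an action name containing "delete", and separately counts admin-ajax POSTs with no visible action, because standard access logs do not record POST bodies and a request whose `action` travels in the body is invisible to this check. The log lines are constructed samples; the helper names are this example's own.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined Log Format: ip ident user [time] "METHOD target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

AJAX_PATH = "/wp-admin/admin-ajax.php"
KNOWN_ACTIONS = {"modula_unzip_file"}  # action named in the advisory
ACTION_KEYWORDS = ("delete",)          # mirrors the LIKE "%delete%" clause

# Constructed sample lines (not real traffic); ts values are arbitrary.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=modula_unzip_file HTTP/1.1" 200 87 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Dec/2025:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 45 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2025:10:00:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2025:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Return a dict of fields for one access-log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs returns lists; keep the first value of each parameter.
    rec["params"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def classify(rec: dict) -> str:
    """'flag' for a visible suspicious action, 'opaque' for an admin-ajax POST
    whose action is not in the query string, otherwise 'ok'."""
    if rec["method"] != "POST" or rec["path"] != AJAX_PATH:
        return "ok"
    action = rec["params"].get("action")
    if action is None:
        return "opaque"
    if action in KNOWN_ACTIONS or any(k in action.lower() for k in ACTION_KEYWORDS):
        return "flag"
    return "ok"


def scan(log_text: str) -> dict:
    """Scan log text; return flagged records and the count of opaque POSTs."""
    flagged, opaque = [], 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind == "flag":
            flagged.append({"ip": rec["ip"], "ts": rec["ts"],
                            "action": rec["params"]["action"], "status": rec["status"]})
        elif kind == "opaque":
            opaque += 1
    return {"flagged": flagged, "opaque_admin_ajax_posts": opaque}


if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for hit in result["flagged"]:
        print(f"FLAG {hit['ts']} {hit['ip']} action={hit['action']} status={hit['status']}")
    print(f"admin-ajax POSTs with action not visible in URL: {result['opaque_admin_ajax_posts']}")
```

Because the opaque count is usually far larger than the flagged count on a busy site, the access log alone is a weak source for this vulnerability; an application-level audit log that records the AJAX `action` and the acting user (the second log indicator above) is what makes the Author+ attribution possible.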
🔗 References
- https://github.com/WPChill/modula-lite/commit/90c8eb982f71b31584d9be9359e3b594e03927d7
- https://plugins.trac.wordpress.org/browser/modula-best-grid-gallery/tags/2.13.2/includes/admin/class-modula-gallery-upload.php#L1025
- https://plugins.trac.wordpress.org/browser/modula-best-grid-gallery/tags/2.13.2/includes/admin/class-modula-gallery-upload.php#L1119
- https://plugins.trac.wordpress.org/changeset/3395701/modula-best-grid-gallery#file5
- https://plugins.trac.wordpress.org/changeset/3407949/modula-best-grid-gallery
- https://www.wordfence.com/threat-intel/vulnerabilities/id/080683bb-713f-4aa8-b635-90c96f358bec?source=cve