Login Sign Up

CVE-2025-13891

6.5 MEDIUM
Path Traversal

📋 TL;DR

This vulnerability allows authenticated WordPress users with Author-level permissions or higher to perform directory traversal attacks via the modula_list_folders AJAX endpoint. Attackers can enumerate arbitrary directories on the server, potentially exposing sensitive files. All WordPress sites using the Image Gallery – Photo Grid & Video Gallery plugin up to version 2.13.3 are affected.

💻 Affected Systems

Products:
  • Image Gallery – Photo Grid & Video Gallery WordPress plugin
Versions: All versions up to and including 2.13.3
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user with Author role or higher (upload_files and edit_posts permissions)

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could enumerate sensitive server directories, discover configuration files, database credentials, or other sensitive data, leading to full system compromise.

🟠

Likely Case

Authenticated attackers enumerate directory structures to map the server environment and identify additional attack vectors or sensitive information.

🟢

If Mitigated

With proper file permissions and directory restrictions, impact is limited to directory enumeration within allowed paths.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once credentials are obtained

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.13.4 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3414176%40modula-best-grid-gallery%2Ftrunk&old=3407949%40modula-best-grid-gallery%2Ftrunk&sfp_email=&sfph_mail=

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Image Gallery – Photo Grid & Video Gallery'. 4. Click 'Update Now' if update is available. 5. Alternatively, download version 2.13.4+ from WordPress repository and manually update.

🔧 Temporary Workarounds

Disable vulnerable endpoint via .htaccess

all

Block access to the modula_list_folders AJAX endpoint

# Add to .htaccess in WordPress root directory
<FilesMatch "modula_list_folders">
    Order Allow,Deny
    Deny from all
</FilesMatch>

Restrict user roles

all

Temporarily remove Author+ roles from untrusted users

🧯 If You Can't Patch

  • Disable the Image Gallery plugin entirely until patched
  • Implement strict file system permissions and directory restrictions at server level

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for 'Image Gallery – Photo Grid & Video Gallery' version 2.13.3 or lower

Check Version:

wp plugin list --name='Image Gallery – Photo Grid & Video Gallery' --field=version

Verify Fix Applied:

Verify plugin version is 2.13.4 or higher in WordPress admin panel

📡 Detection & Monitoring

Log Indicators:

  • Multiple POST requests to /wp-admin/admin-ajax.php with action=modula_list_folders
  • Unusual directory path parameters in AJAX requests

Network Indicators:

  • POST requests to admin-ajax.php with modula_list_folders action containing directory traversal sequences (../)

SIEM Query:

source="wordpress.log" AND "admin-ajax.php" AND "modula_list_folders" AND (".." OR "%2e%2e")

📊 Metadata

CVE ID: CVE-2025-13891
CVSS v3 Score: 6.5 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-22
EPSS Score: 0.06% exploit probability (17.3th percentile)
Published: December 12, 2025
Last Updated: December 12, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-13891, you might also want to check these:

CVE-2024-43955 10.0

CVE-2024-43955 is an unauthenticated path traversal vulnerability in the Droip WordPress plugin that...

Same vulnerability type (CWE-22)
CVE-2025-54261 10.0

This critical path traversal vulnerability in Adobe ColdFusion allows attackers to escape restricted...

Same vulnerability type (CWE-22)
CVE-2024-40628 10.0

This critical vulnerability in JumpServer allows attackers to read arbitrary files from the Celery c...

Same vulnerability type (CWE-22)