{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13891", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-02T15:32:55.502Z", "datePublished": "2025-12-12T07:20:35.167Z", "dateUpdated": "2026-04-08T17:00:39.071Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:00:39.071Z"}, "affected": [{"vendor": "wpchill", "product": "Modula Image Gallery \u2013 Photo Grid & Video Gallery", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.13.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Image Gallery \u2013 Photo Grid & Video Gallery plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.13.3. This is due to the modula_list_folders AJAX endpoint that lacks proper path validation and base directory restrictions. While the endpoint verifies user capabilities (Author+ with upload_files and edit_posts permissions), it fails to validate that user-supplied directory paths reside within safe directories. This makes it possible for authenticated attackers, with Author-level access and above, to enumerate arbitrary directories on the server via the modula_list_folders endpoint."}], "title": "Image Gallery \u2013 Photo Grid & Video Gallery (Modula) <= 2.13.3 - Missing Authorization to Arbitrary Directory Listing", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/71e587ec-ceb6-48ca-9a1a-599d9d988b4d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/modula-best-grid-gallery/tags/2.12.26/includes/admin/class-modula-gallery-upload.php#L230"}, {"url": "https://plugins.trac.wordpress.org/browser/modula-best-grid-gallery/tags/2.12.26/includes/admin/class-modula-gallery-upload.php#L160"}, {"url": "https://plugins.trac.wordpress.org/browser/modula-best-grid-gallery/tags/2.12.26/includes/admin/class-modula-gallery-upload.php#L411"}, {"url": "https://research.cleantalk.org/cve-2025-13891/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3414176%40modula-best-grid-gallery%2Ftrunk&old=3407949%40modula-best-grid-gallery%2Ftrunk&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "timeline": [{"time": "2025-12-02T16:00:10.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-11T18:40:32.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-12T20:45:29.351475Z", "id": "CVE-2025-13891", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-12T20:45:39.695Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13891", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-12T20:45:29.351475Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-12T20:45:35.244Z"}}], "cna": {"title": "Image Gallery \u2013 Photo Grid & Video Gallery (Modula) <= 2.13.3 - Missing Authorization to Arbitrary Directory Listing", "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "wpchill", "product": "Image Gallery \u2013 Photo Grid & Video Gallery", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.13.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-02T16:00:10.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-11T18:40:32.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/71e587ec-ceb6-48ca-9a1a-599d9d988b4d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/modula-best-grid-gallery/tags/2.12.26/includes/admin/class-modula-gallery-upload.php#L230"}, {"url": "https://plugins.trac.wordpress.org/browser/modula-best-grid-gallery/tags/2.12.26/includes/admin/class-modula-gallery-upload.php#L160"}, {"url": "https://plugins.trac.wordpress.org/browser/modula-best-grid-gallery/tags/2.12.26/includes/admin/class-modula-gallery-upload.php#L411"}, {"url": "https://research.cleantalk.org/cve-2025-13891/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3414176%40modula-best-grid-gallery%2Ftrunk&old=3407949%40modula-best-grid-gallery%2Ftrunk&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Image Gallery \u2013 Photo Grid & Video Gallery plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.13.3. This is due to the modula_list_folders AJAX endpoint that lacks proper path validation and base directory restrictions. While the endpoint verifies user capabilities (Author+ with upload_files and edit_posts permissions), it fails to validate that user-supplied directory paths reside within safe directories. This makes it possible for authenticated attackers, with Author-level access and above, to enumerate arbitrary directories on the server via the modula_list_folders endpoint."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-12-12T07:20:35.167Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13891", "state": "PUBLISHED", "dateUpdated": "2025-12-12T20:45:39.695Z", "dateReserved": "2025-12-02T15:32:55.502Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-12T07:20:35.167Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Image Gallery \u2013 Photo Grid & Video Gallery plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.13.3. This is due to the modula_list_folders AJAX endpoint that lacks proper path validation and base directory restrictions. While the endpoint verifies user capabilities (Author+ with upload_files and edit_posts permissions), it fails to validate that user-supplied directory paths reside within safe directories. This makes it possible for authenticated attackers, with Author-level access and above, to enumerate arbitrary directories on the server via the modula_list_folders endpoint."}], "id": "CVE-2025-13891", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-12T08:15:47.487", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/modula-best-grid-gallery/tags/2.12.26/includes/admin/class-modula-gallery-upload.php#L160"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/modula-best-grid-gallery/tags/2.12.26/includes/admin/class-modula-gallery-upload.php#L230"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/modula-best-grid-gallery/tags/2.12.26/includes/admin/class-modula-gallery-upload.php#L411"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3414176%40modula-best-grid-gallery%2Ftrunk&old=3407949%40modula-best-grid-gallery%2Ftrunk&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://research.cleantalk.org/cve-2025-13891/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/71e587ec-ceb6-48ca-9a1a-599d9d988b4d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T00:14:01.003840+00:00", "value": {"mitigation_remediation": ["Update the Modula Image Gallery plugin to the latest release, which implements proper directory validation in the modula_list_folders endpoint.", "Revoke or reduce the upload_files capability from Author roles so that only administrators can access the modula_list_folders endpoint.", "Apply server\u2011side checks that ensure any directory path passed to the endpoint is confined to the plugin\u2019s base directory, rejecting requests that target other locations."], "summary": {"action": "Patch Now", "impact": "Information disclosure through directory traversal"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the Modula Image Gallery \u2013 Photo Grid & Video Gallery plugin installed, versions up to and including 2.13.3. All installations that use the default configuration of the modula_list_folders endpoint and allow Author-level users with upload_files and edit_posts capabilities are impacted.", "description_and_impact": "The Modula Image Gallery \u2013 Photo Grid & Video Gallery plugin for WordPress contains a path traversal flaw in the modula_list_folders AJAX endpoint. The endpoint verifies only that the requester has Author+ permissions and the upload_files and edit_posts capabilities, but it does not confirm that the supplied directory path is contained within a safe base directory. An authenticated user with these permissions can therefore pass arbitrary paths and cause the plugin to list the contents of any directory on the server that the WordPress process can read.", "risk_and_exploitability": "The vulnerability has a CVSS score of 6.5, indicating a moderate severity. The EPSS score is below 1\u202f%, suggesting a low probability of exploitation in the near term. The issue is not listed in the CISA KEV catalog. Exploitation requires a valid WordPress account with Author or higher privileges, so the attack vector is authenticated, in\u2011application. If an attacker gains such a role, they can enumerate server directories via the public AJAX endpoint until the directory traversal is mitigated or the endpoint is protected."}}}}, "created": "2025-12-14T21:16:31.828689+00:00", "updated": "2026-04-22T00:15:03.777093+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpchill", "wpchill$PRODUCT$image_gallery"]}