Arbitrary File Deletion in WP AUDIO GALLERY Plugin for WordPress
CVE-2025-13322

8.1HIGH

Key Information:

Vendor: WordPress
Status: WP Audio Gallery
Vendor: CVE Published:; 21 November 2025

What is CVE-2025-13322?

The WP AUDIO GALLERY plugin for WordPress contains a vulnerability that allows for arbitrary file deletion due to inadequate validation of file paths. Specifically, the wpag_uploadaudio_callback() AJAX handler fails to properly check the paths provided by users via the audio_upload parameter before these paths are passed to the unlink() function. This shortcoming enables authenticated attackers, who possess subscriber-level access or higher, to delete critical files on the server. Such deletions could lead to severe repercussions, including potential remote code execution if vital files like wp-config.php are compromised.

Affected Version(s)

WP AUDIO GALLERY * <= 2.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wp-audio-galle...

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 21, 2025
Vulnerability Reserved
Nov 17, 2025

Credit

Muhammad Yudha - DJ

JSON