Path Traversal Vulnerability in Image Gallery Plugin for WordPress
CVE-2025-13891

6.5MEDIUM

Key Information:

Vendor

WordPress
Status
Image Gallery – Photo Grid & Video Gallery
Vendor
CVE Published:
12 December 2025

What is CVE-2025-13891?

The Image Gallery – Photo Grid & Video Gallery plugin for WordPress exposes a path traversal vulnerability through its modula_list_folders AJAX endpoint. This issue arises from insufficient path validation and base directory restrictions, allowing authenticated users with Author permissions or higher to potentially access unauthorized directories on the server. The failure to confine user-supplied directory paths to designated safe directories poses a significant security risk, enabling attackers to enumerate arbitrary directories.

Affected Version(s)

Image Gallery – Photo Grid & Video Gallery * <= 2.13.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/modula-best-gr...
https://plugins.trac.wordpress.org/browser/modula-best-gr...

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Dmitrii Ignatyev
JSON
.