Path Traversal Vulnerability in Image Gallery Plugin for WordPress
CVE-2025-13891

6.5MEDIUM

Key Information:

Vendor: WordPress
Status: Image Gallery – Photo Grid & Video Gallery
Vendor: CVE Published:; 12 December 2025

What is CVE-2025-13891?

The Image Gallery – Photo Grid & Video Gallery plugin for WordPress exposes a path traversal vulnerability through its modula_list_folders AJAX endpoint. This issue arises from insufficient path validation and base directory restrictions, allowing authenticated users with Author permissions or higher to potentially access unauthorized directories on the server. The failure to confine user-supplied directory paths to designated safe directories poses a significant security risk, enabling attackers to enumerate arbitrary directories.

Affected Version(s)

Image Gallery – Photo Grid & Video Gallery * <= 2.13.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/modula-best-gr...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 12, 2025
Vulnerability Reserved
Dec 2, 2025

Credit

Dmitrii Ignatyev

JSON