The Modula Image Gallery plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'ajax_unzip_file' function in versions 2.13.1 to 2.13.2. This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
The Modula Image Gallery plugin for WordPress versions 2.13.1 to 2.13.2 has a vulnerability (CVE-2025-13645) allowing authenticated attackers to delete arbitrary files, potentially leading to remote code execution.
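The class of check whose absence the advisory describes, as an added example: this is not Modula's code and not the vendor's patch. The function names, the directory layout, and the assumption that the handler should only ever delete `.zip` archives under a single upload directory are all hypothetical.

```php
<?php
// Added example, not the plugin's code. All names and paths are hypothetical.

/**
 * Return the canonical path of $candidate only if it is a regular file
 * strictly inside $baseDir; otherwise return null.
 */
function confined_path(string $candidate, string $baseDir): ?string
{
    $base = realpath($baseDir);
    $real = realpath($candidate); // resolves ".." and symlinks; false if missing
    if ($base === false || $real === false) {
        return null;
    }
    // Compare against the base WITH a trailing separator, so a sibling such
    // as "/uploads-other" cannot pass a prefix match against "/uploads".
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $base, strlen($base)) !== 0) {
        return null;
    }
    return is_file($real) ? $real : null;
}

/** Delete an uploaded archive only after containment and type checks pass. */
function delete_uploaded_zip(string $candidate, string $baseDir): bool
{
    $real = confined_path($candidate, $baseDir);
    if ($real === null
        || strtolower(pathinfo($real, PATHINFO_EXTENSION)) !== 'zip') {
        return false; // refuse: outside the base directory or not an archive
    }
    return unlink($real);
}

// Constructed demo tree in a temporary directory (not a real WordPress install).
$root = sys_get_temp_dir() . '/confine_demo_' . bin2hex(random_bytes(4));
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/uploads/gallery.zip", 'constructed');
file_put_contents("$root/wp-config.php", '<?php // constructed stand-in');

// Case 1: archive inside the upload directory.
var_dump(delete_uploaded_zip("$root/uploads/gallery.zip", "$root/uploads"));
// Case 2: path that resolves outside the upload directory.
var_dump(delete_uploaded_zip("$root/uploads/../wp-config.php", "$root/uploads"));
// The stand-in config file must still exist after case 2.
var_dump(file_exists("$root/wp-config.php"));

// Clean up the demo tree.
unlink("$root/wp-config.php"); rmdir("$root/uploads"); rmdir($root);
```

Canonicalizing with `realpath()` before the comparison is what defeats `..` segments and symlinks; a string check on the raw request parameter does not.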