Image Gallery – Photo Grid & Video Gallery (Modula) < 2.13.4 – Missing Authorization to Arbitrary Directory Listing | CVE 2025-13891 | Plugin Vulnerabilities

Description

The Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.13.3. This is due to the modula_list_folders AJAX endpoint that lacks proper path validation and base directory restrictions. While the endpoint verifies user capabilities (Author+ with upload_files and edit_posts permissions), it fails to validate that user-supplied directory paths reside within safe directories. This makes it possible for authenticated attackers, with Author-level access and above, to enumerate arbitrary directories on the server via the modula_list_folders endpoint.

Affects Plugins

modula-best-grid-gallery

Fixed in 2.13.4

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/71e587ec-ceb6-48ca-9a1a-599d9d988b4d

Classification

Type

LFI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Verified

No

WPVDB ID

77042404-d22c-4a7a-bd48-f7864f58ba70

Timeline

Publicly Published

2025-12-11 (about 5 months ago)

Added

2025-12-11 (about 5 months ago)

Last Updated

2025-12-12 (about 5 months ago)

Other

Published

Title

Published

2026-03-10

Title

PitchPrint < 11.2.0 - Unauthenticated Arbitrary File Deletion

Published

2024-08-19

Title

Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder 2.0 - 2.13.4 - Authenticater (Administrator+) Arbitrary File Deletion

Published

2026-02-03

Title

Code Explorer <= 1.4.6 - Authenticated (Administrator+) Arbitrary File Read via 'file' Parameter

Published

2015-04-10

Title

Fusion Engage 1.0.5 - Local File Disclosure

Published

2024-07-11

Title

HT Mega < 2.5.8 - Authenticated (Contributor+) JSON File Directory Traversal