WordPress Plugin Vulnerabilities

Modula 2.13.1 - 2.13.2 - Author+ Arbitrary File Upload via Race Condition

Description

The plugin is vulnerable to arbitrary file uploads due to missing file type validation in the 'ajax_unzip_file' function. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files with race condition on the affected site's server which may make remote code execution possible.

Affects Plugins

Plugin icon
modula-best-grid-gallery
Fixed in 2.13.3

References

CVE
CVE-2025-13646
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/59ee0ca2-846d-4ae8-ad19-7c3826861aeb

Miscellaneous

Original Researcher
0xQRx
Verified
No
WPVDB ID
a313be3e-2695-41d9-b59e-ace503c1fcc4

Timeline

Publicly Published
2025-12-02 (about 6 months ago)
Added
2025-12-08 (about 6 months ago)
Last Updated
2025-12-08 (about 6 months ago)

Other

Published
Title
Published
2014-08-01
Title
WordPress SB Uploader 3.9 - Arbitrary File Upload
Published
2025-06-23
Title
Aiomatic - AI Content Writer, Editor, ChatBot & AI Toolkit < 2.5.1 - Authenticated (Subscriber+) Arbitrary File Upload
Published
2024-06-26
Title
Auto Featured Image <= 1.2 - Authenticated (Contributor+) Arbitrary File Upload
Published
2025-10-31
Title
RESTful Content Syndication 1.1.0 - 1.5.0 - Authenticated (Contributor+) Arbitrary File Upload
Published
2021-09-01
Title
Secure File Manager <= 2.9.3 - Admin+ RCE