CVE-2025-12494: CWE-285 Improper Authorization in wpchill Image Gallery – Photo Grid & Video Gallery
The Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ajax_import_file function in all versions up to, and including, 2.12.28. This makes it possible for authenticated attackers, with author-level access and above, to move arbitrary image files on the server.
AI Analysis
Technical Summary
CVE-2025-12494 is tagged CWE-285 (Improper Authorization) and affects the 'Image Gallery – Photo Grid & Video Gallery' WordPress plugin by wpchill in all versions up to and including 2.12.28. The flaw sits in the ajax_import_file function, an AJAX handler that performs a filesystem move on a path taken from the request without confining that path to the directory the plugin is meant to manage. Because the handler is reachable by any authenticated user with author-level access or above, and because it does not check that the resolved target lies inside its own storage, an author can point it at image files elsewhere on the server and have them moved or, in effect, deleted. The CWE tag describes the outcome (a user acting on files their role should not reach) while the vendor description names the cause (insufficient file path validation); both are needed to explain the bug, and a correct path-containment check closes it even if the role check stays as it is. Exploitation requires an account at author level or higher, so an attacker must already hold or compromise such an account. The CVSS 3.1 base score of 4.3 corresponds to a network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, and a low integrity impact with no confidentiality or availability impact scored. At the time of this analysis no public exploit code was noted; the affected range is bounded at 2.12.28, so confirm in the vendor changelog which release closes the issue rather than assuming any later version does. Whether the handler restricts the operation to image extensions is not stated here; until confirmed, treat any file the web server user can rename as within reach. The plugin has a large WordPress install base, so the issue is relevant to many sites that rely on it for galleries.
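The class of bug described above, shown as a vulnerable AJAX handler beside a hardened one. This is an added illustration and not the plugin's own code: the page does not reproduce ajax_import_file, so the handler shape, the `wp_ajax_ajax_import_file` hook name, the `file` and `nonce` parameters, the `image-gallery` destination folder and the helper name `ig_resolve_image_path` are all assumptions chosen to show the missing check and the fix a maintainer would apply.

```php
<?php
/**
 * Added example for CVE-2025-12494; not wpchill's code. Handler shape, hook
 * name, parameter names and folder names are ASSUMED for illustration.
 */

// --- Vulnerable shape (assumed): the request path reaches rename() as-is. ---
function ig_ajax_import_file_vulnerable() {
    check_ajax_referer( 'ig_import', 'nonce' );        // CSRF protection only; says nothing about what the caller may touch
    $src  = wp_unslash( $_POST['file'] ?? '' );        // e.g. "../../uploads/2025/11/hero.jpg" supplied by an author
    $dest = WP_CONTENT_DIR . '/uploads/image-gallery/' . basename( $src );
    if ( file_exists( $src ) ) {
        rename( $src, $dest );                         // moves (effectively deletes) any file the web server user can rename
    }
    wp_send_json_success( $dest );
}

// --- Hardened shape: resolve, contain, allowlist, then act. ---

/**
 * Return the canonical path of $requested only if it resolves to an image
 * file inside the WordPress uploads directory; false otherwise.
 */
function ig_resolve_image_path( $requested ) {
    $base = realpath( wp_upload_dir()['basedir'] );
    $real = realpath( $requested );                    // collapses ../ and symlinks; false if the file does not exist
    if ( false === $base || false === $real ) {
        return false;
    }
    // Containment: the resolved file must sit strictly below basedir.
    if ( 0 !== strpos( $real, $base . DIRECTORY_SEPARATOR ) ) {
        return false;
    }
    // Type allowlist, resolved through WordPress's own extension/MIME table.
    $allowed = array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'gif'          => 'image/gif',
        'webp'         => 'image/webp',
    );
    $type = wp_check_filetype( $real, $allowed );
    if ( empty( $type['ext'] ) ) {
        return false;
    }
    return $real;
}

function ig_ajax_import_file_hardened() {
    check_ajax_referer( 'ig_import', 'nonce' );
    // Authors hold upload_files, so this gate is necessary but not sufficient on its own.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $src = ig_resolve_image_path( wp_unslash( $_POST['file'] ?? '' ) );
    if ( false === $src ) {
        wp_send_json_error( 'invalid path', 400 );
    }
    $dest_dir = trailingslashit( wp_upload_dir()['basedir'] ) . 'image-gallery';
    wp_mkdir_p( $dest_dir );
    $dest = trailingslashit( $dest_dir ) . sanitize_file_name( basename( $src ) );
    if ( ! rename( $src, $dest ) ) {
        wp_send_json_error( 'move failed', 500 );
    }
    wp_send_json_success( $dest );
}
add_action( 'wp_ajax_ajax_import_file', 'ig_ajax_import_file_hardened' );
```

The containment test is the part that was missing: `realpath()` normalises `..` segments and symlinks before the prefix comparison, and the trailing `DIRECTORY_SEPARATOR` stops `uploads-private` from matching `uploads`. Note what it does not do: an author can still move another user's media within the uploads tree. If the handler is meant to touch only the caller's own files, resolve the path to an attachment ID (for example via `attachment_url_to_postid()` on the corresponding URL) and require `current_user_can( 'edit_post', $attachment_id )` as well.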
Potential Impact
The primary impact is on the integrity of site content and of files under the web server's control. An author-level attacker can move or delete image files the plugin never intended to expose, breaking page layouts, galleries and media references and forcing restoration from backup. The CVSS vector scores integrity only, but the description itself calls this arbitrary file deletion, and losing media that pages depend on is an availability problem for those pages in practice; the file-move primitive could also serve as a building block in a longer chain, for example to displace files that other components rely on. Because exploitation requires an authenticated account at author level or above, the exposure is to insiders and to attackers who have already taken over such an account, which on many sites is a low bar: author accounts are routinely issued to contributors and guest writers. Given the popularity of WordPress and of this plugin, many small and medium-sized sites are affected, particularly those with loose role assignment or delayed plugin updates. The absence of known in-the-wild exploitation lowers immediate risk without removing it; once an account is in hand, the attack is a single crafted admin-ajax request.
Mitigation Recommendations
Update the 'Image Gallery – Photo Grid & Video Gallery' plugin as soon as the vendor ships the release that closes the issue; the advisory lists every version up to and including 2.12.28 as affected, so confirm the fix in the changelog rather than trusting any later version number. Until then, audit every account with the author role or higher and remove or downgrade those that do not need it (for example with `wp user list --role=author` and `wp user set-role`), since an author reaches the vulnerable handler with nothing more than a valid login. If galleries are not essential to the site, deactivate the plugin until it is patched. Where a WAF is in place, add a blocking rule for admin-ajax.php requests that carry the plugin's import action together with a parameter containing traversal sequences (`..`, percent-encoded variants, null bytes) or an absolute path outside wp-content/uploads. Watch the web server access log for admin-ajax.php calls with that action from accounts that do not normally import, and watch the filesystem for renames or deletions under wp-content/uploads that do not correspond to a media-library event. Run file integrity monitoring over the uploads tree and the plugin directory. Enforce least privilege on WordPress roles, require multi-factor authentication for every account at author level or above, and keep off-site backups frequent enough that restoring moved or deleted media is a routine restore rather than a rebuild.
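A request-level stop-gap that implements the interim controls above (restrict who can reach the handler, reject path-escape tokens, log attempts) as a must-use plugin, for sites that cannot yet update. This is an added example, not vendor or Wordfence code, and it rests on two marked assumptions: the admin-ajax action name is taken to be `ajax_import_file` (the advisory names the PHP function, not the registered action, so confirm it against the installed plugin's `add_action( 'wp_ajax_...' )` calls), and because the parameter that carries the path is not known, every request parameter is inspected.

```php
<?php
/**
 * Plugin Name: Virtual patch for CVE-2025-12494
 *
 * Added example, not vendor code. Place in wp-content/mu-plugins/ until the
 * gallery plugin is updated, then delete it. The action name below is an
 * ASSUMPTION; the advisory names the PHP function ajax_import_file, not the
 * admin-ajax action registered for it.
 */

const IG_VPATCH_ACTIONS = array( 'ajax_import_file' );   // ASSUMED action name(s); verify before use

/**
 * True when a request value (string or nested array) carries tokens that have
 * no place in a gallery import: parent-directory segments (raw, encoded or
 * double-encoded), null bytes, or local PHP stream wrappers. http(s):// is
 * left alone because importing from a URL may be legitimate.
 */
function ig_vpatch_is_suspicious( $value ) {
    if ( is_array( $value ) ) {
        foreach ( $value as $item ) {
            if ( ig_vpatch_is_suspicious( $item ) ) {
                return true;
            }
        }
        return false;
    }
    if ( ! is_string( $value ) ) {
        return false;
    }
    $decoded = rawurldecode( rawurldecode( $value ) );   // %2e%2e and %252e%252e both collapse to ..
    foreach ( array( $value, $decoded ) as $v ) {
        if ( false !== strpos( $v, '..' ) || false !== strpos( $v, "\0" ) ) {
            return true;
        }
        if ( preg_match( '#^(?:php|phar|file|glob|data|compress\.[a-z]+)://#i', $v ) ) {
            return true;
        }
    }
    return false;
}

function ig_vpatch_guard() {
    $action = isset( $_REQUEST['action'] ) ? (string) wp_unslash( $_REQUEST['action'] ) : '';
    if ( ! in_array( $action, IG_VPATCH_ACTIONS, true ) ) {
        return;
    }
    $user = get_current_user_id();
    $ip   = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '';

    // Gate 1: until patched, only administrators may reach the import handler.
    // A plain upload_files check would not help, because authors hold it legitimately.
    if ( ! current_user_can( 'manage_options' ) ) {
        error_log( sprintf( 'CVE-2025-12494 guard: denied action=%s user=%d ip=%s (not admin)', $action, $user, $ip ) );
        wp_send_json_error( 'request rejected', 403 );   // sends JSON and exits
    }

    // Gate 2: even for administrators, refuse path-escape tokens and record the attempt.
    foreach ( $_REQUEST as $key => $value ) {
        if ( 'action' !== $key && ig_vpatch_is_suspicious( $value ) ) {
            error_log( sprintf( 'CVE-2025-12494 guard: blocked action=%s param=%s user=%d ip=%s', $action, $key, $user, $ip ) );
            wp_send_json_error( 'request rejected', 403 );
        }
    }
}
// admin-ajax.php fires admin_init before it dispatches any wp_ajax_* callback,
// so the guard runs ahead of the plugin's handler without touching plugin files.
add_action( 'admin_init', 'ig_vpatch_guard' );
```

The `error_log()` lines land in the PHP error log (or wherever `WP_DEBUG_LOG` points), which gives the log-monitoring step above a concrete string to alert on. Gate 1 is deliberately blunt: it breaks the import feature for non-administrators for the duration, which is the trade-off a site accepts by running an unpatched version. Remove the file once the updated plugin is installed so the vendor's own checks are the ones in force.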
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-29T20:58:17.650Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6918143b93cc35e7aa3af0e2
Added to database: 11/15/2025, 5:48:43 AM
Last enriched: 2/27/2026, 8:38:26 PM
Last updated: 3/24/2026, 3:08:29 PM
Views: 98