CVE-2025-12494: CWE-285 Improper Authorization in wpchill Image Gallery – Photo Grid & Video Gallery
The Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ajax_import_file function in all versions up to, and including, 2.12.28. This makes it possible for authenticated attackers, with author-level access and above, to move arbitrary image files on the server.
AI Analysis
Technical Summary
CVE-2025-12494 is an improper authorization vulnerability categorized under CWE-285 found in the WordPress plugin 'Image Gallery – Photo Grid & Video Gallery' developed by wpchill. The flaw exists in the ajax_import_file function, which fails to properly validate file paths before performing file operations. This allows authenticated users with author-level access or higher to delete arbitrary image files on the server by manipulating the file path parameters. The vulnerability affects all plugin versions up to and including 2.12.28. The attack vector is remote over the network (AV:N), requires low attack complexity (AC:L), and privileges at the author level (PR:L), with no user interaction needed (UI:N). The impact is limited to integrity (I:L) without affecting confidentiality or availability. Although no public exploits have been reported yet, the vulnerability poses a risk to WordPress sites using this plugin, especially those with multiple contributors who have author-level permissions. The lack of patch links indicates that a fix may not yet be publicly available, emphasizing the need for immediate mitigation steps. The vulnerability could be leveraged to remove or manipulate image files, potentially disrupting website content and damaging organizational reputation.
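As an added example (not the plugin's code, which this page does not show), the shape a hardened WordPress AJAX handler for moving an image would take: a nonce and capability check first, then path containment resolved through realpath() against the uploads directory rather than a check on the submitted string. The action name, the request parameters ('source', 'destination', 'nonce') and the helper names are assumptions.

```php
<?php
// Added example, not the plugin's code: a hardened pattern for an AJAX handler
// that moves an image inside wp-content/uploads. The action name, the request
// parameters ('source', 'destination', 'nonce') and helper names are assumptions.
add_action( 'wp_ajax_example_move_image', 'example_ajax_move_image' );

// Resolve a user-supplied path *relative to $base* and confirm the result is
// still inside $base. realpath() collapses '..' and follows symlinks, so the
// prefix check runs on the real location, not on the submitted string.
function example_contained_path( $relative, $base ) {
    $real_base = realpath( $base );
    $real_path = realpath( $base . DIRECTORY_SEPARATOR . $relative );
    if ( false === $real_base || false === $real_path ) {
        return false; // base missing or target does not exist
    }
    $prefix = rtrim( $real_base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    // The base itself is allowed (destination directory may be the uploads root).
    return ( $real_path === $real_base || 0 === strpos( $real_path, $prefix ) ) ? $real_path : false;
}

function example_ajax_move_image() {
    // Authorization first: a nonce bound to this action, then a capability check.
    check_ajax_referer( 'example_move_image', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $base        = wp_upload_dir()['basedir'];
    $source      = (string) wp_unslash( $_POST['source'] ?? '' );
    $destination = (string) wp_unslash( $_POST['destination'] ?? '' );
    // Source must be an existing file inside uploads. For the destination only the
    // directory is user-chosen (and must exist inside uploads); the name is sanitized.
    $src      = example_contained_path( $source, $base );
    $dst_dir  = example_contained_path( dirname( $destination ), $base );
    $dst_name = sanitize_file_name( basename( $destination ) );
    if ( false === $src || ! is_file( $src ) || false === $dst_dir || '' === $dst_name ) {
        wp_send_json_error( 'invalid path', 400 );
    }
    // Both ends must be image types WordPress recognises.
    foreach ( array( $src, $dst_name ) as $name ) {
        $type = wp_check_filetype( $name );
        if ( empty( $type['type'] ) || 0 !== strpos( $type['type'], 'image/' ) ) {
            wp_send_json_error( 'not an image', 400 );
        }
    }
    if ( ! rename( $src, $dst_dir . DIRECTORY_SEPARATOR . $dst_name ) ) {
        wp_send_json_error( 'move failed', 500 );
    }
    wp_send_json_success();
}
```

A submitted path such as `../../wp-config.php` resolves outside the uploads base and is rejected by the prefix comparison, as is a symlink inside uploads that points elsewhere.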
Potential Impact
For European organizations, this vulnerability could lead to unauthorized deletion of image files hosted on WordPress sites using the affected plugin. This compromises the integrity of website content, potentially causing disruption to marketing, e-commerce, or informational portals. While it does not directly expose sensitive data or cause denial of service, the ability to delete arbitrary files could be exploited to remove critical media assets, degrade user experience, or facilitate further attacks by removing security-related files. Organizations with collaborative content management environments are particularly at risk due to the requirement of author-level access. The reputational damage and operational disruption could be significant for businesses relying heavily on their web presence. Additionally, the absence of a patch increases exposure time, necessitating proactive defense measures.
Mitigation Recommendations
European organizations should immediately audit user roles and permissions within WordPress, ensuring that author-level access is granted only to trusted users. Implement strict access controls and monitor file system changes for unauthorized deletions or modifications. Disable or uninstall the vulnerable plugin if possible until a patch is released. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious ajax_import_file requests. Regularly back up website content, including media files, to enable rapid recovery in case of file deletion. Stay informed about updates from the plugin vendor and apply patches promptly once available. Consider isolating WordPress instances or running them in containerized environments to limit the impact of potential exploitation. Finally, conduct security awareness training for content contributors to recognize and report unusual behavior.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-29T20:58:17.650Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6918143b93cc35e7aa3af0e2
Added to database: 11/15/2025, 5:48:43 AM
Last enriched: 11/22/2025, 8:30:51 AM
Last updated: 1/7/2026, 8:45:59 AM