CVE-2025-13322: CWE-73 External Control of File Name or Path in husainali52 WP AUDIO GALLERY
The WP AUDIO GALLERY plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to, and including, 2.0. This is due to the `wpag_uploadaudio_callback()` AJAX handler not properly validating user-supplied file paths in the `audio_upload` parameter before passing them to `unlink()`. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when critical files like wp-config.php are deleted.
AI Analysis
Technical Summary
CVE-2025-13322 is an arbitrary file deletion vulnerability, classified under CWE-73 (External Control of File Name or Path), in the WP AUDIO GALLERY plugin for WordPress maintained by husainali52. The AJAX handler wpag_uploadaudio_callback() reads the audio_upload parameter from the request and passes it to PHP's unlink() without confining it to the plugin's own upload location or otherwise validating it, so the caller can supply traversal sequences or an absolute path and delete any file the web server process is permitted to remove. The handler is reachable by any authenticated user, subscriber level and above, which matters because many sites allow self-registration or issue subscriber-equivalent accounts to customers. The usual route from file deletion to remote code execution is deleting wp-config.php: WordPress then behaves as an uninstalled site and serves the setup wizard, which the attacker can complete against a database they control, log in as the administrator created during that install, and place PHP on the server through the plugin or theme editor. Even without that follow-up, deleting configuration or core files takes the site offline. All versions up to and including 2.0 are affected. The CVSS v3.1 base score is 8.1 (High): network attack vector, low attack complexity, low privileges required, no user interaction, scope unchanged, no confidentiality impact but high integrity and availability impact. At the time of writing no patch is linked from the record and no in-the-wild exploitation has been reported, but the prerequisites are low enough that the issue should be treated as urgent on any site with the plugin installed.
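The following PHP is an added example and is not code from the WP AUDIO GALLERY plugin or from Wordfence. It reconstructs, as a hypothetical handler, the pattern the advisory describes (a user-supplied path handed straight to unlink()), and places a hardened version of the same handler next to it. The AJAX action name wpag_uploadaudio, the nonce action wpag_delete_audio and the helper wpag_resolve_inside_uploads() are assumptions made for illustration; the plugin's real action name is not given on this page.

```php
<?php
// Added example: a hypothetical reconstruction of the pattern the advisory
// describes and a hardened replacement. Not the plugin's own code. The action
// name 'wpag_uploadaudio', the nonce action 'wpag_delete_audio' and the helper
// wpag_resolve_inside_uploads() are assumptions for illustration.

// ---- Pattern described by the advisory (hypothetical, deliberately unsafe) ----
// Reachable by any logged-in user via POST /wp-admin/admin-ajax.php. There is no
// capability check and no path restriction, so a value such as
// '../../../wp-config.php' or an absolute path is handed straight to unlink().
function wpag_uploadaudio_callback_unsafe() {
    $file = isset( $_POST['audio_upload'] ) ? $_POST['audio_upload'] : '';
    if ( '' !== $file && file_exists( $file ) ) {
        unlink( $file );
    }
    wp_die();
}

// ---- Hardened replacement ----

/**
 * Resolve a user-supplied file name and accept it only if it is a regular file
 * located inside the WordPress uploads directory.
 *
 * The input is treated as relative to the uploads directory. realpath() resolves
 * '..' segments and symlinks, so containment is checked on the resolved path and
 * not on the raw string; "reject anything containing ../" filtering is bypassable
 * (encoded separators, a symlink inside uploads pointing at wp-config.php, etc.).
 *
 * @return string|false Absolute path on success, false if the path is rejected.
 */
function wpag_resolve_inside_uploads( $user_path ) {
    $user_path = (string) $user_path;
    if ( '' === $user_path || false !== strpos( $user_path, "\0" ) ) {
        return false;
    }
    // Absolute paths (/etc/..., C:\..., \\server\share) are never acceptable here.
    if ( path_is_absolute( $user_path ) ) {
        return false;
    }

    $upload_dir = wp_upload_dir();
    $base       = realpath( $upload_dir['basedir'] );
    if ( false === $base ) {
        return false;
    }
    $target = realpath( $base . DIRECTORY_SEPARATOR . $user_path );
    if ( false === $target ) {
        return false; // does not exist or could not be resolved
    }
    // Prefix check with a trailing separator, so that a sibling directory such as
    // /var/www/uploads-old does not pass for base /var/www/uploads.
    if ( 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        return false;
    }
    if ( ! is_file( $target ) ) {
        return false; // never unlink() directories or special files
    }
    return $target;
}

function wpag_uploadaudio_callback_hardened() {
    // 1. CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'wpag_delete_audio', 'nonce' );

    // 2. Authorization: Subscriber and Contributor do not have upload_files by
    //    default, so only roles allowed to manage media can reach the deletion.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // 3. Path validation: confine the target to the uploads directory.
    $requested = isset( $_POST['audio_upload'] ) ? wp_unslash( $_POST['audio_upload'] ) : '';
    $target    = wpag_resolve_inside_uploads( $requested );
    if ( false === $target ) {
        wp_send_json_error( array( 'message' => 'Invalid file.' ), 400 );
    }

    // 4. Delete, and report failure instead of silently suppressing it.
    if ( ! unlink( $target ) ) {
        wp_send_json_error( array( 'message' => 'Could not delete file.' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => basename( $target ) ) );
}

// Registered for authenticated requests only (no wp_ajax_nopriv_ hook).
add_action( 'wp_ajax_wpag_uploadaudio', 'wpag_uploadaudio_callback_hardened' );
```

A stricter design does not accept a path from the client at all: record the attachment ID when the audio file is uploaded, have the delete handler take only that ID, check current_user_can( 'delete_post', $id ), and call wp_delete_attachment(). The containment check above is the minimal fix for the pattern the advisory describes when the handler must keep accepting a file name.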
Potential Impact
For European organizations, the primary risk is to the integrity and availability of WordPress sites running this plugin. An attacker holding any account on the site, including a self-registered subscriber or a customer account on a storefront, can delete whatever files the PHP process is allowed to remove: wp-config.php, .htaccess, plugin or theme files, or uploaded content. The immediate effect is an outage or data loss; the follow-on effect, if wp-config.php is deleted, is a site that can be re-installed and taken over, giving the attacker code execution on the server and a path to the credentials and data the original configuration referenced. WordPress is widely used across Europe for corporate sites, e-commerce and content publishing, including in public-sector, financial, healthcare and media organizations, so a compromised site can become a foothold for a data breach or a host for malicious content under a trusted domain. Because only subscriber-level authentication is required, sites with open registration, shared or reused credentials, or no multi-factor authentication are the most exposed.
Mitigation Recommendations
European organizations should audit their WordPress installations now to find the WP AUDIO GALLERY plugin and record the installed version; every version up to and including 2.0 is affected. Since no official patch is linked at the time of writing, the following mitigations apply:
1) Deactivate and remove the plugin until a fixed release is published. Deactivation stops the wp_ajax_ hook from being registered; removing the files also takes the vulnerable code off the server.
2) Reduce who can authenticate. Turn off open registration (Settings > General, "Anyone can register") unless the site needs it, review existing subscriber-level accounts, and enforce strong passwords or multi-factor authentication, since any valid login is enough to reach the handler.
3) Virtual-patch at the WAF or reverse proxy: block requests to /wp-admin/admin-ajax.php whose audio_upload parameter contains "../", an encoded equivalent, a null byte, or an absolute path. Inspect the POST body, not only the query string, because AJAX parameters are normally posted.
4) Make critical files undeletable by the PHP process. unlink() succeeds when the process can write to the containing directory, regardless of the file's own permissions, so a read-only wp-config.php is not enough: the directory holding it must not be writable by the user PHP runs as, or move wp-config.php one level above the document root, which WordPress supports.
5) Detect attempts and consequences. unlink() leaves no trace in web server logs, so rely on file-integrity monitoring of wp-config.php, .htaccess and wp-includes, and alert on POSTs to admin-ajax.php from low-privilege accounts. A site that starts redirecting to /wp-admin/setup-config.php has lost its wp-config.php and should be treated as compromised until proven otherwise.
6) Keep tested, offline backups of files and database so that a deleted or tampered site can be restored quickly.
7) Vet plugins before installing them, keep them updated, and apply least privilege to user roles.
Track the vendor's releases and apply the official fix as soon as it is available.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-17T15:56:27.933Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6920235bcf2d47c38997b878
Added to database: 11/21/2025, 8:31:23 AM
Last enriched: 11/28/2025, 8:49:15 AM
Last updated: 1/7/2026, 4:54:11 AM