CVE-2025-13322 is a vulnerability classified under CWE-73 (External Control of File Name or Path) found in the WP AUDIO GALLERY plugin for WordPress, maintained by husainali52. The flaw exists in the wpag_uploadaudio_callback() AJAX handler, which processes the audio_upload parameter without proper validation or sanitization of the file path. This parameter is directly passed to the PHP unlink() function, which deletes files on the server. Because the plugin does not restrict or sanitize the input, authenticated users with subscriber-level privileges or higher can specify arbitrary file paths, leading to arbitrary file deletion on the server. Critical files such as wp-config.php, which contains database credentials and configuration, can be deleted, potentially causing denial of service or enabling attackers to execute remote code by manipulating the environment or triggering fallback behaviors. The vulnerability affects all versions up to and including 2.0 of the plugin. The CVSS 3.1 base score is 8.1, reflecting high severity due to network attack vector, low attack complexity, privileges required, no user interaction, and high impact on integrity and availability. Although no public exploits have been reported yet, the vulnerability's characteristics make it a prime target for attackers aiming to compromise WordPress sites. The lack of patch links suggests that no official fix has been released at the time of publication, increasing urgency for mitigation.

The impact of CVE-2025-13322 is significant for organizations running WordPress sites with the WP AUDIO GALLERY plugin installed. Successful exploitation allows attackers with minimal privileges (subscriber-level) to delete arbitrary files, including critical configuration files like wp-config.php. This can lead to site downtime, loss of data integrity, and potentially remote code execution if attackers manipulate the environment post-deletion. The compromise can extend to full site takeover, data breaches, and disruption of business operations. Given WordPress's widespread use globally, this vulnerability poses a risk to a large number of websites, especially those that do not regularly update plugins or enforce strict access controls. The ease of exploitation and the high impact on availability and integrity make this a critical threat for content management systems relying on this plugin.

To mitigate CVE-2025-13322, organizations should immediately audit their WordPress installations for the presence of the WP AUDIO GALLERY plugin and verify the version in use. Since no official patch is currently available, the following specific actions are recommended: 1) Temporarily disable or uninstall the WP AUDIO GALLERY plugin to eliminate the attack surface. 2) Restrict access to the wpag_uploadaudio_callback() AJAX handler by implementing additional server-side access controls or web application firewall (WAF) rules that block unauthorized or suspicious requests targeting this endpoint. 3) Enforce the principle of least privilege by reviewing user roles and minimizing subscriber-level access where possible. 4) Monitor server logs for unusual unlink() calls or file deletion activities, especially targeting critical files. 5) Implement file integrity monitoring to detect unauthorized changes or deletions promptly. 6) Once a patch is released by the vendor, apply it immediately and verify the fix. 7) Educate site administrators about the risks of installing unvetted plugins and the importance of timely updates.