CVE-2025-13645 is a path traversal vulnerability categorized under CWE-22 affecting the wpchill Image Gallery – Photo Grid & Video Gallery WordPress plugin, specifically version 2.13.1. The vulnerability arises from insufficient validation of file paths in the 'ajax_unzip_file' function, which is responsible for handling file extraction operations. Authenticated attackers with Author-level or higher privileges can exploit this flaw to delete arbitrary files on the web server by manipulating the file path input to traverse directories outside the intended restricted folder. This arbitrary file deletion can be leveraged to remove critical files such as wp-config.php, which contains database credentials and configuration settings. Deleting such files can destabilize the WordPress installation and potentially allow attackers to execute remote code or gain further control over the server. The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network. The CVSS v3.1 score of 7.2 reflects the vulnerability's high impact on confidentiality, integrity, and availability, with low attack complexity and requiring high privileges but no user interaction. No patches or fixes are currently linked, and no known exploits are reported in the wild as of the publication date. The vulnerability affects a widely used WordPress plugin, increasing the risk for many websites globally.

The impact of CVE-2025-13645 is significant for organizations using the vulnerable wpchill Image Gallery plugin. Successful exploitation allows an attacker with Author-level access to delete arbitrary files on the server, potentially leading to complete server compromise. Deletion of critical files like wp-config.php can disrupt website functionality, cause data loss, and enable remote code execution, which could allow attackers to deploy malware, steal sensitive data, or pivot to other internal systems. The vulnerability compromises confidentiality, integrity, and availability of affected systems. Since WordPress powers a large portion of the web, many organizations, including businesses, government agencies, and e-commerce platforms, could be at risk if they use this plugin without mitigation. The requirement for authenticated access limits exploitation to insiders or compromised accounts, but the ease of exploitation and severe consequences make this a critical threat. The absence of known exploits in the wild currently provides a window for remediation before widespread attacks occur.

1. Immediate mitigation should include restricting Author-level and higher privileges to trusted users only, minimizing the risk of exploitation by insiders or compromised accounts. 2. Monitor and audit user activities, especially file operations and plugin usage, to detect suspicious behavior indicative of exploitation attempts. 3. If possible, disable or uninstall the vulnerable wpchill Image Gallery plugin until a patch or update is released. 4. Implement web application firewall (WAF) rules to detect and block path traversal attempts targeting the 'ajax_unzip_file' function or related plugin endpoints. 5. Regularly back up critical WordPress files and databases to enable rapid recovery if arbitrary file deletion occurs. 6. Follow vendor announcements closely and apply official patches or updates as soon as they become available. 7. Consider deploying file integrity monitoring solutions to alert on unauthorized file deletions or modifications. 8. Harden WordPress installations by limiting file system permissions to prevent unauthorized file deletions beyond the plugin scope. These targeted actions go beyond generic advice and focus on reducing the attack surface and improving detection and recovery capabilities.