CVE-2025-13645 is a path traversal vulnerability classified under CWE-22 found in the wpchill Image Gallery – Photo Grid & Video Gallery WordPress plugin, specifically in version 2.13.1. The vulnerability arises from insufficient validation of file paths in the ajax_unzip_file function, which is responsible for handling file extraction operations. Authenticated attackers with Author-level or higher permissions can exploit this flaw to delete arbitrary files on the web server by manipulating the file path parameters. This arbitrary file deletion can target critical files such as wp-config.php, which contains database credentials and other sensitive configuration data. Deleting such files can lead to denial of service or enable attackers to execute remote code by forcing the system into an inconsistent state or by removing security controls. The CVSS v3.1 score of 7.2 reflects the high impact on confidentiality, integrity, and availability, with low attack complexity and no user interaction required beyond authentication. The vulnerability affects installations running version 2.13.1 of the plugin, which is widely used in WordPress environments for managing image galleries. Although no exploits have been observed in the wild yet, the potential for severe damage makes this a critical issue to address promptly. The vulnerability is network exploitable and does not require additional user interaction, increasing its risk profile. The lack of an official patch at the time of reporting necessitates immediate mitigation efforts by administrators.

For European organizations, this vulnerability poses a significant risk to websites and web applications running WordPress with the affected plugin version. Successful exploitation can lead to unauthorized deletion of critical files, causing website downtime, data loss, and potential full server compromise through remote code execution. This can disrupt business operations, damage reputation, and lead to regulatory compliance issues under GDPR due to potential data exposure or loss of service. Organizations relying on WordPress for e-commerce, government services, or critical infrastructure are particularly vulnerable. The ease of exploitation by authenticated users means that insider threats or compromised accounts can escalate damage quickly. Additionally, the widespread use of WordPress across Europe increases the attack surface. The vulnerability could be leveraged in targeted attacks against high-value entities, including media companies, public sector websites, and SMEs that may lack robust security monitoring.

1. Immediately restrict access to the wpchill Image Gallery plugin functions to only trusted users and consider temporarily disabling the plugin if possible. 2. Enforce strict role-based access control to limit Author-level and higher privileges to only necessary personnel. 3. Monitor critical file integrity, especially wp-config.php and other configuration files, using file integrity monitoring tools to detect unauthorized deletions or modifications. 4. Implement web application firewalls (WAF) with custom rules to detect and block suspicious requests targeting the ajax_unzip_file function or unusual file path parameters. 5. Regularly back up website files and databases to enable rapid restoration in case of file deletion. 6. Stay alert for official patches or updates from the vendor and apply them promptly once released. 7. Conduct security audits and penetration testing focused on plugin vulnerabilities and privilege escalation paths. 8. Educate users with elevated privileges about the risks and signs of compromise to reduce insider threat risks. 9. Consider isolating WordPress instances in segmented network zones to limit lateral movement in case of compromise.