
CVE-2025-13645: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in wpchill Image Gallery – Photo Grid & Video Gallery

Severity: High
Tags: Vulnerability, CVE-2025-13645, cve, cwe-22
Published: Wed Dec 03 2025 (12/03/2025, 02:25:28 UTC)
Source: CVE Database V5
Vendor/Project: wpchill
Product: Image Gallery – Photo Grid & Video Gallery

Description

The Modula Image Gallery plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'ajax_unzip_file' function in versions 2.13.1 to 2.13.2. This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

AI-Powered Analysis

Last updated: 12/03/2025, 02:43:12 UTC

Technical Analysis

CVE-2025-13645 is a path traversal vulnerability classified under CWE-22 found in the wpchill Image Gallery – Photo Grid & Video Gallery WordPress plugin, specifically version 2.13.1. The vulnerability arises from insufficient validation of file paths in the 'ajax_unzip_file' function, which is responsible for handling file unzip operations. Authenticated users with Author-level access or higher can exploit this flaw to delete arbitrary files on the hosting server by manipulating the file path input to traverse directories outside the intended restricted folder. This arbitrary file deletion capability is particularly dangerous because it can be leveraged to remove critical WordPress files such as wp-config.php, which contains database credentials and other sensitive configuration data. Deleting such files can lead to denial of service or enable attackers to upload malicious files or execute arbitrary code remotely, effectively compromising the entire web server. The vulnerability has a CVSS v3.1 base score of 7.2, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and requiring only privileges of an authenticated Author user, without any user interaction. Although no active exploits have been reported in the wild, the ease of exploitation combined with the potential for full server compromise makes this a critical issue for affected WordPress sites. The vulnerability was published on December 3, 2025, and no official patches or updates have been linked yet, emphasizing the need for immediate attention from site administrators.
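Added example, not code from the Modula plugin: a containment check of the kind the analysis says 'ajax_unzip_file' lacked, applied before any delete. The user-supplied path is canonicalized with realpath() and must resolve to a regular file strictly inside the allowed directory; the function names, the uploads layout and the temporary files are constructed for the demo.

```php
<?php
// Added example, not code from the Modula plugin: a containment check of the
// kind the analysis says 'ajax_unzip_file' lacked, applied before any delete.
// Function names and the directory layout below are hypothetical.

/**
 * Resolve $candidate relative to $baseDir and return its canonical path only
 * if it is an existing regular file strictly inside $baseDir; otherwise null.
 */
function resolve_path_within(string $baseDir, string $candidate): ?string
{
    // An embedded NUL byte is never part of a legitimate file name.
    if (strpos($candidate, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    // realpath() collapses "..", "." and symlinks, so the comparison below is
    // made on the path the filesystem would actually open, not the raw string.
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $candidate);
    if ($base === false || $real === false) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    // Keep the trailing separator in the prefix so "/srv/uploads-old/x" is not
    // accepted as lying inside "/srv/uploads".
    if (strncmp($real, $base, strlen($base)) !== 0) {
        return null;
    }
    return is_file($real) ? $real : null;
}

/** Delete $candidate only if it passes the containment check. */
function safe_unlink_within(string $baseDir, string $candidate): bool
{
    $target = resolve_path_within($baseDir, $candidate);
    return $target !== null && unlink($target);
}

// Self-check on a constructed temporary layout: an uploads directory holding
// one archive, with a wp-config.php one level above it that must survive.
$root    = sys_get_temp_dir() . '/pt-demo-' . bin2hex(random_bytes(4));
$uploads = $root . '/uploads';
mkdir($uploads, 0700, true);
file_put_contents($uploads . '/archive.zip', 'constructed');
file_put_contents($root . '/wp-config.php', 'constructed');
assert(safe_unlink_within($uploads, '../wp-config.php') === false);
assert(file_exists($root . '/wp-config.php'));          // still in place
assert(safe_unlink_within($uploads, 'archive.zip') === true);
unlink($root . '/wp-config.php'); rmdir($uploads); rmdir($root);
```

Because the check runs on the resolved path, a symlink placed inside the uploads directory that points elsewhere is also rejected, since realpath() follows it before the prefix comparison.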

Potential Impact

For European organizations, this vulnerability poses a significant risk to websites running WordPress with the vulnerable wpchill Image Gallery plugin. Exploitation can lead to unauthorized deletion of critical files, resulting in website downtime, data loss, and potential full server compromise through remote code execution. This can disrupt business operations, damage reputation, and lead to data breaches involving personal or sensitive information protected under GDPR. Organizations relying on WordPress for e-commerce, customer portals, or public-facing services are particularly vulnerable. The requirement for Author-level access means insider threats or compromised user accounts can be leveraged to exploit this vulnerability. Given the widespread use of WordPress across Europe, especially in small and medium enterprises and public sector websites, the impact could be broad and severe if not mitigated promptly.

Mitigation Recommendations

1. Immediately audit WordPress sites to identify installations of the wpchill Image Gallery – Photo Grid & Video Gallery plugin, specifically version 2.13.1.
2. Restrict Author-level user privileges to only trusted personnel and review user accounts for suspicious activity.
3. Implement strict file system permissions on the server to prevent unauthorized file deletions by the web server user.
4. Use Web Application Firewalls (WAF) with custom rules to detect and block path traversal attempts targeting the 'ajax_unzip_file' function.
5. Monitor server logs for unusual file deletion patterns or unauthorized access attempts.
6. Until an official patch is released, consider disabling or removing the vulnerable plugin entirely.
7. Regularly back up WordPress files and databases to enable quick restoration in case of compromise.
8. Follow wpchill and WordPress security advisories closely for updates or patches addressing this vulnerability.


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-11-25T06:49:47.375Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 692fa033619fec35b4509f1a

Added to database: 12/3/2025, 2:28:03 AM

Last enriched: 12/3/2025, 2:43:12 AM

Last updated: 12/3/2025, 7:26:06 AM