CVE-2025-13891 is a path traversal vulnerability identified in the 'Image Gallery – Photo Grid & Video Gallery' WordPress plugin developed by wpchill, affecting all versions up to and including 2.13.3. The vulnerability arises from insufficient validation in the modula_list_folders AJAX endpoint, which is responsible for listing directories. While the endpoint enforces user capability checks, requiring at least Author-level permissions with upload_files and edit_posts capabilities, it fails to ensure that the directory paths provided by users remain within a restricted base directory. This improper limitation of pathname (CWE-22) allows authenticated attackers to traverse outside the intended directory scope and enumerate arbitrary directories on the server. The flaw does not permit direct file modification or deletion but can expose sensitive files and directory structures, potentially aiding further attacks such as information gathering for privilege escalation or lateral movement. The vulnerability has a CVSS v3.1 base score of 6.5, indicating medium severity, with a vector of AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, meaning it is remotely exploitable over the network with low attack complexity, requires privileges (Author+), no user interaction, and impacts confidentiality significantly without affecting integrity or availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of publication. The vulnerability is particularly relevant to WordPress sites using this plugin, which is popular for photo and video gallery management.

The primary impact of CVE-2025-13891 is unauthorized disclosure of sensitive information due to directory enumeration on affected WordPress servers. Attackers with Author-level access can map out directory structures and access files outside the intended plugin directories, potentially exposing configuration files, credentials, or other sensitive data stored on the server. This information leakage can facilitate further attacks such as privilege escalation, data exfiltration, or targeted exploitation of other vulnerabilities. While the vulnerability does not allow direct modification or denial of service, the confidentiality breach alone can be critical, especially for organizations hosting sensitive or proprietary content. The requirement for authenticated access limits the attack surface but does not eliminate risk, as Author-level accounts are common in collaborative WordPress environments. Organizations with multiple contributors or less stringent access controls are at higher risk. The absence of known exploits reduces immediate threat but does not preclude future exploitation, especially as proof-of-concept code may emerge. Overall, the vulnerability can undermine trust, lead to data breaches, and increase the attack surface for targeted campaigns.

To mitigate CVE-2025-13891, organizations should first apply any available patches or updates from the wpchill plugin vendor once released. In the absence of an official patch, administrators should restrict Author-level user permissions strictly and audit existing user roles to ensure only trusted users have upload_files and edit_posts capabilities. Implementing web application firewall (WAF) rules to monitor and block suspicious AJAX requests to the modula_list_folders endpoint can help detect and prevent exploitation attempts. Additionally, server-side hardening measures such as disabling directory listing, restricting PHP execution in upload directories, and enforcing strict file system permissions can reduce exposure. Monitoring logs for unusual directory access patterns or repeated requests to the vulnerable endpoint is recommended. For high-security environments, consider temporarily disabling or replacing the plugin with alternatives until a fix is available. Regular security assessments and penetration testing should include checks for path traversal vulnerabilities in plugins and custom code.