
CVE-2025-13891: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in wpchill Image Gallery – Photo Grid & Video Gallery

Severity: Medium
Tags: Vulnerability, CVE-2025-13891, CWE-22
Published: Fri Dec 12 2025 (12/12/2025, 07:20:35 UTC)
Source: CVE Database V5
Vendor/Project: wpchill
Product: Image Gallery – Photo Grid & Video Gallery

Description

The Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.13.3. This is due to the modula_list_folders AJAX endpoint that lacks proper path validation and base directory restrictions. While the endpoint verifies user capabilities (Author+ with upload_files and edit_posts permissions), it fails to validate that user-supplied directory paths reside within safe directories. This makes it possible for authenticated attackers, with Author-level access and above, to enumerate arbitrary directories on the server via the modula_list_folders endpoint.

AI-Powered Analysis

AI analysis last updated: 12/12/2025, 07:29:10 UTC

Technical Analysis

The vulnerability identified as CVE-2025-13891 affects the 'Image Gallery – Photo Grid & Video Gallery' WordPress plugin developed by wpchill. This plugin, widely used for managing photo and video galleries, contains a path traversal flaw in its modula_list_folders AJAX endpoint. The root cause is the lack of validation and restriction of user-supplied directory paths: authenticated users with Author-level permissions or higher (who hold the upload_files and edit_posts capabilities) can enumerate arbitrary directories on the server. An attacker can craft requests that traverse outside the intended base directory and retrieve directory listings that should be restricted. Although the endpoint checks user capabilities, it never confirms that the requested path is confined to a safe base directory, which is the weakness pattern catalogued as CWE-22. The vulnerability requires no user interaction beyond authentication and does not allow direct modification or execution of files, but it exposes potentially sensitive information about the server's file structure. The CVSS 3.1 score of 6.5 reflects a medium severity, with high confidentiality impact but no impact on integrity or availability. No public exploits have been reported yet, but the vulnerability could serve as a reconnaissance step for further attacks such as privilege escalation or targeted exploitation of exposed files. The issue affects all plugin versions up to and including 2.13.3, and no official patches have been linked yet. The vulnerability was published on December 12, 2025, and was reserved earlier on December 2, 2025.

Potential Impact

For European organizations, this vulnerability poses a significant risk of information disclosure. Attackers with Author-level access can enumerate directories, potentially revealing sensitive files such as configuration files, backups, or other data that could facilitate further compromise. This is particularly concerning for organizations that host sensitive or regulated data on WordPress sites, including government agencies, financial institutions, and healthcare providers. The exposure of directory structures can aid attackers in crafting targeted attacks, including privilege escalation or lateral movement within the network. While the vulnerability does not directly allow code execution or denial of service, the confidentiality breach can have cascading effects on organizational security posture. Additionally, organizations with multiple content authors or contributors who have Author-level permissions increase the attack surface. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers often weaponize such vulnerabilities once disclosed. Compliance with GDPR and other data protection regulations may be impacted if sensitive data is exposed, leading to potential legal and reputational consequences.

Mitigation Recommendations

To mitigate this vulnerability, organizations should immediately audit their WordPress installations for the presence of the vulnerable 'Image Gallery – Photo Grid & Video Gallery' plugin and verify the version in use. Until an official patch is released, consider disabling or uninstalling the plugin to eliminate the attack vector. Limit the number of users with Author-level or higher permissions, enforcing the principle of least privilege. Implement web application firewall (WAF) rules to detect and block suspicious requests targeting the modula_list_folders AJAX endpoint, especially those containing directory traversal patterns such as '../'. Conduct thorough logging and monitoring of AJAX requests to identify potential exploitation attempts. Review and harden file system permissions on the server to restrict access to sensitive directories, ensuring that even if directory enumeration occurs, sensitive files remain inaccessible. Once a patch is available, apply it promptly and verify that proper path validation and base directory restrictions are enforced. Additionally, educate content authors and administrators about the risks of elevated permissions and encourage strong authentication practices to reduce the likelihood of compromised accounts.
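The control the analysis above says is missing, and that the last mitigation step asks administrators to verify once a patch ships, is a base-directory containment check: the requested path must resolve, after "." and ".." segments and symlinks are collapsed, to the base directory or one of its descendants. The following PHP is an added example written for this page; it is not the plugin's code, and the base directory, the function name and the sample folders are constructed for the demonstration (in a real WordPress handler the base would typically come from wp_upload_dir(), and the function would run only after the existing capability and nonce checks).

```php
<?php
// Added example, not the plugin's code: a directory-listing helper that
// confines a user-supplied path to one base directory, which is the
// restriction the advisory reports modula_list_folders does not enforce.
// Vulnerable shape described in the advisory, kept only as a comment: a
// capability check followed by listing the raw user-supplied path.
//   if ( current_user_can( 'upload_files' ) ) { return scandir( $_POST['path'] ); }

function list_subfolders(string $base_dir, string $requested): array
{
    $base = realpath($base_dir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('base directory is not available');
    }

    // realpath() collapses "." and ".." and resolves symlinks, so the
    // containment test below sees the directory that would actually be read.
    // A leading "/" in $requested is harmless: it is appended under $base.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);

    // Accept only the base itself or a path strictly below it. Comparing
    // against "base/" (with the separator) stops "base-other" from matching.
    $inside = $target !== false
        && ($target === $base
            || strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0);

    // One generic error for "missing" and "outside base" so the endpoint does
    // not become an oracle for which paths exist elsewhere on the server.
    if (!$inside || !is_dir($target)) {
        throw new InvalidArgumentException('invalid folder');
    }

    $folders = [];
    foreach (scandir($target) as $entry) {
        if ($entry === '.' || $entry === '..') {
            continue;
        }
        if (is_dir($target . DIRECTORY_SEPARATOR . $entry)) {
            $folders[] = $entry;
        }
    }
    sort($folders);
    return $folders;
}

// Constructed demonstration: a temporary base holding albums/2024 and albums/2025.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'gallery-demo-' . getmypid();
mkdir($base . '/albums/2025', 0700, true);
mkdir($base . '/albums/2024', 0700, true);

// The first two inputs stay inside the base; the rest are traversal attempts
// of the kind the mitigation text tells WAF rules and log review to watch for.
$cases = ['albums', 'albums/../albums/2025', '../', '../../../../etc', '/etc'];
foreach ($cases as $path) {
    try {
        printf("%-22s -> [%s]\n", $path, implode(', ', list_subfolders($base, $path)));
    } catch (InvalidArgumentException $e) {
        printf("%-22s -> rejected (%s)\n", $path, $e->getMessage());
    }
}

// Remove the constructed directories again.
rmdir($base . '/albums/2025');
rmdir($base . '/albums/2024');
rmdir($base . '/albums');
rmdir($base);
```

Run with `php example.php`: "albums" lists [2024, 2025], "albums/../albums/2025" normalizes back inside the base and returns an empty list, and the three remaining inputs are rejected with the same generic message. The check is done on the resolved path rather than by scanning the input for "../", because encoded or symlinked variants of a traversal never reach a string filter; a WAF rule on the request pattern is a useful second layer, not a replacement for this server-side check.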


Technical Details

Data Version
5.2
Assigner Short Name
Wordfence
Date Reserved
2025-12-02T15:32:55.502Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 693bc3e35f3fdafda42e6cdc

Added to database: 12/12/2025, 7:27:31 AM

Last enriched: 12/12/2025, 7:29:10 AM

Last updated: 12/12/2025, 10:57:51 AM

Views: 6
