CVE-2025-13891: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in wpchill Image Gallery – Photo Grid & Video Gallery
The Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.13.3. The cause is the modula_list_folders AJAX endpoint, which lacks path validation and a base-directory restriction. The endpoint does verify user capabilities (Author or above, with the upload_files and edit_posts capabilities), but it never checks that the user-supplied directory path resolves inside a safe directory. Authenticated attackers with Author-level access or higher can therefore enumerate arbitrary directories on the server through the modula_list_folders endpoint.
AI Analysis
Technical Summary
CVE-2025-13891 is a CWE-22 path traversal flaw in wpchill's 'Image Gallery – Photo Grid & Video Gallery' WordPress plugin. It sits in the modula_list_folders AJAX endpoint, which lists directories for the plugin's gallery functionality. The endpoint checks capabilities (Author or above with upload_files and edit_posts), but it neither canonicalises the user-supplied directory path nor confirms that the result lies inside the intended base directory. A value containing ../ segments therefore walks out of that directory and the handler lists whatever directory it lands in.

The direct result is directory enumeration: an authenticated user learns the server's filesystem layout, for example which backups, exports, other applications or configuration locations exist outside the web root. Listing a directory reveals names, not file contents, but it removes the guesswork from follow-on attacks and the names themselves can be sensitive.

All plugin versions up to and including 2.13.3 are affected. The CVSS v3.1 base score is 6.5 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N: reachable over the network, low attack complexity, low privileges required, no user interaction, unchanged scope, high confidentiality impact, no integrity or availability impact. No public exploit is known at the time of writing. The root cause, a filesystem operation that accepts a caller-controlled path without pinning it to a base directory, is a recurring weakness in plugins that expose filesystem operations over admin-ajax.php.
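The following PHP is an added example written for this page; it is not code from the plugin or from wpchill. It places the unsafe pattern the analysis describes (a directory listing that trusts the caller's path) next to a version that canonicalises the path with realpath() and refuses anything that does not resolve inside a base directory. All function and parameter names are illustrative, and the demo runs against a throwaway directory tree so it works outside WordPress.

```php
<?php
// Added example, not the plugin's own code. Contrasts an unsafe directory
// listing with one that enforces a base-directory restriction.
// Names (list_folders_unsafe, list_folders_safe, $requested) are illustrative.

declare(strict_types=1);

/** Return the sub-directory names of $dir (helper shared by both variants). */
function folder_names(string $dir): array
{
    if (!is_dir($dir)) {
        return [];
    }
    $out = [];
    foreach (scandir($dir) ?: [] as $entry) {
        if ($entry !== '.' && $entry !== '..' && is_dir($dir . DIRECTORY_SEPARATOR . $entry)) {
            $out[] = $entry;
        }
    }
    return $out;
}

/** Unsafe: '..' segments in $requested walk out of $base. */
function list_folders_unsafe(string $base, string $requested): array
{
    return folder_names(rtrim($base, '/\\') . DIRECTORY_SEPARATOR . $requested);
}

/**
 * Canonicalise $base and $base/$requested and keep the result only if it is
 * $base itself or lies strictly below it. realpath() resolves '..', repeated
 * separators and symlinks, so the prefix test runs on the real location; a
 * symlink inside $base that points outside is rejected as well.
 */
function resolve_inside_base(string $base, string $requested): ?string
{
    if (strpos($requested, "\0") !== false) {
        return null; // NUL bytes truncate paths in C-level filesystem calls
    }
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    $target = realpath($baseReal . DIRECTORY_SEPARATOR . $requested);
    if ($target === false) {
        return null; // does not exist, so there is nothing to list
    }
    // The trailing separator stops /srv/uploads-private matching /srv/uploads.
    if ($target !== $baseReal
        && strpos($target, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $target;
}

/** Safe: refuse to list anything that does not resolve inside $base. */
function list_folders_safe(string $base, string $requested): array
{
    $dir = resolve_inside_base($base, $requested);
    if ($dir === null) {
        return []; // inside a WordPress AJAX handler: wp_send_json_error(...)
    }
    return folder_names($dir);
}

// Demo on a throwaway tree under the system temp directory. In a real
// plugin $base would be wp_upload_dir()['basedir'] or a directory below it.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'gallery_' . bin2hex(random_bytes(4));
mkdir($base . '/albums/2024', 0700, true);
mkdir($base . '/albums/2025', 0700, true);

foreach (['albums', 'albums/../albums', '..', '../..', 'albums/../../..'] as $req) {
    printf("%-20s safe=%-16s unsafe=%d entries\n",
        var_export($req, true),
        json_encode(list_folders_safe($base, $req)),
        count(list_folders_unsafe($base, $req)));
}

// Remove the demo tree.
foreach (['/albums/2025', '/albums/2024', '/albums', ''] as $sub) {
    rmdir($base . $sub);
}
```

Run it with `php example.php`. The requests that stay under the base ('albums', 'albums/../albums') are listed by both variants; the ones that climb out ('..', '../..', 'albums/../../..') return nothing from the safe variant while the unsafe variant happily lists the temp directory, its parent and beyond. Two details matter in practice: the check must run on realpath() output rather than on the raw string (a raw-string filter for '..' misses encoded forms and symlinks), and the comparison must include the trailing separator so a sibling directory with the base name as a prefix does not pass.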
Potential Impact
For European organizations the practical effect is disclosure of the server's layout: which directories exist, where backups, exports or other applications live, and where configuration files are kept. Because exploitation requires an account with at least Author rights, the main sources of risk are malicious insiders, compromised contributor accounts and sites that hand out Author or Editor roles freely (multi-author blogs, agency-managed sites, guest-post workflows). Knowledge of the directory tree feeds later stages of an attack, such as locating backup files, targeting other vulnerable components or preparing privilege escalation. Organizations running the plugin on public-facing websites or intranet portals face reputational damage, GDPR obligations if personal data is exposed as a result, and operational risk. The Medium rating reflects the trade-off between the privileges required and the high confidentiality impact. WordPress is widely deployed across Europe, particularly by SMEs and public-sector bodies, so a significant number of sites are exposed until they update.
Mitigation Recommendations
1. Restrict the plugin's functionality to trusted users with the minimum permissions they need; limit Author-level and higher access to essential personnel.
2. Monitor web server and WordPress logs for unusual access to the modula_list_folders AJAX endpoint, in particular repeated calls or path-traversal sequences. Note that admin-ajax.php requests are usually POSTs, so the folder parameter will not appear in access logs; application-level logging or a WAF that inspects request bodies is needed to see it.
3. Add WAF rules that detect and block path-traversal payloads (../, encoded and double-encoded variants) aimed at the affected endpoint.
4. If possible, disable or remove the 'Image Gallery – Photo Grid & Video Gallery' plugin until a release later than 2.13.3 that fixes this issue is available, then update.
5. Follow wpchill's official channels and the plugin's changelog for updates and apply the fix promptly once published.
6. Audit WordPress user roles and remove privileges that are not needed; every unnecessary Author account is an additional way to reach this endpoint.
7. Harden the filesystem so the PHP process cannot read directories outside what WordPress needs, using filesystem permissions or PHP's open_basedir. Directory listing runs with the web server user's privileges, so what that user cannot read it cannot enumerate.
8. Educate site administrators about the risk of granting Author-level access, and require strong authentication such as MFA for all accounts with publishing rights to reduce the impact of credential compromise.
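Recommendations 2 and 3 above are easier to apply inside WordPress than in front of it, because the folder parameter typically travels in a POST body. The PHP below is an added example, not code from wpchill or from the WordPress project: a must-use plugin that rejects modula_list_folders requests carrying traversal sequences before the plugin's own handler runs, and logs the attempt. It assumes the AJAX action name is the same as the endpoint name given in the advisory (modula_list_folders); the parameter that carries the folder path is not named on this page, so every request parameter is inspected. Outside WordPress the file runs a stand-alone demo against constructed requests.

```php
<?php
/**
 * Plugin Name: modula-guard (added example, not wpchill's code)
 * Description: Temporary guard for CVE-2025-13891 until the plugin is updated.
 *
 * Assumptions: the AJAX action is 'modula_list_folders' (taken from the
 * advisory's endpoint name) and the folder parameter name is unknown, so all
 * GET/POST parameters are checked.
 */

declare(strict_types=1);

/** True if any value in $params looks like an attempt to leave a base directory. */
function modula_guard_has_traversal(array $params): bool
{
    foreach ($params as $value) {
        if (is_array($value)) {
            if (modula_guard_has_traversal($value)) {
                return true;
            }
            continue;
        }
        if (!is_string($value)) {
            continue;
        }
        // PHP already URL-decoded $_GET/$_POST once; decoding twice more also
        // catches %2e%2e and double-encoded %252e%252e submitted by the client.
        $decoded = rawurldecode(rawurldecode($value));
        if (strpos($decoded, "\0") !== false) {
            return true;
        }
        // Absolute POSIX paths, UNC paths and Windows drive letters.
        if (preg_match('~^(?:/|\\\\|[A-Za-z]:)~', $decoded) === 1) {
            return true;
        }
        // A '..' path segment anywhere, with either separator.
        if (preg_match('~(?:^|[/\\\\])\.\.(?:[/\\\\]|$)~', $decoded) === 1) {
            return true;
        }
    }
    return false;
}

/** Decide whether a request (merged GET and POST parameters) should be blocked. */
function modula_guard_should_block(array $request): bool
{
    if (($request['action'] ?? '') !== 'modula_list_folders') {
        return false; // only this action is guarded; nothing else is touched
    }
    unset($request['action']);
    return modula_guard_has_traversal($request);
}

if (function_exists('add_action')) {
    // Inside WordPress: admin-ajax.php fires admin_init before wp_ajax_* hooks,
    // so priority 1 here runs ahead of the plugin's own handler.
    add_action('admin_init', function (): void {
        $params = array_merge($_GET, $_POST);
        if (modula_guard_should_block($params)) {
            error_log(sprintf(
                'modula_guard: blocked traversal attempt on modula_list_folders by user %d from %s',
                get_current_user_id(),
                $_SERVER['REMOTE_ADDR'] ?? 'unknown'
            ));
            wp_send_json_error(['message' => 'Invalid folder path'], 400);
        }
    }, 1);
} else {
    // Stand-alone demo with constructed requests (not captured traffic).
    $samples = [
        ['action' => 'modula_list_folders', 'folder' => 'albums/2025'],
        ['action' => 'modula_list_folders', 'folder' => '../../../../etc'],
        ['action' => 'modula_list_folders', 'folder' => '%2e%2e%2f%2e%2e%2fbackups'],
        ['action' => 'modula_list_folders', 'folder' => '%252e%252e%252fprivate'],
        ['action' => 'modula_list_folders', 'folder' => '/var/www'],
        ['action' => 'modula_list_folders', 'opts' => ['dir' => '..\\..\\wp-admin']],
        ['action' => 'heartbeat', 'data' => '../..'],
    ];
    foreach ($samples as $req) {
        printf("%-70s %s\n", json_encode($req), modula_guard_should_block($req) ? 'BLOCK' : 'allow');
    }
}
```

Deploy by copying the file into wp-content/mu-plugins/ (create the directory if needed); must-use plugins load automatically and cannot be deactivated from the dashboard. In the demo only the first and last requests are allowed: the first stays relative and below the base, the last is a different action. The guard is a stop-gap that narrows the attack surface on one action; it does not replace updating the plugin, and a legitimate folder name that happens to begin with a slash or contain a '..' segment would also be refused.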
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-02T15:32:55.502Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693bc3e35f3fdafda42e6cdc
Added to database: 12/12/2025, 7:27:31 AM
Last enriched: 12/19/2025, 8:27:42 AM
Last updated: 2/7/2026, 9:44:58 AM
Related Threats
- CVE-2026-2080: Command Injection in UTT HiPER 810 (High)
- CVE-2026-2079: Improper Authorization in yeqifu warehouse (Medium)
- CVE-2026-1675: CWE-1188 Initialization of a Resource with an Insecure Default in brstefanovic Advanced Country Blocker (Medium)
- CVE-2026-1643: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ariagle MP-Ukagaka (Medium)
- CVE-2026-1634: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in alexdtn Subitem AL Slider (Medium)