
CVE-2025-7641: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in 48hmorris Assistant for NextGEN Gallery

High
Tags: Vulnerability, CVE-2025-7641, cve, cwe-22
Published: Fri Aug 15 2025 (08/15/2025, 08:25:38 UTC)
Source: CVE Database V5
Vendor/Project: 48hmorris
Product: Assistant for NextGEN Gallery

Description

The Assistant for NextGEN Gallery plugin for WordPress is vulnerable to arbitrary directory deletion due to insufficient file path validation in the /wp-json/nextgenassistant/v1.0.0/control REST endpoint in all versions up to, and including, 1.0.9. This makes it possible for unauthenticated attackers to delete arbitrary directories on the server, which can cause a complete loss of availability.

AI-Powered Analysis

AI analysis last updated: 08/15/2025, 09:03:59 UTC

Technical Analysis

CVE-2025-7641 is a high-severity vulnerability classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, commonly known as Path Traversal) in the Assistant for NextGEN Gallery plugin for WordPress, developed by 48hmorris. It affects all versions up to and including 1.0.9. The flaw resides in the /wp-json/nextgenassistant/v1.0.0/control REST endpoint, which does not sufficiently validate user-supplied file paths. An unauthenticated attacker can therefore send requests whose path component traverses outside the intended directory, causing the plugin to delete arbitrary directories on the server hosting the WordPress instance, potentially including critical files or entire directory trees.

The impact is a complete loss of availability of the affected website or service, since essential files or data may be removed. No authentication or user interaction is required, so the issue is remotely exploitable over the network with low attack complexity. The CVSS v3.1 base score is 7.5, reflecting high severity driven primarily by the availability impact (denial of service). No exploits in the wild are currently reported, and no patches or updates have been linked yet, so mitigation may rely on vendor updates or manual protective measures. Because the plugin integrates with WordPress, a widely used content management system, the attack surface is significant, especially for sites that run the NextGEN Gallery plugin alongside this assistant tool.
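The advisory does not show the plugin's code, so the following Python is an added illustration, not the vendor's implementation, of what "sufficient file path validation" means for a delete-directory endpoint: canonicalise the path first (realpath collapses ../ and follows symlinks), then test containment against the allowed base, and never accept the base itself as a target. The directory names, the constructed temporary tree and the symlink that points outside the base are assumptions made for the demonstration.

```python
import os
import tempfile

class PathEscapeError(ValueError):
    """Raised when a caller-supplied path resolves outside the allowed base."""

def resolve_within(base_dir: str, user_path: str) -> str:
    """Return the canonical path for user_path inside base_dir, or raise.

    realpath() collapses '.' and '..' and follows symlinks, so the containment
    test is made on the path the OS would actually act on, not on the string
    the client sent. Absolute paths, NUL bytes and the base itself are rejected.
    """
    base = os.path.realpath(base_dir)
    if os.path.isabs(user_path) or "\0" in user_path:
        raise PathEscapeError(f"rejected: {user_path!r}")
    target = os.path.realpath(os.path.join(base, user_path))
    # commonpath avoids the string-prefix trap where '/srv/wp' would also
    # "match" '/srv/wp-other'; target must be a strict descendant of base.
    if target == base or os.path.commonpath([base, target]) != base:
        raise PathEscapeError(f"escapes base: {user_path!r}")
    return target

def is_within(base_dir: str, user_path: str) -> bool:
    """Boolean form of resolve_within, used by the constructed cases below."""
    try:
        resolve_within(base_dir, user_path)
        return True
    except PathEscapeError:
        return False

def demo() -> dict:
    """Build a constructed tree and report which inputs would be accepted."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "uploads", "gallery")   # the only deletable area
        outside = os.path.join(tmp, "wp-content")        # must never be reachable
        os.makedirs(os.path.join(base, "album1"))
        os.makedirs(outside)
        # a symlink inside the base pointing outside: string checks miss this
        os.symlink(outside, os.path.join(base, "link"))
        cases = ["album1", "album1/../album1/sub", "../../wp-content",
                 "link/plugins", "/etc", "album1/..", "album1/../.."]
        return {c: is_within(base, c) for c in cases}

if __name__ == "__main__":
    for case, ok in demo().items():
        print("allow" if ok else "REJECT", case)
```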

Potential Impact

For European organizations, this vulnerability poses a substantial risk to the availability of websites and web services that rely on the Assistant for NextGEN Gallery plugin. Organizations in sectors such as media, e-commerce, education, and government that use WordPress with this plugin could face service outages, loss of critical content, and reputational damage if exploited. The ability of unauthenticated attackers to delete arbitrary directories means that even external threat actors with no prior access can disrupt operations. This could lead to downtime, loss of customer trust, and potential regulatory scrutiny under EU data protection and operational resilience frameworks. Additionally, organizations with limited incident response capabilities or those that do not regularly update plugins may be particularly vulnerable. The lack of authentication and user interaction requirements increases the risk of automated exploitation attempts, potentially leading to widespread impact if the vulnerability is weaponized. The absence of known exploits currently provides a window for proactive mitigation, but the high severity score underscores the urgency of addressing this issue to prevent availability disruptions.

Mitigation Recommendations

European organizations should immediately audit their WordPress installations to identify the presence of the Assistant for NextGEN Gallery plugin, specifically versions up to 1.0.9. Until an official patch is released, organizations should consider the following specific mitigations:

1) Disable or remove the vulnerable plugin entirely if it is not critical to operations.
2) Restrict access to the /wp-json/nextgenassistant/v1.0.0/control REST endpoint using web application firewalls (WAFs) or reverse proxies, blocking or filtering suspicious requests, especially those containing path traversal patterns (e.g., ../ sequences).
3) Implement strict file system permissions to limit the WordPress process's ability to delete directories outside of designated safe areas, thereby containing potential damage.
4) Monitor web server and application logs for unusual DELETE or REST API calls targeting the vulnerable endpoint to detect exploitation attempts early.
5) Employ intrusion detection systems (IDS) with signatures for path traversal and directory deletion patterns.
6) Prepare incident response plans to quickly restore affected directories from backups if an attack occurs.
7) Stay updated with vendor advisories and apply patches promptly once available.

These targeted measures go beyond generic advice by focusing on access control, monitoring, and containment specific to this vulnerability's exploitation vector.
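Mitigations 2 and 4 can be backed by a log check; the Python below is an added example (not from the advisory or the vendor) that scans constructed access-log lines for requests to the affected route, including the WordPress /index.php?rest_route= form that a rule matching only the /wp-json prefix would miss, and raises the severity when a decoded traversal marker appears in the URL. The parameter name dir, the client addresses and the log lines are constructed placeholders; the advisory does not name the vulnerable parameter, and POST bodies are not in an access log, so plain hits are still reported for correlation.

```python
import re
from urllib.parse import unquote

# Route of the affected endpoint (from the advisory). WordPress also serves REST
# routes as /index.php?rest_route=<route>, so both forms are checked here.
ROUTE = "/nextgenassistant/v1.0.0/control"

# Combined/common access-log prefix: client ident user [time] "METHOD URL PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# '..' followed by a separator (after decoding) is the classic traversal marker
TRAVERSAL_RE = re.compile(r'\.\.(?:[\\/]|$)')

def decode_fully(s: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %252e%252e%252f is seen as ../"""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def targets_endpoint(decoded_url: str) -> bool:
    path, _, query = decoded_url.partition("?")
    if path.startswith("/wp-json" + ROUTE):
        return True
    return any(p.startswith("rest_route=" + ROUTE) for p in query.split("&"))

def classify(line: str):
    """Return a finding dict for a request to the endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_fully(m.group("url"))
    if not targets_endpoint(decoded):
        return None
    # A traversal marker is only visible in the URL; a POST body is not logged,
    # so a plain hit on the endpoint is still reported at 'info' for correlation.
    severity = "high" if TRAVERSAL_RE.search(decoded) else "info"
    return {"ip": m.group("ip"), "method": m.group("method"),
            "status": m.group("status"), "severity": severity, "url": decoded}

def scan(lines):
    return [f for f in map(classify, lines) if f]

# Constructed sample lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Aug/2025:10:01:02 +0000] "POST /wp-json/nextgenassistant/v1.0.0/control?dir=..%2F..%2Fwp-content HTTP/1.1" 200 15 "-" "curl/8.0"',
    '198.51.100.7 - - [15/Aug/2025:10:02:10 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [15/Aug/2025:10:03:44 +0000] "POST /index.php?rest_route=%2Fnextgenassistant%2Fv1.0.0%2Fcontrol&dir=%252e%252e%252f HTTP/1.1" 200 15 "-" "python-requests/2.32"',
    '192.0.2.4 - - [15/Aug/2025:10:05:00 +0000] "POST /wp-json/nextgenassistant/v1.0.0/control HTTP/1.1" 200 15 "-" "Mozilla/5.0"',
]
```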


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-07-14T14:52:05.902Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 689ef436ad5a09ad00697334

Added to database: 8/15/2025, 8:47:50 AM

Last enriched: 8/15/2025, 9:03:59 AM

Last updated: 8/18/2025, 1:22:20 AM
