CVE-2025-7641 is a path traversal vulnerability classified under CWE-22 found in the Assistant for NextGEN Gallery plugin for WordPress, affecting all versions up to and including 1.0.9. The vulnerability exists in the /wp-json/nextgenassistant/v1.0.0/control REST API endpoint, where insufficient validation of file paths allows an attacker to manipulate directory paths. This flaw enables unauthenticated remote attackers to delete arbitrary directories on the hosting server. The deletion capability arises because the plugin does not properly restrict or sanitize input paths, allowing traversal outside intended directories. The impact is a direct loss of availability, as critical files or directories can be removed, potentially rendering the website or server services inoperable. The vulnerability requires no privileges or user interaction, increasing its risk profile. Although no public exploits have been reported yet, the vulnerability’s characteristics make it a prime target for automated exploitation. The CVSS v3.1 score of 7.5 reflects the network attack vector, low attack complexity, no privileges required, no user interaction, and a high impact on availability but no impact on confidentiality or integrity. This vulnerability highlights the importance of rigorous input validation in REST API endpoints, especially in widely used WordPress plugins.

The primary impact of CVE-2025-7641 is a complete loss of availability of affected WordPress sites using the Assistant for NextGEN Gallery plugin. By deleting arbitrary directories, attackers can remove critical website files, plugin data, or even server-level directories, causing service outages and potential data loss. This can disrupt business operations, damage reputation, and incur recovery costs. Since exploitation requires no authentication or user interaction, the attack surface is broad and accessible to any remote attacker scanning for vulnerable sites. The vulnerability could be leveraged in large-scale automated attacks or targeted campaigns against high-value WordPress deployments. Organizations relying on this plugin for media gallery management face increased risk of denial-of-service conditions and operational downtime. Additionally, recovery may be complicated if backups are not current or comprehensive. The lack of known exploits in the wild currently reduces immediate risk but does not diminish the urgency of remediation.

1. Immediate upgrade or patching: Monitor the vendor for an official patch or update beyond version 1.0.9 that addresses this vulnerability and apply it promptly. 2. If no patch is available, disable or remove the Assistant for NextGEN Gallery plugin to eliminate the attack vector. 3. Implement web application firewall (WAF) rules to detect and block suspicious requests targeting the /wp-json/nextgenassistant/v1.0.0/control endpoint, especially those containing path traversal patterns (e.g., ../ sequences). 4. Restrict access to the REST API endpoint by IP whitelisting or authentication mechanisms where feasible. 5. Regularly back up website files and server data to enable rapid recovery from deletion attacks. 6. Conduct security audits and penetration testing focused on REST API endpoints to identify similar path traversal or input validation issues. 7. Monitor logs for unusual deletion activity or unauthorized access attempts to the vulnerable endpoint. 8. Educate site administrators on the risks of installing unverified plugins and the importance of timely updates.