CVE-2025-12494 - Vulnerability Details

- Image Gallery – Photo Grid & Video Gallery <= 2.12.28 - Improper Authorization to Authenticated (Author+) Arbitrary Image File Move

Description

The Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ajax_import_file function in all versions up to, and including, 2.12.28. This makes it possible for authenticated attackers, with author-level access and above, to move arbitrary image files on the server.

Published: 2025-11-15

Score: 4.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Modula Image Gallery – Photo Grid & Video Gallery plugin allows authenticated WordPress users with author-level privileges or higher to execute an AJAX import that accepts a file path without proper validation, enabling the movement of arbitrary image files on the server. This flaw falls under CWE‑285 and can result in the deletion, relocation, or replacement of critical image assets, thereby affecting the integrity and availability of the site’s media content and potentially compromising backups or stored media.

Affected Systems

All WordPress installations that use the Modula Image Gallery plugin by wpchill and have a plugin version of 2.12.28 or earlier, including every site configured with author or higher roles for the upload functionality.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate risk, and the EPSS score of less than 1% points to a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. An attacker would need to authenticate with an account that has at least author privileges and trigger an AJAX request to the vulnerable import endpoint. Once executed, the attacker could move or delete target files on the server, leading to content loss or potential privilege escalation if the files are system-critical. The attack vector is inferred from the AJAX import function and the requirement for authenticated use; no remote code execution is implied.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

wpchill

Modula Image Gallery – Photo Grid & Video Gallery

unaffected

Version	Status	Constraints
`0`	affected	≤ 2.12.28

No data.

Vendor	Product	Confidence	Versions
Wordpress	Wordpress	—	—
Wpchill	Image Photo Gallery Final Tiles Grid	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Modula Image Gallery plugin to the latest release (minimum 2.12.29) to apply the path‑validation fix.
Restrict the author and higher privileges for users that need to interact with the media import feature, or remove the capability that allows access to the AJAX endpoint entirely.
If an immediate upgrade is not possible, temporarily block or disable the AJAX import endpoint (e.g., via .htaccess rules or a security plugin) until a patch is available.
Implement file‑system integrity monitoring to detect unauthorized file moves or deletions and review server permissions to limit write access to the media directories.

Generated by OpenCVE AI on April 21, 2026 at 01:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00054.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/browser/modula-best-grid-gallery/tags/2.12.26/includes/admin/class-modula-gallery-upload.php#L554
https://plugins.trac.wordpress.org/browser/modula-best-grid-gallery/tags/2.12.26/includes/admin/class-modula-gallery-upload.php#L567
https://plugins.trac.wordpress.org/browser/modula-best-grid-gallery/tags/2.12.26/includes/admin/class-modula-gallery-upload.php#L589
https://plugins.trac.wordpress.org/browser/modula-best-grid-gallery/tags/2.12.26/includes/admin/class-modula-gallery-upload.php#L597
https://plugins.trac.wordpress.org/changeset/3391790/modula-best-grid-gallery/trunk?contextall=1&old=3390878&old_path=%2Fmodula-best-grid-gallery%2Ftrunk
https://research.cleantalk.org/cve-2025-12494/
https://www.wordfence.com/threat-intel/vulnerabilities/id/ca423309-d8bd-46a4-9e88-9534d9c60b4a?source=cve

History

Mon, 17 Nov 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Sat, 15 Nov 2025 22:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wordpress Wordpress wordpress Wpchill Wpchill image Photo Gallery Final Tiles Grid
Vendors & Products		Wordpress Wordpress wordpress Wpchill Wpchill image Photo Gallery Final Tiles Grid

Sat, 15 Nov 2025 06:00:00 +0000

Type	Values Removed	Values Added
Description		The Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ajax_import_file function in all versions up to, and including, 2.12.28. This makes it possible for authenticated attackers, with author-level access and above, to move arbitrary image files on the server.
Title		Image Gallery – Photo Grid & Video Gallery <= 2.12.28 - Improper Authorization to Authenticated (Author+) Arbitrary Image File Move
Weaknesses		CWE-285
References		https://plugins.trac.wordpress.org/browser/modula-best-grid-gallery/tags/2.12.26/includes/admin/class-modula-gallery-upload.php#L554 https://plugins.trac.wordpress.org/browser/modula-best-grid-gallery/tags/2.12.26/includes/admin/class-modula-gallery-upload.php#L567 https://plugins.trac.wordpress.org/browser/modula-best-grid-gallery/tags/2.12.26/includes/admin/class-modula-gallery-upload.php#L589 https://plugins.trac.wordpress.org/browser/modula-best-grid-gallery/tags/2.12.26/includes/admin/class-modula-gallery-upload.php#L597 https://plugins.trac.wordpress.org/changeset/3391790/modula-best-grid-gallery/trunk?contextall=1&old=3390878&old_path=%2Fmodula-best-grid-gallery%2Ftrunk https://research.cleantalk.org/cve-2025-12494/ https://www.wordfence.com/threat-intel/vulnerabilities/id/ca423309-d8bd-46a4-9e88-9534d9c60b4a?source=cve
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}`

Subscriptions

Wordpress Wordpress

Wpchill Image Photo Gallery Final Tiles Grid

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-11-15T05:45:34.066Z

Updated: 2026-04-08T17:22:06.207Z

Reserved: 2025-10-29T20:58:17.650Z

Link: CVE-2025-12494

Vulnrichment

Updated: 2025-11-17T18:46:16.056Z

NVD

Status : Deferred

Published: 2025-11-15T06:15:42.213

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12494

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T01:45:24Z

Weaknesses

CWE-285

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object