Description
The WP AUDIO GALLERY plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to, and including, 2.0. This is due to the `wpag_uploadaudio_callback()` AJAX handler not properly validating user-supplied file paths in the `audio_upload` parameter before passing them to `unlink()`. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when critical files like wp-config.php are deleted.
Published: 2025-11-21
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Deletion that can lead to Remote Code Execution from an authenticated subscriber or higher
Action: Immediate Patch
AI Analysis

Impact

The WP AUDIO GALLERY plugin suffers from a flaw where it fails to validate the file path supplied in the audio_upload parameter before calling unlink(). This weakness allows an authenticated user with subscriber-level permissions or higher to delete any file on the hosting server. The deletion of critical files such as wp-config.php could enable attackers to execute arbitrary code against the WordPress installation. The vulnerability is specific to the wpag_uploadaudio_callback() AJAX handler and results in loss of data integrity, potential availability issues, and, if critical files are removed, remote code execution. The principal weakness aligns with CWE‑73, which represents Improper Restriction of Operations within the Bounds of a File System Path, allowing unauthorized file deletion due to inadequate path validation.

Affected Systems

The vulnerability affects all installations of the WP AUDIO GALLERY plugin by husainali52 with versions 2.0 or earlier. Upgrades beyond 2.0 are assumed to have addressed the missing path validation and should no longer expose the flaw.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity, while the EPSS score of less than 1% suggests that exploitation attempts may be rare. The issue is not listed in CISA’s KEV catalog, but the nature of the flaw and the potential for remote code execution mean that an attacker with subscriber-level access— a relatively low privilege threshold— can pose a significant threat. The attack vector is a web‑based AJAX call that requires a valid authenticated session; an attacker would need to authenticate and then supply a crafted audio_upload parameter to target arbitrary file paths.

Generated by OpenCVE AI on April 22, 2026 at 21:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP AUDIO GALLERY plugin to the latest version (2.1 or later) which removes the unchecked file path deletion flaw.
  • If an upgrade cannot be performed immediately, restrict or disable the wpag_uploadaudio_callback() AJAX endpoint for subscriber-level users, for example by adding an .htaccess rule or a plugin‑level permission check that blocks the operation for non‑admin roles.
  • Implement file integrity monitoring or a web‑application firewall to detect and block attempts to delete or modify critical WordPress files such as wp-config.php.

Generated by OpenCVE AI on April 22, 2026 at 21:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 24 Nov 2025 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Husainali52
Husainali52 wp Audio Gallery
Wordpress
Wordpress wordpress
Vendors & Products Husainali52
Husainali52 wp Audio Gallery
Wordpress
Wordpress wordpress

Fri, 21 Nov 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 21 Nov 2025 07:45:00 +0000

Type Values Removed Values Added
Description The WP AUDIO GALLERY plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to, and including, 2.0. This is due to the `wpag_uploadaudio_callback()` AJAX handler not properly validating user-supplied file paths in the `audio_upload` parameter before passing them to `unlink()`. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when critical files like wp-config.php are deleted.
Title WP AUDIO GALLERY <= 2.0 - Authenticated (Subscriber+) Arbitrary File Deletion via 'audio_upload' Parameter
Weaknesses CWE-73
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}

Subscriptions

Husainali52 Wp Audio Gallery
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:35:54.131Z

Reserved: 2025-11-17T15:56:27.933Z

Link: CVE-2025-13322

cve-icon Vulnrichment

Updated: 2025-11-21T14:53:55.108Z

cve-icon NVD

Status : Deferred

Published: 2025-11-21T08:15:55.660

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13322

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T21:15:27Z

Weaknesses