CVE-2025-13891 impacts the WordPress plugin Image Gallery – Photo Grid & Video Gallery (Modula) and is a path traversal / directory enumeration weakness in the plugin’s “file browser” AJAX functionality. The public CVE records describe that all versions up to and including 2.13.3 are affected, and that the vulnerable AJAX endpoint is modula_list_folders, which accepts a user-supplied directory path and fails to enforce a safe base directory restriction, enabling an authenticated user to enumerate arbitrary server directories.
| Field | Value |
|---|---|
| CVE | CVE-2025-13891 |
| Plugin Version | Image Gallery – Photo Grid & Video Gallery (Modula) <= 2.13.3 |
| All-time downloads | 5 686 864 |
| Active installations | 100 000+ |
| Publicly Published | December 11, 2025 |
| Last Updated | December 11, 2025 |
| Researcher | Dmitrii Ignatyev |
| PoC | Yes |
| Exploit | No |
| Reference (MITRE) | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-13891 |
| Reference (Wordfence) | https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/modula-best-grid-gallery/image-gallery-photo-grid-video-gallery-modula-2133-missing-authorization-to-arbitrary-directory-listing |
Timeline
| Date | Event |
|---|---|
| October 22, 2025 | Plugin testing and vulnerability detection in Modula Image Gallery – Photo Grid & Video Gallery has been completed |
| October 22, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| December 11, 2025 | Registered CVE-2025-13891 |
Discovery of the Vulnerability
The underlying design flaw is straightforward: the plugin exposes an administrative UX for browsing folders during gallery creation, but the server-side implementation accepts a user-supplied absolute path and performs directory operations on it without a robust “allowed roots” policy. NVD’s summary explicitly states the modula_list_folders endpoint “lacks proper path validation and base directory restrictions,” enabling authenticated attackers with Author-level access (or above) to enumerate arbitrary directories readable by the PHP process. In other words, the handler’s checks answer only “is the requester an Author?” and “does the path exist and is it readable?”, but never answer the security-critical question “is this path inside the only directories we intended to expose?” – and that missing guardrail is what turns a convenience file browser into a traversal primitive.
Understanding Directory Enumeration / Path Traversal Attacks
In WordPress, “directory enumeration” is not merely informational trivia; it often becomes a force multiplier for follow-on exploitation. Once an attacker can list directories outside uploads, they can quickly map the server layout (document roots, adjacent virtual hosts, shared hosting user homes, plugin/theme directories, backup folders, deployment artifacts), which reduces guesswork for other attacks and helps identify targets like mislocated backups, exposed logs, or misconfigured writable paths. Even when the endpoint only returns folder names (not file contents), it still reveals structure that defenders typically assume is opaque from the web, such as /var/www/…, /home/<user>/…, or application-specific paths that indicate framework versions, caching layers, or container mounts. This is why CVE-2025-13891 is tracked as a Path Traversal weakness (CWE-22) in the public record: it breaks a fundamental isolation boundary between “web application feature” and “arbitrary server filesystem surface.”
Exploiting the Directory Enumeration / Path Traversal Vulnerability
To exploit CVE-2025-13891, an attacker with Author-level (or higher) session cookies sends the following request to the plugin’s AJAX handler:
POC:
```http
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://127.0.0.1/wordpress/wp-admin/edit.php?post_type=modula-gallery
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 65
Origin: http://127.0.0.1
DNT: 1
Sec-GPC: 1
Connection: keep-alive
Cookie: AUTHOR+
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

action=modula_list_folders&security=modulaGalleryUpload.security_from_http://127.0.0.1/wordpress/wp-admin/post-new.php?post_type=modula-gallery&post_ID=1402&path=/var/www/html____
```
The immediate impact is a confidentiality breach of server structure: an Author can inventory sensitive directories and infer deployment layout, which is especially damaging in shared hosting or multi-tenant environments where neighboring vhosts and user homes may be visible. NVD’s CNA-provided CVSS vector reflects this as a network-reachable issue with low privileges required and high confidentiality impact (because directory enumeration can expose sensitive environmental information). In practice, this vulnerability is often exploited as a “reconnaissance accelerator”: attackers use it to locate backup directories (/backups, /old, /staging), identify where logs are stored, confirm whether other applications exist on the same host, and determine whether other vulnerabilities (LFI, arbitrary file read, exposed debug endpoints, misconfigured permissions) are likely to be present. Even if Modula itself does not provide file reads, knowing exactly what exists and where can reduce the time-to-compromise dramatically, and it also increases the precision of extortion/sabotage attempts because attackers can point to concrete server artifacts during pressure campaigns.
Recommendations for Improved Security
The correct remediation is to enforce strict base-path restriction with canonicalization, not just “is readable.” At minimum, the server should realpath() the provided path and enforce that it begins with an allow-listed root (typically the WordPress uploads directory, and optionally a plugin-managed import directory), rejecting anything outside those bounds. This “normalize then prefix-check” pattern is what prevents traversal via symlinks and path tricks; without it, any “file browser” endpoint becomes a de facto filesystem oracle. From a deployment perspective, site owners should update to a fixed version as soon as available; third-party tracking indicates a fix in 2.13.4 for the “missing authorization to arbitrary directory listing” class of issue. As a compensating control, reduce the number of Author accounts (or downgrade untrusted contributors), and consider WAF rules blocking admin-ajax.php requests to action=modula_list_folders unless sourced from trusted admin IPs—this doesn’t replace patching, but it can reduce exposure during rollout windows. Finally, treat any plugin “import from server / browse server folders” feature as high-risk in security reviews: these endpoints routinely sit at the boundary between application logic and OS filesystem, where mistakes tend to be high impact.
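The “normalize then prefix-check” handler described above, as an added example rather than Modula’s own code; the action name, function names, nonce action and the optional import directory are assumptions:

```php
<?php
// Added example (not the plugin's code): a hardened "list folders" AJAX handler.
// The allow-listed roots, nonce action name and hook name are assumptions.

function example_allowed_roots(): array {
    // Only the directories we intend to expose. realpath() resolves symlinks and
    // "..", so every later comparison is made on canonical paths.
    $upload = wp_upload_dir();
    $roots  = array_filter( [
        realpath( $upload['basedir'] ),
        realpath( WP_CONTENT_DIR . '/modula-import' ), // assumed import dir
    ] );
    return array_values( $roots );
}

function example_resolve_inside_roots( string $requested, array $roots ) {
    $real = realpath( $requested );
    if ( $real === false || ! is_dir( $real ) ) {
        return null; // missing, unreadable, or not a directory
    }
    foreach ( $roots as $root ) {
        $root   = rtrim( $root, DIRECTORY_SEPARATOR );
        $prefix = $root . DIRECTORY_SEPARATOR;
        // Trailing separator stops "/uploads-evil" from matching root "/uploads".
        if ( $real === $root || strncmp( $real, $prefix, strlen( $prefix ) ) === 0 ) {
            return $real;
        }
    }
    return null; // canonical path lies outside every allowed root: reject
}

function example_list_folders() {
    check_ajax_referer( 'example-folder-browser', 'security' ); // assumed nonce
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $requested = isset( $_POST['path'] ) ? (string) wp_unslash( $_POST['path'] ) : '';
    $dir       = example_resolve_inside_roots( $requested, example_allowed_roots() );
    if ( $dir === null ) {
        // Generic error: do not confirm whether the rejected path exists.
        wp_send_json_error( 'invalid path', 400 );
    }
    $folders = [];
    foreach ( new DirectoryIterator( $dir ) as $entry ) {
        if ( $entry->isDir() && ! $entry->isDot() ) {
            $folders[] = $entry->getFilename();
        }
    }
    wp_send_json_success( $folders );
}
add_action( 'wp_ajax_example_list_folders', 'example_list_folders' );
```

With this check in place, a request carrying path=/var/www/html is rejected with a generic error regardless of whether the directory exists, so the endpoint no longer acts as a filesystem oracle.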
By taking proactive measures to address Directory Enumeration / Path Traversal vulnerabilities like CVE-2025-13891, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Dmitrii I.
