cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches for modula-best-grid-gallery

Jan 10, 2026

Customizable WordPress Gallery Plugin – Modula Image Gallery # CVE-2025-14003

CVE, Research URL

CVE-2025-14003

Date
Dec 15, 2025
Research Description
The Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `add_images_to_gallery_callback()` function in all versions up to, and including, 2.13.3. This makes it possible for authenticated attackers, with Author-level access and above, to add images to arbitrary Modula galleries owned by other users.
Affected versions
max 2.13.4.
Status
vulnerable

Customizable WordPress Gallery Plugin – Modula Image Gallery # CVE-2025-13891

CVE, Research URL

CVE-2025-13891

Date
Dec 12, 2025
Research Description
The Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.13.3. This is due to the modula_list_folders AJAX endpoint that lacks proper path validation and base directory restrictions. While the endpoint verifies user capabilities (Author+ with upload_files and edit_posts permissions), it fails to validate that user-supplied directory paths reside within safe directories. This makes it possible for authenticated attackers, with Author-level access and above, to enumerate arbitrary directories on the server via the modula_list_folders endpoint.
Affected versions
max 2.13.4.
Status
vulnerable
Dec 11, 2025

Customizable WordPress Gallery Plugin – Modula Image Gallery # CVE-2025-13646

CVE, Research URL

CVE-2025-13646

Date
Dec 03, 2025
Research Description
The Modula Image Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'ajax_unzip_file' function in versions 2.13.1 to 2.13.2. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files with race condition on the affected site's server which may make remote code execution possible.
Affected versions
max 2.13.3.
Status
vulnerable

Customizable WordPress Gallery Plugin – Modula Image Gallery # CVE-2025-12494

CVE, Research URL

CVE-2025-12494

Date
Nov 15, 2025
Research Description
The Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ajax_import_file function in all versions up to, and including, 2.12.28. This makes it possible for authenticated attackers, with author-level access and above, to move arbitrary image files on the server.
Affected versions
max 2.12.29.
Status
vulnerable

Customizable WordPress Gallery Plugin – Modula Image Gallery # CVE-2025-13645

CVE, Research URL

CVE-2025-13645

Date
Dec 03, 2025
Research Description
The Modula Image Gallery plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'ajax_unzip_file' function in versions 2.13.1 to 2.13.2. This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Affected versions
max 2.13.3.
Status
vulnerable
Apr 04, 2025

Customizable WordPress Gallery Plugin – Modula Image Gallery # CVE-2024-9416

CVE, Research URL

CVE-2024-9416

Date
Apr 03, 2025
Research Description
The Modula Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bundled FancyBox JavaScript library (versions <= 5.0.36) due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 2.10.2.
Status
vulnerable
Jan 08, 2025

Customizable WordPress Gallery Plugin – Modula Image Gallery # CVE-2024-12853

CVE, Research URL

CVE-2024-12853

Date
Jan 08, 2025
Research Description
The Modula Image Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the zip upload functionality in all versions up to, and including, 2.11.10. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Affected versions
max 2.11.11.
Status
vulnerable
Jun 07, 2024

Customizable WordPress Gallery Plugin – Modula Image Gallery # CVE-2020-9003

CVE, Research URL

CVE-2020-9003

Date
Feb 21, 2020
Research Description
A stored XSS vulnerability exists in the Modula Image Gallery plugin before 2.2.5 for WordPress. Successful exploitation of this vulnerability would allow an authenticated low-privileged user to inject arbitrary JavaScript code that is viewed by other users.
Affected versions
max 2.6.7.
Status
vulnerable

Customizable WordPress Gallery Plugin – Modula Image Gallery # CVE-2022-41135

CVE, Research URL

CVE-2022-41135

Date
Nov 19, 2022
Research Description
Unauth. Plugin Settings Change vulnerability in Modula plugin <= 2.6.9 on WordPress.
Affected versions
max 2.6.91.
Status
vulnerable