Cyber Posture

CVE-2025-13322

Severity: High
Published: 21 November 2025
Modified: 15 April 2026
KEV Added: none listed
Patch: none listed
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0034 (56.8th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

The WP AUDIO GALLERY plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to, and including, 2.0. This is due to the `wpag_uploadaudio_callback()` AJAX handler not properly validating user-supplied file paths in the `audio_upload` parameter before passing them to `unlink()`. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when critical files like wp-config.php are deleted.
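The fix the description implies, as an added example that is not the plugin's code: canonicalise the user-supplied name and confirm it still resolves inside the upload directory before any `unlink()`. The function name `wpag_resolve_inside`, the `audio/` subdirectory and the sample files are assumptions for illustration.

```php
<?php
// Added example, not code from the WP AUDIO GALLERY plugin: a containment check
// a handler should apply to a user-supplied file name (the audio_upload
// parameter) before unlink(). In a real handler it sits after the capability
// and nonce checks; function and directory names here are made up.
// Return the canonical path of $user_value if it names an existing file
// inside $base_dir, or null if the request must be rejected.
function wpag_resolve_inside(string $base_dir, string $user_value): ?string
{
    $real_base = realpath($base_dir);
    if ($real_base === false) {
        return null;
    }
    $real_base = rtrim($real_base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    // Keep only the final path component: no directories, no "..", no absolute paths.
    $name = basename(str_replace('\\', '/', $user_value));
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    // realpath() follows symlinks and returns false for a missing file.
    $candidate = realpath($real_base . $name);
    if ($candidate === false) {
        return null;
    }
    // Prefix check (valid only after both sides are canonical) also catches a
    // symlink inside the upload dir that points somewhere else.
    if (strncmp($candidate, $real_base, strlen($real_base)) !== 0) {
        return null;
    }
    return $candidate;
}

// Self-check against a constructed directory layout (sample data, not from the advisory).
$base = sys_get_temp_dir() . '/wpag_demo_' . bin2hex(random_bytes(4));
mkdir($base . '/audio', 0700, true);
touch($base . '/audio/track.mp3');   // legitimate upload
touch($base . '/secret.php');        // outside the upload dir: must never be deletable
$cases = [
    'track.mp3'     => true,   // plain name inside the directory: deletion may proceed
    '../secret.php' => false,  // traversal collapses to "secret.php", absent from audio/
    '/etc/hosts'    => false,  // absolute path collapses to "hosts", absent from audio/
    'missing.mp3'   => false,  // realpath() returns false for a file that does not exist
];
foreach ($cases as $input => $expected) {
    $ok = wpag_resolve_inside($base . '/audio', $input) !== null;
    printf("%-14s -> %s\n", $input, $ok ? 'delete allowed' : 'rejected');
    assert($ok === $expected);
}
unlink("$base/audio/track.mp3"); unlink("$base/secret.php"); rmdir("$base/audio"); rmdir($base);
```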

Mitigating Controls (NIST 800-53 r5) [AI]

- prevent: Requires validation of user-supplied file paths in the audio_upload parameter to prevent arbitrary file deletion via the vulnerable wpag_uploadaudio_callback() AJAX handler.
- prevent: Mandates identification, reporting, testing, and remediation of the insufficient path validation flaw in the WP AUDIO GALLERY plugin up to version 2.0.
- prevent: Enforces logical access controls to restrict subscriber-level users from deleting arbitrary server files outside intended plugin directories.

Security Summary [AI]

CVE-2025-13322 is an arbitrary file deletion vulnerability in the WP AUDIO GALLERY plugin for WordPress, affecting all versions up to and including 2.0. The issue arises from insufficient file path validation in the `wpag_uploadaudio_callback()` AJAX handler, which processes the `audio_upload` parameter without proper checks before passing it to the `unlink()` function. Published on 2025-11-21, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H) and maps to CWE-73 (External Control of File Name or Path).

Authenticated attackers with subscriber-level access or higher can exploit this vulnerability remotely via the AJAX endpoint. By supplying a crafted file path in the `audio_upload` parameter, they can delete arbitrary files on the server. This capability enables severe impacts, such as deleting critical files like wp-config.php, which can facilitate remote code execution.

Advisories reference vulnerable code locations in the plugin's 2.0 tag on WordPress Trac (lines 150, 513, and 607 in wp-audio-gallery.php) and a Wordfence threat intelligence report. No patches are detailed for the affected versions up to 2.0.

Details

CWE(s): CWE-73 (External Control of File Name or Path)

MITRE ATT&CK Enterprise Techniques [AI]

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1070.004 File Deletion (Stealth): Adversaries may delete files left behind by the actions of their intrusion activity.

Why these techniques?

Exploitation of a public-facing WordPress plugin vulnerability (T1190) directly enables arbitrary file deletion (T1070.004).

Confidence: HIGH (MITRE ATT&CK Enterprise v19.0)
