WP AUDIO GALLERY CVE-2025-13322: Brief Summary of Arbitrary File Deletion Vulnerability in WordPress Plugin

This post provides a brief summary of CVE-2025-13322, an arbitrary file deletion vulnerability in the WP AUDIO GALLERY WordPress plugin up to version 2.0. The summary covers affected versions, technical root cause, and relevant references.
CVE Analysis

8 min read

ZeroPath CVE Analysis

2025-11-21

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Deleting a single file can hand over control of a WordPress site to an attacker. CVE-2025-13322 in the WP AUDIO GALLERY plugin demonstrates how insufficient file path validation can allow even low-privileged users to compromise an entire installation. This brief summary covers the technical mechanism, affected versions, and references for further investigation.

WP AUDIO GALLERY is a plugin available in the official WordPress repository, designed to add audio playback and playlist management features to WordPress sites. Its user base is not as large as some of the most popular plugins, but it is present in production environments and subject to the same security expectations as any plugin in the WordPress ecosystem.

Technical Information

CVE-2025-13322 affects all versions of WP AUDIO GALLERY up to and including 2.0. The vulnerability is rooted in the wpag_uploadaudio_callback() AJAX handler. This handler is accessible to any authenticated user via the admin-ajax.php endpoint. It processes the audio_upload parameter, which is intended to specify the path of an uploaded audio file.

The core flaw is that the handler does not validate or sanitize the user-supplied file path before passing it to PHP's unlink() function. This allows attackers to supply directory traversal sequences (such as ../) in the audio_upload parameter, enabling deletion of arbitrary files on the server. For example, an attacker could target wp-config.php in the WordPress root directory, causing the site to enter installation mode and allowing the attacker to take over the site.

Relevant vulnerable code locations are publicly documented:

The root cause is a classic example of CWE-73 (External Control of File Name or Path): the plugin neither restricts file operations to a safe base directory nor checks user input for traversal patterns.
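A hardened form of the handler pattern described above, added here as an example and not taken from the plugin. The AJAX hook name wpag_uploadaudio, the nonce action wpag_delete_audio and the helper wpag_safe_delete_upload() are assumptions; only the handler name and the audio_upload parameter come from the text.

```php
<?php
// Added example, not the plugin's code. Hardened form of the delete handler described
// above. The hook name 'wpag_uploadaudio', the nonce action 'wpag_delete_audio' and the
// helper wpag_safe_delete_upload() are assumptions, not identifiers from the plugin.

// Vulnerable pattern described in the text: the parameter reaches unlink() unchecked.
//   unlink( $_POST['audio_upload'] );

/**
 * Delete a file only if it is a regular audio file inside wp-content/uploads.
 * Returns true on success, or a WP_Error explaining why the request was refused.
 */
function wpag_safe_delete_upload( $requested ) {
    $base_dir = realpath( wp_upload_dir()['basedir'] );
    if ( false === $base_dir ) {
        return new WP_Error( 'no_uploads', 'Uploads directory not available.' );
    }
    // Reject traversal sequences and anything but plain path characters up front.
    if ( false !== strpos( $requested, '..' ) || ! preg_match( '#^[A-Za-z0-9._/-]+$#', $requested ) ) {
        return new WP_Error( 'bad_path', 'Invalid file path.' );
    }
    // realpath() resolves symlinks and normalises the path, so containment is checked on the real target.
    $target = realpath( $base_dir . '/' . ltrim( $requested, '/' ) );
    if ( false === $target
        || 0 !== strpos( $target, $base_dir . DIRECTORY_SEPARATOR )
        || ! is_file( $target ) ) {
        return new WP_Error( 'outside_uploads', 'File is not inside the uploads directory.' );
    }
    // Limit deletion to the media types the plugin manages, never PHP or config files.
    $ext = strtolower( pathinfo( $target, PATHINFO_EXTENSION ) );
    if ( ! in_array( $ext, array( 'mp3', 'ogg', 'wav', 'm4a' ), true ) ) {
        return new WP_Error( 'bad_type', 'Not an audio file.' );
    }
    return unlink( $target ) ? true : new WP_Error( 'unlink_failed', 'Could not delete file.' );
}

function wpag_uploadaudio_callback() {
    check_ajax_referer( 'wpag_delete_audio', 'nonce' );  // CSRF protection
    if ( ! current_user_can( 'upload_files' ) ) {        // subscribers do not have this capability
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }
    $requested = isset( $_POST['audio_upload'] )
        ? sanitize_text_field( wp_unslash( $_POST['audio_upload'] ) ) : '';
    $result = wpag_safe_delete_upload( $requested );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 400 );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_wpag_uploadaudio', 'wpag_uploadaudio_callback' );
```

The containment test on the realpath() result is the check that matters: an input such as ../../wp-config.php resolves outside the uploads base directory and is refused before unlink() is ever reached, and the capability check keeps the endpoint out of reach of subscriber-level accounts.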

Affected Systems and Versions

All versions of WP AUDIO GALLERY up to and including 2.0 are affected. The vulnerability is present regardless of configuration, as long as the plugin is active and the site allows subscriber-level (or other low-privileged) accounts to log in.

Vendor Security History

WP AUDIO GALLERY has not been widely reported for major security incidents prior to this CVE. However, arbitrary file deletion vulnerabilities have been observed in other WordPress plugins, often due to similar input validation oversights. The plugin's response to this vulnerability and future patching practices will be important indicators of its security maturity.

References