Overview
The NextGEN Gallery plugin for WordPress has been found to contain a severe security vulnerability that could allow unauthenticated attackers to delete arbitrary directories on the server. The flaw, designated CVE-2025-7641, affects all versions of the plugin up to and including 1.0.9 and poses a significant risk to WordPress websites that use it. Its potential impact includes system compromise and data leakage.
Vulnerability Summary
CVE ID: CVE-2025-7641
Severity: High (7.5)
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: Potential system compromise or data leakage
Affected Products
Product | Affected Versions
NextGEN Gallery Plugin for WordPress | Up to and including 1.0.9
How the Exploit Works
The vulnerability lies in insufficient file path validation in the /wp-json/nextgenassistant/v1.0.0/control REST endpoint: the directory to delete is taken from the request without adequate checks, so arbitrary directories on the server can be removed. Because the endpoint requires no authentication, an unauthenticated attacker can send a crafted request to it and cause a complete loss of availability on the server.
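To make the missing check concrete, the following is an added illustration of the two controls such a directory-deleting endpoint needs: an authorization gate and confinement of the requested directory to a fixed base. It is my own code, not the plugin's (the advisory does not show the plugin's source), and the base directory, the function names and the is_authorized flag are assumptions; the dir parameter is the one used in the advisory's conceptual request.

```python
import os
import tempfile

# Assumed base directory that a gallery "control" endpoint should be allowed to manage.
# The advisory does not state the plugin's real base path; this value is illustrative.
ALLOWED_BASE = "/var/www/html/wp-content/uploads/nextgen-gallery"


def resolve_within_base(base, requested):
    """Return the resolved path of `requested` if it stays inside `base`, else None.

    This is the check whose absence the advisory describes: the caller names a
    directory, and the handler must refuse anything that is absolute, climbs out
    with '..', or escapes through a symlink. realpath() resolves '..' and symlinks
    before the containment test, so the comparison is made on the real location.
    """
    if not requested or os.path.isabs(requested):
        return None
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, requested))
    # commonpath() compares whole path components, so /a/bc is not "inside" /a/b.
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    if candidate == base_real:
        return None  # refuse to delete the base itself ("dir=." or an empty dir)
    return candidate


def handle_control_delete(params, is_authorized, base=ALLOWED_BASE):
    """Hardened decision logic for a DELETE to the control endpoint (hypothetical).

    Two things the vulnerable behaviour lacks: an authorization gate (in WordPress
    terms, a permission_callback that does not simply return true) and path
    confinement of the `dir` parameter. Returns (status, detail) and never touches
    the filesystem, so it is safe to run anywhere.
    """
    if not is_authorized:
        return (401, "rejected: caller is not authorized to manage galleries")
    target = resolve_within_base(base, params.get("dir", ""))
    if target is None:
        return (400, "rejected: dir must name a subdirectory below the gallery base")
    return (200, target)


def symlink_escape_is_rejected():
    """Build a throwaway tree in which a harmless-looking name is a symlink to a
    directory outside the base, and confirm the containment check refuses it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "uploads")
        outside = os.path.join(tmp, "outside")
        os.makedirs(base)
        os.makedirs(outside)
        os.symlink(outside, os.path.join(base, "looks-harmless"))
        return resolve_within_base(base, "looks-harmless") is None


if __name__ == "__main__":
    # The request from the advisory's conceptual example, evaluated by the hardened logic.
    print(handle_control_delete({"dir": "/var/www/html/"}, is_authorized=False))
    print(handle_control_delete({"dir": "/var/www/html/"}, is_authorized=True))
    print(handle_control_delete({"dir": "album-42"}, is_authorized=True))
    print("symlink escape rejected:", symlink_escape_is_rejected())
```

The containment test is deliberately done on realpath() output rather than on the string the client sent, because a lexical "no .." filter is defeated by a symlink inside the base. A real handler should also perform the deletion in a way that does not re-resolve the path between check and use, so that a symlink swapped in after the check cannot redirect the operation.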
Conceptual Example Code
Below is a conceptual example of how this vulnerability might be exploited. This is a sample HTTP DELETE request that targets the vulnerable REST endpoint:
DELETE /wp-json/nextgenassistant/v1.0.0/control?dir=/var/www/html/ HTTP/1.1
Host: target.example.com
By sending this request, an attacker could potentially delete the entire `/var/www/html/` directory on the server, causing a complete loss of availability.
Mitigation Guidance
The recommended mitigation is to apply the vendor patch as soon as it becomes available. If the patch is not yet available, a Web Application Firewall (WAF) or Intrusion Detection System (IDS) can be used as a temporary mitigation. Regularly updating and patching software remains essential to keeping your systems secure.
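Until the patch is in place, the WAF or IDS rule the advisory suggests comes down to two conditions: a DELETE request to the control endpoint at all, and a dir value that is absolute or climbs upward with "..". The following added example, which is not from the advisory or the vendor, runs that logic as a detection over access-log lines. The endpoint path is the one named in the advisory; the sample log lines, client addresses and function names are constructed for the illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The endpoint path is the one named in the advisory; everything else below is constructed.
CONTROL_ENDPOINT = "/wp-json/nextgenassistant/v1.0.0/control"

# Constructed sample lines in combined log format; addresses are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2025:10:12:01 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2025:10:12:05 +0000] "DELETE /wp-json/nextgenassistant/v1.0.0/control?dir=/var/www/html/ HTTP/1.1" 200 12 "-" "curl/8.1"
198.51.100.4 - - [10/Jul/2025:10:13:44 +0000] "DELETE /wp-json/nextgenassistant/v1.0.0/control?dir=..%2F..%2Fwp-content HTTP/1.1" 200 12 "-" "python-requests/2.31"
192.0.2.9 - - [10/Jul/2025:10:14:02 +0000] "DELETE /wp-json/nextgenassistant/v1.0.0/control?dir=album-42 HTTP/1.1" 200 12 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jul/2025:10:15:30 +0000] "GET /wp-json/nextgenassistant/v1.0.0/control?dir=album-42 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    parts = urlsplit(event["target"])
    event["path"] = parts.path
    # parse_qs percent-decodes, so ..%2F.. becomes ../.. before it is inspected.
    event["dir"] = parse_qs(parts.query).get("dir", [""])[0]
    return event


def looks_like_escape(dir_value):
    """Lexical test for a dir value that points outside any sane base directory."""
    if dir_value.startswith("/") or dir_value.startswith("\\"):
        return True
    segments = re.split(r"[\\/]+", dir_value)
    return ".." in segments


def verdict_for(event):
    """Return 'path-escape', 'endpoint-delete', or None for one parsed event."""
    if event["path"] != CONTROL_ENDPOINT or event["method"] != "DELETE":
        return None
    if looks_like_escape(event["dir"]):
        return "path-escape"
    # Any DELETE here deserves an alert while unpatched: the endpoint needs no authentication.
    return "endpoint-delete"


def scan(log_text):
    """Run the detection over raw log text and return the flagged events in order."""
    flagged = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        verdict = verdict_for(event)
        if verdict:
            flagged.append({"ip": event["ip"], "ts": event["ts"],
                            "dir": event["dir"], "verdict": verdict})
    return flagged


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]:<14} {hit["verdict"]:<15} dir={hit["dir"]!r}')
```

The "endpoint-delete" verdict is intentionally broad: because the vulnerable endpoint accepts unauthenticated callers, any DELETE to it is worth reviewing rather than only the ones carrying an obvious traversal string. A WAF rule written from the same two conditions should decode the query string before matching, as the parser here does, or percent-encoded forms such as ..%2F will slip past it.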
