How to fix CVE-2025-13646?

Within 24 hours: Identify all WordPress installations using Modula Image Gallery versions 2.13.1-2.13.2 and restrict Author-level access to trusted personnel only. Within 7 days: Apply the vendor patch to all affected installations or disable the plugin entirely if patching is not feasible. Within 30 days: Conduct a security audit of user accounts with Author-level permissions and review file upload logs for suspicious activity during the vulnerability window.

Is Modula Image Gallery affected by CVE-2025-13646?

The Modula Image Gallery WordPress plugin contains a critical file upload vulnerability that could allow authenticated users with Author-level permissions to upload malicious files and potentially execute code on affected servers.

CVE-2025-13646

EUVD-2025-200723 HIGH

2025-12-03 [email protected]

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 15, 2026 - 16:14 vuln.today

EUVD ID Assigned

Mar 15, 2026 - 16:14 euvd

EUVD-2025-200723

Patch Released

Mar 15, 2026 - 16:14 nvd

Patch available

CVE Published

Dec 03, 2025 - 03:16 nvd

HIGH 7.5

Description

The Modula Image Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'ajax_unzip_file' function in versions 2.13.1 to 2.13.2. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files with race condition on the affected site's server which may make remote code execution possible.

Analysis

Technical Context

Unrestricted file upload allows attackers to upload malicious files (web shells, executables) that can then be executed on the server. This vulnerability is classified as Unrestricted Upload of File with Dangerous Type (CWE-434).

Affected Products

Affected products: Wpchill Modula Image Gallery

Remediation

A vendor patch is available — apply it immediately. Validate file types by content (magic bytes), not just extension. Store uploads outside the web root. Use random filenames. Scan uploads for malware.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.3

CVSS: +38

POC: 0

CVE-2025-13646 vulnerability details – vuln.today

Back

CVE-2025-13646

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-13646

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code