What is the CVSS score of CVE-2025-13646?

CVE-2025-13646 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.3%.

Which versions of Modula Image Gallery are affected by CVE-2025-13646?

The Modula Image Gallery WordPress plugin contains a critical file upload vulnerability that could allow authenticated users with Author-level permissions to upload malicious files and potentially…. A patch is available.

How to fix or mitigate CVE-2025-13646?

Within 24 hours: Identify all WordPress installations using Modula Image Gallery versions 2.13.1-2.13.2 and restrict Author-level access to trusted personnel only. Within 7 days: Apply the vendor patch to all affected installations or disable the plugin entirely if patching is not feasible. Within 30 days: Conduct a security audit of user accounts with Author-level permissions and review file upload logs for suspicious activity during the vulnerability window.

Modula Image Gallery CVE-2025-13646

EUVD-2025-200723 HIGH

Unrestricted Upload of File with Dangerous Type (CWE-434)

2025-12-03 security@wordfence.com

File Upload WordPress RCE Modula Image Gallery PHP

7.5

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

7.5 HIGH

AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 15, 2026 - 16:14 euvd

EUVD-2025-200723

Analysis Generated

Mar 15, 2026 - 16:14 vuln.today

Patch released

Mar 15, 2026 - 16:14 nvd

Patch available

CVE Published

Dec 03, 2025 - 03:16 nvd

HIGH 7.5

DescriptionCVE.org

The Modula Image Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'ajax_unzip_file' function in versions 2.13.1 to 2.13.2. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files with race condition on the affected site's server which may make remote code execution possible.

Analysis

Technical ContextAI

Unrestricted file upload allows attackers to upload malicious files (web shells, executables) that can then be executed on the server. This vulnerability is classified as Unrestricted Upload of File with Dangerous Type (CWE-434).

RemediationAI

A vendor patch is available — apply it immediately. Validate file types by content (magic bytes), not just extension. Store uploads outside the web root. Use random filenames. Scan uploads for malware.

CVE-2025-13646 vulnerability details – vuln.today

Back

Modula Image Gallery CVE-2025-13646

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

Analysis

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code