CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Description
Path Traversal vulnerability in yannisraft Aeroscroll Gallery - Infinite Scroll Image Gallery & Post Grid with Photo Gallery allows Path Traversal. This issue affects Aeroscroll Gallery - Infinite Scroll Image Gallery & Post Grid with Photo Gallery: from n/a through 1.0.12.
Analysis
A Path Traversal vulnerability (CWE-35) exists in the Aeroscroll Gallery WordPress plugin (versions through 1.0.12) that allows unauthenticated remote attackers to read files outside the directory the plugin is meant to serve from, potentially exposing wp-config.php, database credentials, and other confidential data. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) scores 7.5 (High): network-reachable, no authentication or user interaction, high confidentiality impact, and no integrity or availability impact, so this is a read-only information disclosure rather than file write or code execution. Every installation running an affected version is exposed.
Technical Context
The vulnerability resides in the yannisraft Aeroscroll Gallery plugin, a WordPress image gallery and post grid extension that implements infinite scroll functionality. Path Traversal (CWE-35) occurs when an application builds a filesystem path from user-supplied input without canonicalizing it, allowing an attacker to use sequences such as '../' or '..\' (and encoded or mixed variants) to step out of the intended directory and read files elsewhere on the host. In a WordPress plugin this most commonly means a file-serving endpoint or AJAX/REST handler that takes an image or gallery path parameter and concatenates it onto a base directory. The advisory does not name the affected parameter or endpoint, so the exact handler is not known from this page; what the vector does establish is that the handler is reachable without authentication. The missing controls are the standard ones: resolve the requested path with realpath() and require the result to remain under the resolved base directory, and restrict what the endpoint will serve to an allow-list (for example, image extensions). A CPE match string constructed here for the affected range (not taken from the advisory) would be cpe:2.3:a:yannisraft:aeroscroll-gallery:*:*:*:*:*:wordpress:*:*, versions 0 through 1.0.12.
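The pattern described above, as an added example written for this page and not code from the Aeroscroll Gallery plugin: a hypothetical image-serving function in its vulnerable form (plain concatenation) beside a hardened form that rejects traversal segments, canonicalizes with realpath(), confines the result to the gallery directory, and allow-lists image extensions. The function names, the directory layout and the sample files are constructed for the demo; the plugin's real endpoint, parameter and base directory are not known from the advisory.

```php
<?php
// Added example, not the plugin's own code. Hypothetical handler names.

// Vulnerable form: the user-supplied path is concatenated onto the base
// directory, so "../wp-config.php" walks out of the gallery directory.
function aero_read_image_vulnerable(string $baseDir, string $userPath): ?string {
    $target = $baseDir . '/' . $userPath;
    return is_file($target) ? file_get_contents($target) : null;
}

// Hardened form: reject traversal tokens early, canonicalize both sides,
// and require the resolved target to stay under the resolved base directory.
function aero_read_image_safe(string $baseDir, string $userPath): ?string {
    // Null bytes and ".." segments (with / or \ separators) have no place in a gallery file name.
    if (strpos($userPath, "\0") !== false || preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $userPath)) {
        return null;
    }
    $base   = realpath($baseDir);
    $target = realpath($baseDir . '/' . $userPath);
    // realpath() returns false for paths that do not exist; treat that as "not found".
    if ($base === false || $target === false) {
        return null;
    }
    // Compare with a trailing separator so "/srv/gallery-private" is not accepted for "/srv/gallery".
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    // Defence in depth: this endpoint only ever serves images.
    $ext = strtolower(pathinfo($target, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif', 'webp'], true)) {
        return null;
    }
    return file_get_contents($target);
}

// Constructed demo layout in a temp directory, standing in for the WordPress
// uploads tree (gallery/) and the site root (wp-config.php one level up).
$root = sys_get_temp_dir() . '/aero-demo-' . getmypid();
mkdir("$root/gallery", 0700, true);
file_put_contents("$root/gallery/cat.jpg", "JPEGDATA");
file_put_contents("$root/wp-config.php", "define('DB_PASSWORD', 'constructed-secret');");

$payload = '../wp-config.php';
printf("vulnerable:       %s\n", var_export(aero_read_image_vulnerable("$root/gallery", $payload), true));
printf("hardened:         %s\n", var_export(aero_read_image_safe("$root/gallery", $payload), true));
printf("hardened (legit): %s\n", var_export(aero_read_image_safe("$root/gallery", 'cat.jpg'), true));

// Clean up the constructed files.
unlink("$root/gallery/cat.jpg");
unlink("$root/wp-config.php");
rmdir("$root/gallery");
rmdir($root);
```

Run with `php example.php`: the vulnerable function returns the contents of the constructed wp-config.php, the hardened one returns null for the same payload and the file data for `cat.jpg`. Because realpath() resolves symlinks, a link placed inside the gallery directory that points outside it is also rejected, which is the behaviour you want for a public image endpoint.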
Affected Products
Aeroscroll Gallery – Infinite Scroll Image Gallery & Post Grid with Photo Gallery, versions 0 through 1.0.12 (inclusive)
EUVD-2025-28308