Cyber Posture

CVE-2025-13322

High

Published: 21 November 2025
Modified: 15 April 2026
KEV Added: (not listed)
Patch: (none detailed)
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0034 (56.9th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-13322 is a high-severity External Control of File Name or Path (CWE-73) vulnerability in WordPress, specifically in the WP AUDIO GALLERY plugin (the affected product is inferred from the references). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 43.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and File Deletion (T1070.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent (SI-10, Information Input Validation): requires validation of user-supplied file paths in the audio_upload parameter to prevent arbitrary file deletion via the vulnerable wpag_uploadaudio_callback() AJAX handler.
- prevent (SI-2, Flaw Remediation): mandates identification, reporting, testing, and remediation of the insufficient path validation flaw in the WP AUDIO GALLERY plugin up to version 2.0.
- prevent (logical access control): enforces access controls that restrict subscriber-level users from deleting arbitrary server files outside the intended plugin directories.

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1070.004 File Deletion (Stealth): adversaries may delete files left behind by the actions of their intrusion activity.

Why these techniques?

Exploitation of public-facing WordPress plugin vulnerability (T1190) directly enables arbitrary file deletion (T1070.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

The WP AUDIO GALLERY plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to, and including, 2.0. This is due to the `wpag_uploadaudio_callback()` AJAX handler not properly validating user-supplied file paths in the `audio_upload` parameter before passing them to `unlink()`. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when critical files like wp-config.php are deleted.

Deeper analysis

CVE-2025-13322 is an arbitrary file deletion vulnerability in the WP AUDIO GALLERY plugin for WordPress, affecting all versions up to and including 2.0. The issue arises from insufficient file path validation in the `wpag_uploadaudio_callback()` AJAX handler, which processes the `audio_upload` parameter without proper checks before passing it to the `unlink()` function. Published on 2025-11-21, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H) and maps to CWE-73 (External Control of File Name or Path).

Authenticated attackers with subscriber-level access or higher can exploit this vulnerability remotely via the AJAX endpoint. By supplying a crafted file path in the `audio_upload` parameter, they can delete arbitrary files on the server. This capability enables severe impacts, such as deleting critical files like wp-config.php, which can facilitate remote code execution.
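The advisory describes the defect as a handler that takes the `audio_upload` request parameter and passes it to `unlink()` without validating it. The following is an added illustration, not the plugin's own code, of how such a WordPress AJAX handler can be written so that the request can only name a file inside the plugin's own upload folder. The action name, the `example-audio` directory, the allowed extensions and the capability choice are assumptions for the example; the WordPress API functions used (`check_ajax_referer`, `sanitize_file_name`, `wp_upload_dir`, `wp_delete_file`, `wp_send_json_error`) are real core functions.

```php
<?php
// Added example (not the WP AUDIO GALLERY code): a hardened delete handler.
// It addresses the three weaknesses the advisory lists: no authorization
// check, no CSRF check, and no validation of the path handed to unlink().

add_action('wp_ajax_example_delete_audio', 'example_delete_audio_callback');

function example_delete_audio_callback() {
    // 1. Authorization: require a real capability instead of "any logged-in
    //    user". Subscribers do not have upload_files by default. (Assumption:
    //    the plugin wants uploaders to manage their own audio files.)
    if (!current_user_can('upload_files')) {
        wp_send_json_error('forbidden', 403); // wp_send_json_error() exits
    }

    // 2. CSRF protection: the request must carry a nonce for this action.
    check_ajax_referer('example_delete_audio', 'nonce');

    // 3. Never treat the raw parameter as a path. Reduce it to a bare file
    //    name and reject anything that sanitisation had to change (this
    //    rejects "../", slashes, null bytes and other traversal material).
    $requested = isset($_POST['audio_upload']) ? wp_unslash($_POST['audio_upload']) : '';
    $name = sanitize_file_name(basename($requested));
    if ($name === '' || $name !== $requested) {
        wp_send_json_error('invalid file name', 400);
    }

    // 4. Resolve the file inside a fixed directory under wp-content/uploads
    //    and confirm with realpath() that the canonical result still starts
    //    with that directory (symlinks are resolved by realpath as well).
    $upload = wp_upload_dir();
    $base   = realpath(trailingslashit($upload['basedir']) . 'example-audio');
    $target = ($base === false) ? false : realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $target === false
        || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        wp_send_json_error('not found', 404);
    }

    // 5. Only regular files with an expected audio extension are deletable,
    //    so even a file inside the directory that is not audio stays put.
    $allowed = array('mp3', 'wav', 'ogg');
    $ext     = strtolower(pathinfo($target, PATHINFO_EXTENSION));
    if (!is_file($target) || !in_array($ext, $allowed, true)) {
        wp_send_json_error('not found', 404);
    }

    wp_delete_file($target);
    wp_send_json_success(array('deleted' => $name));
}
```

The important design choice is that the client never supplies a path at all, only a file name; the server decides the directory, and `realpath()` on both sides of the comparison is what makes the containment check hold even when the name survives `basename()` but the directory contains a symlink. A handler written this way cannot reach wp-config.php regardless of what is sent in `audio_upload`, which is the SI-10 control from the table above expressed in code.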

Advisories reference vulnerable code locations in the plugin's 2.0 tag on WordPress Trac (lines 150, 513, and 607 in wp-audio-gallery.php) and a Wordfence threat intelligence report. No patches are detailed for the affected versions up to 2.0.

Details

CWE(s)

CWE-73 (External Control of File Name or Path)
Affected Products

WordPress (WP AUDIO GALLERY plugin, all versions up to and including 2.0)
Inferred from references and description; NVD did not file a CPE for this CVE.

CVEs Like This One

- CVE-2026-5809 (shared CWE-73)
- CVE-2025-12529 (shared CWE-73)
- CVE-2025-10058 (shared CWE-73)
- CVE-2025-9048 (shared CWE-73)
- CVE-2025-66254 (shared CWE-73)
- CVE-2024-12267 (shared CWE-73)
- CVE-2025-10494 (shared CWE-73)
- CVE-2025-65115 (shared CWE-73)
- CVE-2025-6691 (shared CWE-73)
- CVE-2026-28442 (shared CWE-73)

References