CVE-2025-13645
Modula · Modula Image Gallery plugin for WordPress
A high-severity vulnerability exists within the Modula Image Gallery plugin for WordPress, allowing an authenticated attacker to delete arbitrary files on the server.
Executive summary
A high-severity vulnerability exists within the Modula Image Gallery plugin for WordPress, allowing an authenticated attacker to delete arbitrary files on the server. Successful exploitation could lead to a complete denial of service by deleting critical system files, causing the entire website to become inoperable and potentially leading to data loss.
Vulnerability
The vulnerability is a Path Traversal issue within the ajax_unzip_file function. This function fails to properly sanitize or validate the file paths provided by a user when processing a file operation. An authenticated attacker can submit a specially crafted request containing directory traversal sequences (e.g., ../../..) to target and delete files outside of the intended plugin directory. This allows the attacker to delete critical WordPress core files, such as wp-config.php, .htaccess, or any other file the web server process has permission to delete.
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.2. A successful attack could have a significant business impact, including a complete denial of service if core configuration or application files are deleted, rendering the website inaccessible to customers and staff. This can lead to direct revenue loss, reputational damage, and significant effort required for site restoration from backups. Deleting security-related files (like .htaccess) could also disable important security controls, potentially exposing the site to further, more severe attacks.
Remediation
Immediate Action: Update the Modula Image Gallery plugin to the latest version released by the vendor, which contains a patch for this vulnerability, without delay. As a best practice, review all installed WordPress plugins and themes and disable and remove any that are no longer needed, reducing the overall attack surface.
Proactive Monitoring: Monitor web server access logs for suspicious POST requests to wp-admin/admin-ajax.php that contain the ajax_unzip_file action and directory traversal payloads (../). Implement File Integrity Monitoring (FIM) to generate alerts for any unauthorized deletion or modification of critical files like wp-config.php, index.php, and files within the /wp-includes/ directory.
Compensating Controls: If patching cannot be performed immediately, implement a Web Application Firewall (WAF) with rules specifically designed to detect and block path traversal attacks in request parameters. Harden web server file permissions to ensure the user account running the web server cannot delete files outside of its designated directories (e.g., /wp-content/uploads). Restrict access to the WordPress admin panel to trusted IP addresses.
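The log-monitoring guidance above, turned into a small detection routine as an added example (not code from the advisory or from the plugin). It parses Apache combined-format access log lines, keeps only POST requests to wp-admin/admin-ajax.php whose action contains ajax_unzip_file, and flags any other query parameter that still contains a traversal sequence after repeated percent-decoding, so single- and double-encoded variants are caught. The log lines and the parameter name `file` are constructed for illustration; the advisory names the action but not its parameters.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache "combined" log lines for illustration only; not real traffic.
# The parameter name "file" is a placeholder: the advisory does not name the parameters.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Nov/2025:10:14:02 +0000] "POST /wp-admin/admin-ajax.php?action=ajax_unzip_file&file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 41 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Nov/2025:10:15:30 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 120 "-" "Mozilla/5.0"
203.0.113.12 - - [12/Nov/2025:10:16:01 +0000] "POST /wp-admin/admin-ajax.php?action=ajax_unzip_file&file=gallery.zip HTTP/1.1" 200 41 "-" "Mozilla/5.0"
203.0.113.13 - - [12/Nov/2025:10:17:45 +0000] "POST /wp-admin/admin-ajax.php?action=ajax_unzip_file&file=%252e%252e%252f.htaccess HTTP/1.1" 200 41 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# "../" or "..\" anywhere in a decoded value is enough to escalate for review.
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded sequences (%252e%252e%252f) normalise to ../."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious(line: str) -> bool:
    """True for a POST to admin-ajax.php with an ajax_unzip_file action and a traversal payload."""
    m = LOG_RE.match(line)
    if not m or m['method'] != 'POST':
        return False
    parts = urlsplit(m['target'])
    if not parts.path.endswith('/wp-admin/admin-ajax.php'):
        return False
    params = parse_qs(parts.query, keep_blank_values=True)  # parse_qs decodes one layer
    # Substring match: the vendor's registered hook may prefix the name given in the advisory.
    if not any('ajax_unzip_file' in fully_decode(a) for a in params.get('action', [])):
        return False
    return any(
        TRAVERSAL_RE.search(fully_decode(v))
        for name, values in params.items() if name != 'action'
        for v in values
    )


def scan(log_text: str) -> list[tuple[str, str]]:
    """Return (client IP, request target) for every log line that should be escalated."""
    hits = []
    for line in log_text.splitlines():
        if line.strip() and is_suspicious(line):
            m = LOG_RE.match(line)
            hits.append((m['ip'], m['target']))
    return hits
```

Standard access logs only record the query string, while admin-ajax.php parameters are frequently sent in the POST body; to see those, log request bodies at the WAF or reverse proxy, or rely on the File Integrity Monitoring alerts described above as the second line of detection.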
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high severity (CVSS 7.2) and the potential for a complete denial of service, it is strongly recommended that organizations apply the vendor-supplied patch to the Modula Image Gallery plugin on an emergency basis. Although this CVE is not currently listed on the CISA KEV list, its impact is critical. If patching is delayed for any reason, the compensating controls outlined above, particularly the use of a WAF and file permission hardening, should be implemented immediately to mitigate the risk.