Platform
wordpress
Component
assistant-for-nextgen-gallery
Fixed in
1.0.10
CVE-2025-7641 is a high-severity vulnerability in the Assistant for NextGEN Gallery WordPress plugin. A REST API endpoint in the plugin does not adequately validate a caller-supplied file path, so an unauthenticated attacker can delete arbitrary directories on the server. Versions 1.0.0 through 1.0.9 are affected; the issue is fixed in 1.0.10. A successful attack can result in complete loss of site availability.
Arbitrary directory deletion is destructive rather than data-stealing: the attacker can remove any directory the web server process is allowed to delete, which on a typical installation includes wp-content (themes, plugins, uploads) and the WordPress installation itself, taking the site offline. Because no authentication is needed, the endpoint can be hit by anyone who can reach /wp-json/, including mass-scanning tools. That combination of no prerequisites and total loss of availability is what makes the issue high impact; recovery depends on having backups that predate the deletion.
CVE-2025-7641 was publicly disclosed on 2025-08-15. A single unauthenticated request with a crafted path is all the attack requires, so exploitation attempts are likely once the details spread. No public proof-of-concept (PoC) was available at the time of writing, and the vulnerability is not listed in the CISA KEV catalog.
Any site running Assistant for NextGEN Gallery 1.0.0 through 1.0.9 is exposed regardless of other hardening, since the endpoint needs no login. Sites where administrators cannot update plugins promptly (shared or managed hosting with restricted access) and sites without a WAF or any filtering of unauthenticated REST requests are the most likely to remain unpatched and to be hit by opportunistic scanning.
• wordpress / composer / npm:
  grep -rl 'nextgenassistant' /var/www/html/wp-content/plugins/
  Lists plugin directories that reference the vulnerable REST namespace. The namespace and the /control route are normally registered as separate strings in the plugin source, so grep for the namespace alone rather than the full endpoint path.
• generic web:
  curl -s https://your-wordpress-site.com/wp-json/ | grep -o '"nextgenassistant/[^"]*"'
  The REST index at /wp-json/ lists every registered namespace; a match means the plugin is active on the site. This confirms presence only, not the installed version.
• wordpress / composer / npm:
  wp plugin list --fields=name,status,version | grep -i nextgen
  Verify that the installed version is 1.0.10 or later.
• wordpress / composer / npm:
  wp plugin update assistant-for-nextgen-gallery
  Updates the plugin to the latest release. The WP-CLI slug is the plugin directory name; assistant-for-nextgen-gallery is the component listed above.
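The checks above tell you whether the plugin is present; the shell script below is an added example written for this page (not code from the advisory or from the plugin) that reads the Version: header from the plugin's main file and classifies it against the affected range 1.0.0 through 1.0.9, so it can be run on every host in a fleet without WP-CLI. It assumes the standard WordPress plugin header format and a plugin directory named assistant-for-nextgen-gallery (the component listed above); demo() runs the check on a constructed sample header, not on a real installation.

```shell
#!/usr/bin/env bash
# Added example for this page; not code from the advisory or the plugin.
# Classifies an installed copy of Assistant for NextGEN Gallery as vulnerable
# (1.0.0 <= version < 1.0.10) by reading the Version: header of its main file.
# Assumptions: standard WordPress plugin header, plugin directory named
# assistant-for-nextgen-gallery (the component named on this page).

FIRST_VULNERABLE="1.0.0"
FIXED_VERSION="1.0.10"

# version_lt A B -> true (exit 0) when dotted version A is numerically below B.
# Done in awk so the script does not depend on GNU "sort -V".
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      ai = (i <= na) ? x[i] + 0 : 0
      bi = (i <= nb) ? y[i] + 0 : 0
      if (ai < bi) exit 0
      if (ai > bi) exit 1
    }
    exit 1   # equal is not less-than
  }'
}

# plugin_version DIR -> prints the Version: header of the first PHP file in DIR
# that carries a "Plugin Name:" header (WordPress's main-file convention).
plugin_version() {
  local dir="$1" f
  for f in "$dir"/*.php; do
    [ -f "$f" ] || continue
    if grep -qi '^[[:space:]*]*Plugin Name:' "$f"; then
      sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$f" | head -n 1
      return 0
    fi
  done
  return 1
}

# classify VERSION -> outside-range | vulnerable | patched
classify() {
  if version_lt "$1" "$FIRST_VULNERABLE"; then echo "outside-range"
  elif version_lt "$1" "$FIXED_VERSION"; then echo "vulnerable"
  else echo "patched"
  fi
}

# check_plugin_dir DIR -> classification for the plugin installed in DIR
check_plugin_dir() {
  local v
  v="$(plugin_version "$1")" || { echo "no-plugin-header"; return 1; }
  [ -n "$v" ] || { echo "no-version-header"; return 1; }
  classify "$v"
}

# demo: constructed sample header (not a real install) for a 1.0.9 copy
demo() {
  local tmp
  tmp="$(mktemp -d)"
  mkdir -p "$tmp/assistant-for-nextgen-gallery"
  cat > "$tmp/assistant-for-nextgen-gallery/assistant-for-nextgen-gallery.php" <<'EOF'
<?php
/**
 * Plugin Name: Assistant for NextGEN Gallery
 * Version: 1.0.9
 */
EOF
  check_plugin_dir "$tmp/assistant-for-nextgen-gallery"
  rm -rf "$tmp"
}

# On a real host:
#   check_plugin_dir /var/www/html/wp-content/plugins/assistant-for-nextgen-gallery
```

The version comparison is done field by field rather than with a string compare, which matters here because "1.0.10" sorts before "1.0.9" lexically and would be misclassified as vulnerable by a naive check.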
Disclosed: 2025-08-15
Exploit status: no public PoC known; not listed in CISA KEV (as of 2025-08-15)
EPSS: 0.14% (33rd percentile)
The primary mitigation for CVE-2025-7641 is to upgrade the Assistant for NextGEN Gallery plugin to 1.0.10 or later. Until the update is deployed, block requests to the plugin's REST namespace. A Web Application Firewall (WAF) or web-server rule on the path /wp-json/nextgenassistant/ is the quick option, but WordPress also serves every REST route through the query-parameter form (/?rest_route=/nextgenassistant/v1.0.0/control), so a rule written only for the /wp-json/ path must also match that parameter; a filter inside WordPress that rejects the route before dispatch covers both forms. A WAF cannot meaningfully validate file paths on the plugin's behalf, so do not rely on it for more than blocking the endpoint. Tightening filesystem permissions so the PHP process cannot delete directories it has no need to write to limits the blast radius of a successful request. After upgrading, confirm that the installed version is 1.0.10 or later; if you want to verify the endpoint's behaviour, do so only against a disposable staging copy, never by sending a deletion request to a production site.
Update the Assistant for NextGEN Gallery plugin to the latest available version to mitigate the arbitrary directory deletion vulnerability. Check the WordPress plugins page for the most recent update. Consider additional measures such as limiting what the web server process is allowed to write and delete, and monitoring server activity for unexpected requests to the plugin's REST endpoint.
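Because the same route is reachable as /?rest_route=/nextgenassistant/v1.0.0/control, a rule written only for the /wp-json/ path can be sidestepped. The shell script below is an added example for this page (not code from the advisory or from the plugin) that installs a WordPress must-use plugin hooking the REST dispatcher's rest_pre_dispatch filter, so every route under the plugin's namespace is rejected before the plugin's own callback runs, regardless of how the request was addressed. It assumes the namespace prefix is nextgenassistant, as in the endpoint named above, and that the argument is the site's wp-content directory.

```shell
#!/usr/bin/env bash
# Added example for this page; not code from the advisory or the plugin.
# Writes a must-use plugin that short-circuits REST requests whose route lies
# under /nextgenassistant/, as an interim block until 1.0.10 is deployed.
# Assumption: the REST namespace prefix is "nextgenassistant" (from the
# endpoint path named on this page).

# install_rest_block WP_CONTENT_DIR -> writes the mu-plugin and prints its path
install_rest_block() {
  local mu_dir="$1/mu-plugins" file
  file="$mu_dir/block-nextgenassistant-rest.php"
  mkdir -p "$mu_dir"
  cat > "$file" <<'PHP'
<?php
/**
 * Plugin Name: Block nextgenassistant REST namespace (interim CVE-2025-7641 mitigation)
 * Description: Rejects every REST request under /nextgenassistant/ before the plugin's callback runs.
 */
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    // get_route() yields e.g. "/nextgenassistant/v1.0.0/control" for both the
    // /wp-json/... form and the ?rest_route=... form of the same request.
    if ( strpos( $request->get_route(), '/nextgenassistant/' ) === 0 ) {
        return new WP_Error( 'rest_forbidden', 'Endpoint disabled pending update.', array( 'status' => 403 ) );
    }
    return $result;
}, 10, 3 );
PHP
  printf '%s\n' "$file"
}

# rest_block_installed WP_CONTENT_DIR -> exit 0 if the mu-plugin is present
# and still hooks the dispatcher for the namespace
rest_block_installed() {
  local file="$1/mu-plugins/block-nextgenassistant-rest.php"
  [ -f "$file" ] && grep -q 'rest_pre_dispatch' "$file" && grep -q '/nextgenassistant/' "$file"
}

# Usage on a real site (take a backup first):
#   install_rest_block /var/www/html/wp-content
```

Files in wp-content/mu-plugins load on every request without activation, so the block takes effect as soon as the file is written and survives plugin updates; delete the file once 1.0.10 is confirmed installed, since it disables the plugin's REST API entirely rather than just the vulnerable call.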
CVE-2025-7641 is a high-severity vulnerability in the Assistant for NextGEN Gallery WordPress plugin that allows unauthenticated attackers to delete arbitrary directories on the server due to insufficient file path validation.
You are affected if you are using Assistant for NextGEN Gallery versions 1.0.0 through 1.0.9. Check your plugin version and upgrade immediately if vulnerable.
Upgrade the Assistant for NextGEN Gallery plugin to version 1.0.10 or later. Until the upgrade is applied, block access to the vulnerable REST endpoint (including its ?rest_route= form) as a temporary workaround.
As of 2025-08-15, there are no known public exploits or active campaigns targeting CVE-2025-7641, but it's crucial to apply the fix promptly.
Check the official Assistant for NextGEN Gallery website and WordPress plugin repository for updates and security advisories related to CVE-2025-7641.