Platform
wordpress
Component
assistant-for-nextgen-gallery
Fixed in
1.0.10
CVE-2025-7641 is a high-severity vulnerability in the Assistant for NextGEN Gallery WordPress plugin. Insufficient validation of user-supplied file paths in the plugin's REST API lets unauthenticated attackers delete arbitrary directories on the server. Versions 1.0.0 through 1.0.9 are affected; the issue is fixed in version 1.0.10. A successful attack can result in complete loss of site availability.
The flaw is in the /wp-json/nextgenassistant/v1.0.0/control REST endpoint, which does not adequately validate the path it is asked to act on, so an attacker can point the plugin's deletion routine at a directory of their choosing. No authentication and no user interaction are required. The request runs with the privileges of the PHP process, so anything the web server user can remove is in scope: on a typical installation that includes the uploads directory, plugin and theme directories, and often the WordPress core itself. Deleting any of these renders the site inoperable, and the content is unrecoverable without backups. Note that the primitive is deletion, not read or write: on its own it does not expose file contents or give the attacker code execution, but a site wiped this way usually has to be rebuilt from backups. The plugin's install base makes the vulnerability attractive for opportunistic mass exploitation.
CVE-2025-7641 was publicly disclosed on 2025-08-15. At the time of writing there are no known public exploits or active campaigns targeting this vulnerability, and the EPSS score is 0.14% (33rd percentile), reflecting low predicted exploitation activity so far. An unauthenticated, single-request primitive against a public REST endpoint is straightforward to weaponize once a proof of concept circulates, so monitor security advisories and threat-intelligence feeds for any change in exploitation status.
Exploit Status
EPSS
0.14% (33rd percentile)
The primary mitigation is to upgrade the Assistant for NextGEN Gallery plugin to version 1.0.10 or later immediately; if the plugin is not actually needed, deactivate and remove it instead. Where the upgrade cannot be applied right away, use temporary workarounds. Block the /wp-json/nextgenassistant/v1.0.0/control endpoint with a WordPress firewall or security plugin, and make sure the rule also matches the alternative REST URL form /?rest_route=/nextgenassistant/v1.0.0/control, which WordPress serves from the same handler; a rule keyed only on the /wp-json/ prefix is trivially bypassed. Review and harden file permissions so the web server user does not own WordPress core or plugin code; this limits what a deletion can reach, although directories PHP must write to (uploads, caches) remain exposed, so verify that recent, restorable backups exist. Monitor web server access logs for requests to the affected endpoint, in either URL form, especially POST requests from clients that have never authenticated. After upgrading, confirm the plugin version on disk is 1.0.10 or later (for example with WP-CLI's wp plugin list or the Plugins screen), and, if you want to test the fix itself, send a deletion request for a throwaway directory on a staging copy of the site, never a production path, and verify that it is rejected rather than acted on.
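The log-monitoring and endpoint-blocking steps above are easy to get wrong because WordPress accepts REST calls in two URL forms. The following Python script is an added example, not code from the plugin, its author, or this advisory: it parses Apache/nginx combined-format access log lines, normalizes both `/wp-json/<route>` and `/?rest_route=<route>` (including percent-encoding, doubled slashes, trailing slashes and letter case) to a single route string, and reports which clients reached the vulnerable route and how many of those requests the server actually accepted (non-4xx/5xx status). The route string is taken from the advisory; the log lines are constructed for the example; the log format is assumed to be the standard combined format.

```python
import re
from typing import Dict, Iterable, Iterator, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Route of the vulnerable endpoint from the advisory, without the /wp-json prefix.
VULN_ROUTE = "/nextgenassistant/v1.0.0/control"

# Apache/nginx "combined" access log format (assumed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def _normalize(route: str) -> str:
    """Decode, collapse duplicate slashes, drop trailing slash, ensure a leading slash."""
    route = unquote(route)
    route = re.sub(r"/+", "/", route).rstrip("/")
    return route if route.startswith("/") else "/" + route


def rest_route(target: str) -> Optional[str]:
    """Return the normalized REST route a request targets, or None for non-REST requests.

    WordPress exposes the REST API as /wp-json/<route> and also as /?rest_route=<route>
    (the fallback used when pretty permalinks are off, but accepted on every site).
    Both reach the same handler, so a filter that only inspects the /wp-json prefix
    misses half of the attack surface.
    """
    parts = urlsplit(target)
    path = _normalize(parts.path)
    if path.startswith("/wp-json/"):
        return "/" + path[len("/wp-json/"):]
    qs = parse_qs(parts.query)  # parse_qs already percent-decodes values
    if "rest_route" in qs:
        return _normalize(qs["rest_route"][0])
    return None


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_hits(lines: Iterable[str]) -> Iterator[Tuple[str, str, int, str]]:
    """Yield (ip, method, status, route) for every request that reached the vulnerable route.

    Comparison is case-insensitive because WordPress matches routes case-insensitively.
    """
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        route = rest_route(rec["target"])
        if route is not None and route.lower() == VULN_ROUTE:
            yield rec["ip"], rec["method"], int(rec["status"]), route


def summarize(lines: Iterable[str]) -> Dict[str, dict]:
    """Per source IP: total requests to the endpoint, how many got a non-error status, methods used."""
    summary: Dict[str, dict] = {}
    for ip, method, status, _ in find_hits(lines):
        entry = summary.setdefault(ip, {"requests": 0, "accepted": 0, "methods": set()})
        entry["requests"] += 1
        entry["methods"].add(method)
        if status < 400:
            entry["accepted"] += 1
    return summary


# Constructed sample log lines for the example (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [15/Aug/2025:10:01:02 +0000] "POST /wp-json/nextgenassistant/v1.0.0/control HTTP/1.1" 200 45 "-" "python-requests/2.32"
203.0.113.7 - - [15/Aug/2025:10:01:05 +0000] "POST /?rest_route=%2Fnextgenassistant%2Fv1.0.0%2Fcontrol HTTP/1.1" 200 45 "-" "python-requests/2.32"
198.51.100.4 - - [15/Aug/2025:10:02:00 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 1832 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Aug/2025:10:03:10 +0000] "POST /wp-json//NextGenAssistant/v1.0.0/control/ HTTP/1.1" 403 112 "-" "curl/8.5.0"
"""

if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {entry['requests']} request(s) to {VULN_ROUTE}, "
              f"{entry['accepted']} accepted, methods={sorted(entry['methods'])}")
```

Run it against a real log with `summarize(open("access.log"))`. A client with accepted requests to this route that never appears in your authenticated-user activity is the signal to act on; a 403 from the firewall rule confirms the block is in place, but only if you also see the `rest_route` and mixed-case variants being rejected, which is exactly what the normalization exercises.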
Update the Assistant for NextGEN Gallery plugin to version 1.0.10 or later to remediate the arbitrary directory deletion vulnerability. Check the WordPress plugins page to obtain the latest update. Consider additional security measures, such as limiting user permissions and monitoring server activity.
CVE-2025-7641 is a high-severity vulnerability in the Assistant for NextGEN Gallery WordPress plugin that allows unauthenticated attackers to delete arbitrary directories on the server due to insufficient file path validation.
You are affected if you are using Assistant for NextGEN Gallery versions 1.0.0 through 1.0.9. Check your plugin version and upgrade immediately if vulnerable.
Upgrade the Assistant for NextGEN Gallery plugin to version 1.0.10 or later. Until the upgrade is applied, restrict access to the vulnerable REST endpoint (in both its /wp-json/ and ?rest_route= URL forms) with a firewall or security plugin.
As of 2025-08-15, there are no known public exploits or active campaigns targeting CVE-2025-7641, but it's crucial to apply the fix promptly.
Check the official Assistant for NextGEN Gallery website and WordPress plugin repository for updates and security advisories related to CVE-2025-7641.