CVE-2025-7641 Overview
CVE-2025-7641 is a path traversal vulnerability in the Assistant for NextGEN Gallery plugin for WordPress. The flaw affects all versions up to and including 1.0.9. The plugin's /wp-json/nextgenassistant/v1.0.0/control REST endpoint fails to validate file path input and performs no authentication or capability check. Unauthenticated attackers can send crafted requests that delete arbitrary directories the web server user is permitted to remove. Successful exploitation can take the WordPress site fully offline and destroy any data stored under the deleted paths.
Critical Impact
Unauthenticated remote attackers can delete arbitrary server directories through an exposed REST endpoint, resulting in site outage and potential destruction of WordPress core, plugin, theme, and content files.
Affected Products
- Assistant for NextGEN Gallery plugin for WordPress (all versions ≤ 1.0.9)
- WordPress installations exposing the /wp-json/nextgenassistant/v1.0.0/control REST endpoint
- Web servers hosting vulnerable plugin instances
Discovery Timeline
- 2025-08-15 - CVE-2025-7641 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-7641
Vulnerability Analysis
The vulnerability is classified as a Path Traversal weakness [CWE-22]. The Assistant for NextGEN Gallery plugin registers a REST API route at /wp-json/nextgenassistant/v1.0.0/control. This endpoint accepts a file path parameter and performs filesystem operations including directory deletion. The handler does not normalize input paths, does not restrict operations to a designated plugin directory, and does not enforce authentication or capability checks.
Attackers can submit relative path sequences such as ../ to traverse outside the plugin's expected working directory. The endpoint then invokes directory removal against arbitrary filesystem locations accessible to the web server user. Because the request requires no credentials and no user interaction, exploitation can be fully automated against exposed WordPress instances.
Root Cause
The root cause is insufficient file path validation in the REST endpoint handler referenced at nextgenassistant.php line 163. The plugin trusts client-supplied path data without applying a realpath() check, an allowlist of permitted directories, or a permission_callback on the route registration. Combined with the lack of authentication, this exposes destructive filesystem operations to any unauthenticated network caller.
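To make the three missing controls concrete, the following is an added illustration written for this page, not the plugin's own code and not the content of nextgenassistant.php. It shows the shape of a WordPress REST route registered without a permission_callback or path confinement, next to a hardened registration that adds a capability check, a method restriction, a typed argument, and a realpath()-based confinement. The parameter name "path", the base directory under uploads, and the nga_example_* names are assumptions for the example.

```php
<?php
// Added example, not the plugin's own code: the shape of the flaw the advisory
// describes (route with no permission_callback and no path confinement) next to a
// hardened registration. The parameter name "path", the base directory under
// uploads, and the nga_example_* helper names are assumptions for illustration.

// Recursive delete used by both versions; the hardened one only calls it on a
// path that has already been confined to $base.
function nga_example_remove_tree( string $dir ): bool {
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::CHILD_FIRST
    );
    foreach ( $it as $entry ) {
        $entry->isDir() ? rmdir( $entry->getPathname() ) : unlink( $entry->getPathname() );
    }
    return rmdir( $dir );
}

// Vulnerable shape (CWE-22 plus a missing permission_callback). Never hooked here;
// shown only for contrast. Since WP 5.5 the missing permission_callback raises a
// _doing_it_wrong notice, but the route is still served to anonymous callers.
function nga_example_register_vulnerable() {
    register_rest_route( 'nextgenassistant/v1.0.0', '/control', array(
        'methods'  => WP_REST_Server::ALLMETHODS,
        'callback' => function ( WP_REST_Request $request ) {
            // "../../.." walks out of wp-content; "/var/www" is not rejected either.
            $dir = WP_CONTENT_DIR . '/' . $request->get_param( 'path' );
            return rest_ensure_response( array( 'deleted' => nga_example_remove_tree( $dir ) ) );
        },
    ) );
}

// Resolve the client-supplied path and prove it stays strictly below $base.
function nga_example_confine( string $user_path, string $base ): ?string {
    // Cheap early rejects: empty, NUL byte, ".." segment, absolute or drive-letter path.
    if ( '' === $user_path || false !== strpos( $user_path, "\0" )
        || preg_match( '#(^|[\\\\/])\.\.([\\\\/]|$)#', $user_path )
        || preg_match( '#^([A-Za-z]:)?[\\\\/]#', $user_path ) ) {
        return null;
    }
    // realpath() resolves symlinks and "..", so the prefix check on its result is the
    // actual confinement; a non-existent target yields false and is rejected too.
    $real_base = realpath( $base );
    $target    = realpath( $base . DIRECTORY_SEPARATOR . $user_path );
    if ( false === $real_base || false === $target || $target === $real_base
        || 0 !== strpos( $target . DIRECTORY_SEPARATOR, $real_base . DIRECTORY_SEPARATOR ) ) {
        return null;
    }
    return $target;
}

// Hardened registration: capability check, method restriction, typed argument,
// and confinement of the target to one plugin-owned directory.
function nga_example_register_hardened() {
    register_rest_route( 'nextgenassistant/v1.0.0', '/control', array(
        'methods'             => WP_REST_Server::DELETABLE,
        // Core only honours cookie sessions on REST requests that carry a valid
        // X-WP-Nonce, so this check also covers CSRF from a logged-in admin.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'path' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
        'callback' => function ( WP_REST_Request $request ) {
            $base   = wp_upload_dir()['basedir'] . '/nextgenassistant'; // assumed location
            $target = nga_example_confine( (string) $request->get_param( 'path' ), $base );
            if ( null === $target ) {
                return new WP_Error( 'nga_bad_path', 'Path is outside the plugin directory.', array( 'status' => 400 ) );
            }
            return rest_ensure_response( array( 'deleted' => nga_example_remove_tree( $target ) ) );
        },
    ) );
}
add_action( 'rest_api_init', 'nga_example_register_hardened' );
```

The regex rejects in nga_example_confine are only an early exit; the control that actually matters is the prefix comparison on the realpath() output, because that is the value the filesystem will act on after symlinks and ".." have been resolved. Requiring the target to differ from the base also prevents a request from deleting the plugin's own working directory.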
Attack Vector
Exploitation occurs over the network through a standard HTTP request to the WordPress REST API. An attacker crafts a request to the vulnerable control endpoint with a traversal payload pointing to a target directory such as wp-content, wp-includes, or any path writable by the web server process. The server processes the request without authorization checks and recursively deletes the specified directory, breaking the WordPress installation or destroying business-critical data.
No public exploit code or proof-of-concept has been published, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. See the Wordfence Vulnerability Report and the WordPress Plugin Code Reference for additional technical context.
Detection Methods for CVE-2025-7641
Indicators of Compromise
- HTTP requests to /wp-json/nextgenassistant/v1.0.0/control, or to the equivalent index.php?rest_route=/nextgenassistant/v1.0.0/control form that WordPress also serves, from any client: the route requires no credentials, so every hit from an unexpected source is suspect
- Request bodies or parameters containing path traversal sequences such as ../, ..%2f, %2e%2e, or absolute paths like /var/www/html; body parameters do not appear in web server access logs, so a clean query string does not rule out exploitation
- Unexpected disappearance of WordPress directories including wp-content/uploads, wp-content/plugins, or wp-includes
- Web server error logs reporting missing files or broken plugin/theme references after REST API activity
Detection Strategies
- Monitor WordPress access logs for any request matching the nextgenassistant/v1.0.0/control route in either URL form, regardless of HTTP method, and flag path-like parameter values
- Deploy Web Application Firewall (WAF) rules that block traversal patterns directed at WordPress REST endpoints
- Run integrity checks comparing the current filesystem against a known-good WordPress installation manifest, for example wp core verify-checksums and wp plugin verify-checksums --all from WP-CLI
- Correlate REST endpoint requests with subsequent filesystem deletion events using host-based audit logging
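The log-monitoring strategy above, as an added example that is not part of the advisory or the plugin: a PHP CLI script that classifies access-log lines, recognising both URL forms WordPress accepts for the route and flagging traversal or absolute paths in query parameters. The log lines are constructed samples in combined log format using RFC 5737 test addresses, and the nga_* function names are this example's own.

```php
<?php
// Added example, not from the advisory or the plugin: offline scan of web-server
// access logs for requests that reached the vulnerable route in either form WordPress
// accepts (/wp-json/<route> or index.php?rest_route=/<route>), flagging traversal or
// absolute paths in the query string. The log lines are constructed samples in
// combined log format; the nga_* function names are this example's own.

const NGA_ROUTE = 'nextgenassistant/v1.0.0/control';

// Returns null for lines that never touched the route, otherwise a finding.
function nga_classify_line( string $line ): ?array {
    if ( ! preg_match( '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m ) ) {
        return null; // not combined log format
    }
    [ , $ip, $ts, $method, $target, $status ] = $m;

    // Decode twice: ..%2f and %252e%252e are both common in traversal probes.
    $decoded = rawurldecode( rawurldecode( $target ) );
    $path    = (string) parse_url( $decoded, PHP_URL_PATH );
    $query   = (string) parse_url( $decoded, PHP_URL_QUERY );

    $hit = false !== stripos( $path, '/wp-json/' . NGA_ROUTE )
        || false !== stripos( $query, 'rest_route=/' . NGA_ROUTE );
    if ( ! $hit ) {
        return null;
    }

    // Look for ".." segments or absolute paths in every query parameter except the
    // route selector itself. Body parameters are not in access logs, so an empty
    // result here means "nothing visible", not "nothing happened".
    parse_str( $query, $params );
    unset( $params['rest_route'] );
    $suspicious = array();
    foreach ( $params as $name => $value ) {
        if ( is_string( $value ) && (
            preg_match( '#(^|[/\\\\])\.\.([/\\\\]|$)#', $value )
            || preg_match( '#^([A-Za-z]:)?[/\\\\]#', $value ) ) ) {
            $suspicious[ $name ] = $value;
        }
    }
    return compact( 'ip', 'ts', 'method', 'status', 'suspicious' );
}

function nga_scan_lines( array $lines ): array {
    return array_values( array_filter( array_map( 'nga_classify_line', $lines ) ) );
}

// Constructed sample log (RFC 5737 test addresses), not real traffic.
$sample_log = array(
    '203.0.113.10 - - [15/Aug/2025:10:01:22 +0000] "DELETE /wp-json/nextgenassistant/v1.0.0/control?path=..%2F..%2Fuploads HTTP/1.1" 200 27 "-" "curl/8.4.0"',
    '198.51.100.7 - - [15/Aug/2025:10:02:03 +0000] "POST /index.php?rest_route=%2Fnextgenassistant%2Fv1.0.0%2Fcontrol&path=%2Fvar%2Fwww%2Fhtml%2Fwp-includes HTTP/1.1" 200 27 "-" "python-requests/2.32"',
    '192.0.2.5 - - [15/Aug/2025:10:03:44 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [15/Aug/2025:10:04:10 +0000] "POST /wp-json/nextgenassistant/v1.0.0/control HTTP/1.1" 200 27 "-" "curl/8.4.0"',
);

foreach ( nga_scan_lines( $sample_log ) as $f ) {
    printf( "%s %-13s %-6s status=%s %s\n", $f['ts'], $f['ip'], $f['method'], $f['status'],
        $f['suspicious']
            ? 'TRAVERSAL ' . json_encode( $f['suspicious'] )
            : 'route reached, no traversal visible in query (check request body)' );
}
```

Run it as php scan.php against the embedded samples, or replace $sample_log with file() over a real access log. The fourth sample line is the important one: a POST with no query string still reaches the route, and the destructive parameter may have been in the body, so every route hit deserves correlation with host-side deletion events rather than only the lines with visible traversal.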
Monitoring Recommendations
- Enable auditd rules on Linux web hosts to record unlink, unlinkat and rmdir syscalls executed by the web server user (for example www-data), keyed so they can be correlated with REST requests by timestamp
- Forward WordPress and web server logs to a centralized SIEM and alert on traversal signatures hitting /wp-json/ endpoints
- Track plugin inventory across managed WordPress sites and flag any host running Assistant for NextGEN Gallery ≤ 1.0.9
- Alert on backup job failures or sudden drops in indexed content that may indicate destructive activity
How to Mitigate CVE-2025-7641
Immediate Actions Required
- Deactivate and remove the Assistant for NextGEN Gallery plugin until a patched release is verified
- Block external access to /wp-json/nextgenassistant/ routes at the WAF or reverse proxy layer
- Verify recent backups are intact and stored off-host so a site can be restored if deletion has already occurred
- Audit web server and WordPress logs for prior requests to the vulnerable endpoint
Patch Information
At the time of publication, no fixed version above 1.0.9 is documented in the available references. Consult the WordPress Plugin Official Page and the Wordfence Vulnerability Report for updates and apply any vendor-released patch immediately when available.
Workarounds
- Uninstall the plugin entirely if the functionality is non-essential
- Restrict access to the nextgenassistant REST namespace using authentication requirements or IP allowlisting at the web server; avoid blanket restrictions on /wp-json/, which the block editor and many plugins depend on
- Enforce least-privilege filesystem permissions so the web server user cannot delete WordPress core and plugin directories; this does not protect wp-content/uploads, which must remain writable for normal operation
- Deploy a WAF rule that returns a 403 response for any request to nextgenassistant/v1.0.0/control whose parameters contain .., %2e%2e, or a path value beginning with / or a drive letter
# Example nginx rule to block the vulnerable endpoint until patched (inside server {}).
# The location covers /wp-json/...; the if covers WordPress's ?rest_route= fallback.
location ~* ^/wp-json/nextgenassistant/v1\.0\.0/control {
    return 403;
}
if ($arg_rest_route ~* "nextgenassistant(/|%2f)v1\.0\.0(/|%2f)control") {
    return 403;
}
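A web-server rule depends on the proxy or nginx configuration being correct on every host. The following must-use plugin is an added example written for this page, not vendor code and not the advisory's own material: it blocks the route inside WordPress, after core has normalised both URL forms, and logs each attempt with error_log(). The route string is taken from the advisory; the option and error codes are assumptions for the example.

```php
<?php
/**
 * Plugin Name: CVE-2025-7641 virtual patch (added example, not vendor code)
 * Description: Blocks the nextgenassistant/v1.0.0/control REST route at the
 * WordPress layer and logs attempts. Place in wp-content/mu-plugins/ so it loads
 * before regular plugins and cannot be deactivated from the dashboard.
 */

// Assumptions for this example: the route string as published in the advisory and
// error_log() as the sink, so entries land in the PHP or web-server error log.
const NGA_BLOCKED_ROUTE = 'nextgenassistant/v1.0.0/control';

// rest_pre_dispatch runs before route matching; returning a non-null value
// short-circuits dispatch, and a WP_Error becomes the HTTP error response.
add_filter( 'rest_pre_dispatch', function ( $result, WP_REST_Server $server, WP_REST_Request $request ) {
    // get_route() is already normalised whether the request came in as
    // /wp-json/<route> or as index.php?rest_route=/<route>.
    $route = ltrim( $request->get_route(), '/' );
    if ( 0 !== strpos( $route, NGA_BLOCKED_ROUTE ) ) {
        return $result; // not the vulnerable route; let core continue
    }

    // Log enough to reconstruct the attempt, including body parameters that the
    // web-server access log never sees.
    error_log( sprintf(
        'CVE-2025-7641 blocked: %s /%s from %s params=%s',
        $request->get_method(),
        $route,
        $_SERVER['REMOTE_ADDR'] ?? 'unknown',
        wp_json_encode( $request->get_params() )
    ) );

    return new WP_Error(
        'nga_route_disabled',
        'This endpoint is disabled pending a security fix.',
        array( 'status' => 403 )
    );
}, 10, 3 );
```

After installing it, confirm that a request to /wp-json/nextgenassistant/v1.0.0/control and one to /index.php?rest_route=/nextgenassistant/v1.0.0/control both return 403 and that each produces a log line. This complements rather than replaces removing the plugin: the filter only protects requests that reach WordPress's REST dispatcher.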
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


