Skip to main content
CVE Vulnerability Database

CVE-2025-7641: WordPress NextGEN Path Traversal Flaw

CVE-2025-7641 is a path traversal vulnerability in Assistant for NextGEN Gallery plugin for WordPress that enables unauthenticated attackers to delete arbitrary directories. This article covers technical details, affected versions, and mitigation.

Updated:

CVE-2025-7641 Overview

CVE-2025-7641 is a path traversal vulnerability in the Assistant for NextGEN Gallery plugin for WordPress. The flaw resides in the /wp-json/nextgenassistant/v1.0.0/control REST API endpoint and affects all versions up to and including 1.0.9. Insufficient file path validation allows unauthenticated attackers to send crafted requests that delete arbitrary directories on the underlying server. Successful exploitation results in complete loss of availability for the affected WordPress installation, including potential removal of core WordPress directories. The vulnerability is classified under [CWE-22] Improper Limitation of a Pathname to a Restricted Directory.

Critical Impact

Unauthenticated remote attackers can delete arbitrary directories on the server through a vulnerable REST endpoint, causing complete loss of WordPress site availability.

Affected Products

  • Assistant for NextGEN Gallery WordPress plugin, all versions through 1.0.9
  • WordPress sites exposing the /wp-json/nextgenassistant/v1.0.0/control REST endpoint
  • Web servers hosting WordPress installations with the vulnerable plugin active

Discovery Timeline

  • 2025-08-15 - CVE-2025-7641 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-7641

Vulnerability Analysis

The vulnerability exists in the REST API controller registered at /wp-json/nextgenassistant/v1.0.0/control within the Assistant for NextGEN Gallery plugin. The endpoint accepts a file path parameter and performs directory deletion operations without validating or sanitizing the supplied input. Attackers can submit path traversal sequences such as ../ to escape the plugin's intended working directory.

The REST route lacks authentication and authorization checks, allowing any unauthenticated client to invoke the deletion action. When combined with the missing path validation, this produces a pre-auth arbitrary directory deletion primitive. Deleting directories such as wp-content, wp-includes, or wp-admin renders the site inoperative and may destroy uploaded media, plugin files, and configuration data.

Root Cause

The root cause is improper input validation on a privileged file system operation exposed over the WordPress REST API. The control endpoint accepts attacker-controlled path data and passes it to a directory removal function without canonicalizing the path, restricting it to an allow-listed base directory, or verifying a capability check. The endpoint registration also omits a permission_callback that enforces authentication, making the operation reachable by anonymous network clients.

Attack Vector

An attacker reaches the WordPress site over the network and issues an HTTP request to the /wp-json/nextgenassistant/v1.0.0/control endpoint. The request body or query parameters include a relative path containing traversal sequences pointing to a target directory outside the plugin scope. The plugin processes the request and recursively removes the directory specified by the attacker. No credentials, user interaction, or prior site access are required. Refer to the Wordfence Vulnerability Report and the WordPress Plugin Source Code for the vulnerable handler.

Detection Methods for CVE-2025-7641

Indicators of Compromise

  • HTTP requests to /wp-json/nextgenassistant/v1.0.0/control originating from unauthenticated sources or unexpected IP addresses.
  • Request payloads containing path traversal sequences such as ../, encoded variants like %2e%2e%2f, or absolute paths referencing WordPress core directories.
  • Sudden disappearance of directories under wp-content/, wp-includes/, or wp-admin/ accompanied by HTTP 5xx errors.
  • Web server or PHP error logs showing unlink, rmdir, or rmdir_recursive operations triggered by the plugin around the time of the request.

Detection Strategies

  • Inspect WordPress access logs for POST or DELETE requests to the nextgenassistant REST namespace and alert on payloads containing traversal patterns.
  • Deploy a Web Application Firewall (WAF) rule that blocks requests to the vulnerable endpoint when the body or parameters contain .., null bytes, or absolute path prefixes.
  • Monitor file system audit logs for unexpected directory removal events under the WordPress document root performed by the PHP-FPM or web server user.

Monitoring Recommendations

  • Forward WordPress, PHP-FPM, and web server logs to a centralized analytics platform and create detections for the nextgenassistant/v1.0.0/control route.
  • Enable file integrity monitoring on WordPress core, plugin, and upload directories to detect mass deletion events.
  • Alert on HTTP 5xx error spikes from WordPress endpoints, which often follow successful exploitation that destroys site assets.

How to Mitigate CVE-2025-7641

Immediate Actions Required

  • Deactivate and remove the Assistant for NextGEN Gallery plugin until a fixed version is installed, since all versions through 1.0.9 are vulnerable.
  • Block external access to the /wp-json/nextgenassistant/v1.0.0/control REST route at the WAF or reverse proxy layer.
  • Audit the WordPress installation for missing directories and restore from a known-good backup if deletions are detected.
  • Rotate any credentials or secrets that may have been stored in deleted configuration files and re-verify site integrity.

Patch Information

No fixed version is referenced in the NVD record at the time of publication. Review the WordPress Plugin Overview for updates and install any release later than 1.0.9 once published. Verify the patch by confirming that the control REST route enforces a permission_callback requiring administrator capabilities and that supplied paths are canonicalized and constrained to the plugin's working directory.

Workarounds

  • Remove the plugin directory from wp-content/plugins/ if an immediate patch is not available.
  • Add a WAF rule that denies any request to /wp-json/nextgenassistant/ containing traversal sequences such as .., %2e%2e, or absolute paths.
  • Restrict access to the /wp-json/ REST API to authenticated administrators via web server configuration for sites that do not require public REST access.
  • Run the WordPress PHP process under a least-privileged user that cannot delete directories outside the site root.
bash
# Example NGINX rule to block exploitation attempts against the vulnerable endpoint
location ~ ^/wp-json/nextgenassistant/ {
    if ($args ~* "\.\.|%2e%2e") { return 403; }
    if ($request_body ~* "\.\.|%2e%2e") { return 403; }
    return 403;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.