WordPress Image Gallery Modula Path Traversal Vulnerability

A path traversal vulnerability has been identified in the Image Gallery – Photo Grid & Video Gallery plugin for WordPress, affecting all versions through 2.13.3. The vulnerability arises from the modula_list_folders AJAX endpoint, which lacks adequate path validation and base directory restrictions. Although the endpoint checks user capabilities for authors and above with upload_files and edit_posts permissions, it fails to ensure that user-supplied directory paths are within safe directories. This oversight allows authenticated attackers with author-level access or higher to enumerate arbitrary directories on the server via the modula_list_folders endpoint.

Impact

Exploitation of this vulnerability could lead to unauthorized directory enumeration on the server.

Reproduction

To reproduce this vulnerability, an authenticated user with author-level access or higher can send a request to the modula_list_folders AJAX endpoint. The request can include arbitrary directory paths, which the server will process without proper validation, potentially disclosing sensitive information about the server's file structure.

Remediation

Users are advised to update the Image Gallery – Photo Grid & Video Gallery plugin to version 2.13.4 or later.