CVE-2025-49451 HIGH

CVE-2025-49451: WordPress Aeroscroll Gallery – Infinite Scroll Image Gallery & Post Grid with Photo Gallery plugin <= 1.0.13 - Directory Traversal Vulnerability

Vendor Yannisraft
Product Aeroscroll Gallery – Infinite Scroll Image Gallery & Post Grid with Photo Gallery
Weakness CWE-35
Published June 17, 2025
Last update April 28, 2026
View on NVD All CVEs

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

Path Traversal: '.../...//' vulnerability in yannisraft Aeroscroll Gallery – Infinite Scroll Image Gallery & Post Grid with Photo Gallery aeroscroll-gallery allows Path Traversal.This issue affects Aeroscroll Gallery – Infinite Scroll Image Gallery & Post Grid with Photo Gallery: from n/a through <= 1.0.13.

Explanation of Vulnerability in Simple Terms

02Summary

Aeroscroll Gallery versions up to 1.0.13 contain a vulnerability that allows unauthenticated attackers to read sensitive information over the network without user interaction. The vulnerability stems from improper access controls that expose confidential data. Site administrators should update to a version newer than 1.0.13 to remediate this issue.

What an attacker can do

03Attacker Capabilities

Read sensitive information from the site without authentication or user interaction.

Potential impact on your site

04Site Impact

Confidential data may be exposed to anyone on the internet who discovers the vulnerable endpoint.

Conditions required to exploit

05Prerequisites

Network access only; no authentication or user action required.

Key dates

06Disclosure timeline

June 17, 2025 CVE published
April 28, 2026 Record updated