CVE-2025-7641: 
WordPress vulnerability analysis and mitigation

CVE-2025-7641 affects the Assistant for NextGEN Gallery plugin for WordPress in versions up to and including 1.0.9. The vulnerability was discovered and disclosed on August 15, 2025. This security issue involves insufficient file path validation in the /wp-json/nextgenassistant/v1.0.0/control REST endpoint (NVD).

The vulnerability is classified as a path traversal issue (CWE-22) that allows for arbitrary directory deletion due to improper validation of file paths. It has received a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction (NVD, Wordfence).

The vulnerability can result in complete loss of availability as it allows unauthenticated attackers to delete arbitrary directories on the server. This could potentially lead to significant disruption of the affected WordPress installation (NVD).

The plugin has been temporarily closed as of August 14, 2025, pending a full security review. Users are advised to disable and remove the plugin until a patched version becomes available (WordPress Plugin).