CVE-2025-13641

Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery <= 3.59.12 - Authenticated (Contributor+) Local File Inclusion via 'template'

CVSS 8.8 HIGH | EPSS 0.7% | CWE-98
In short

The NextGEN Gallery WordPress plugin allows users with Contributor access or higher to include and run arbitrary PHP files on the server through a poorly validated 'template' parameter, potentially leading to unauthorized code execution.

Technical detail

NextGEN Gallery <= 3.59.12 contains an authenticated Local File Inclusion vulnerability reachable through the 'template' shortcode parameter. The path validation applied to that parameter is insufficient and accepts absolute paths, so an authenticated user with Contributor or higher privileges can include arbitrary PHP files. Because PHP includes the file directly, web server restrictions such as .htaccess rules do not apply, and the included code runs in the WordPress context; this escalates to remote code execution if it is combined with a way to place a file on the server, such as an arbitrary file upload.

The summary above was generated and translated by AI from the official description.

Official description

The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.59.12 via the 'template' shortcode parameter. This is due to insufficient path validation that allows absolute paths to be provided. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary PHP files on the server, bypassing web server restrictions like .htaccess. Successful exploitation could lead to information disclosure, code execution in the WordPress context, and potential remote code execution if combined with arbitrary file upload capabilities.

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
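The following PHP is an added illustration and is not NextGEN Gallery's code: it shows the general pattern the advisory describes (a shortcode 'template' attribute that reaches include() with only a suffix appended, so an absolute path is honoured as-is) next to a hardened resolver that confines the value to one template directory. The function names, the template directory layout and the default template are assumptions.

```php
<?php
// Added illustration (not NextGEN Gallery's code): the general "template name
// reaches include()" pattern the advisory describes, beside a hardened resolver.
// Function names and the template directory layout are assumptions.

// Hypothetical weak pattern. Only a suffix is appended, so an absolute path
// supplied in the shortcode attribute is included verbatim. PHP reads the file
// directly, which is why .htaccess rules on the web server never apply.
function render_template_unsafe(string $template): void
{
    include $template . '.php';
}

// Hardened resolver: strict allow-list on the name, resolution inside one
// fixed directory, and a canonical-path prefix check. Returns null when the
// value must be rejected.
function resolve_template(string $template, string $template_dir): ?string
{
    // A template name is a bare identifier: no separators, dots or NUL bytes.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $template) !== 1) {
        return null;
    }

    $base = realpath($template_dir);
    if ($base === false) {
        return null;
    }

    // realpath() resolves symlinks and returns false for a missing file, so the
    // prefix check below also defeats escapes through a symlinked template.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $template . '.php');
    $prefix    = $base . DIRECTORY_SEPARATOR;
    if ($candidate === false || strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $candidate;
}

function render_template_safe(string $template, string $template_dir): void
{
    $path = resolve_template($template, $template_dir);
    if ($path === null) {
        // Fall back to a known-good default; never reflect the rejected input.
        $path = realpath($template_dir) . DIRECTORY_SEPARATOR . 'default.php';
    }
    include $path;
}

// Usage with the attribute array a WordPress shortcode handler receives
// (the 'templates' subdirectory is an assumed layout):
//   render_template_safe($atts['template'] ?? 'default', __DIR__ . '/templates');
```

The reason the Contributor threshold matters is that contributors can save posts containing shortcodes, and WordPress evaluates the shortcode, attributes included, when the post is rendered or previewed, with no capability check between the attribute value and the handler. The control therefore has to live in the handler, as above, rather than in who is allowed to use the shortcode. For a site owner the practical check is the installed plugin version against the 3.59.12 ceiling the advisory gives.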
