Imagely NextGEN Gallery
Moderate fix1 remedy
cpe:2.3:a:imagely:nextgen_gallery:*:*:*:*:wordpress:*:*
Moderate fix1 remedy
- <= 4.0.4
NextGEN Gallery Local File Inclusion Vulnerability
Vulnerability
Patched
A local file inclusion vulnerability has been identified in the Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress, affecting all versions through 4.0.3. The vulnerability arises from the 'template' parameter in gallery shortcodes, allowing authenticated attackers with Author-level access and above to include and execute arbitrary PHP files on the server. This exploitation could bypass access controls, access sensitive data, or execute code in cases where PHP files can be uploaded and included.
Impact
Exploitation of this vulnerability could lead to unauthorized file inclusion, allowing attackers to execute arbitrary PHP code on the server.
Reproduction
To reproduce this vulnerability, an authenticated user with Author-level access or higher can create a gallery shortcode that includes a 'template' parameter. The parameter can be manipulated to include arbitrary PHP files from the server, exploiting the local file inclusion vulnerability.
Remediation
Users are advised to update the NextGEN Gallery plugin to version 4.0.5 or later.
Added: Mar 18, 2026, 5:33 PM
Updated: Mar 18, 2026, 5:33 PM
Vulnerability Rating
Custom Algorithm
spread
1.0impact
10.0exploitability
6.4remediation
7.7relevance
4.1threat
4.8urgency
2.9incentive
0.0Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.