CVE-2025-13641
Unknown Unknown - Not Provided
Local File Inclusion in NextGEN Gallery Plugin Enables Code Execution

Publication date: 2025-12-18

Last updated on: 2025-12-18

Assigner: Wordfence

Description
The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.59.12 via the 'template' shortcode parameter. This is due to insufficient path validation that allows absolute paths to be provided. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary PHP files on the server, bypassing web server restrictions like .htaccess. Successful exploitation could lead to information disclosure, code execution in the WordPress context, and potential remote code execution if combined with arbitrary file upload capabilities.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-18
Last Modified
2025-12-18
Generated
2026-06-16
AI Q&A
2025-12-18
EPSS Evaluated
2026-06-15
NVD
CVE-2025-13641
EUVD
EUVD-2025-204253
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
imagely nextgen_gallery *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-98 The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-13641 is a Local File Inclusion (LFI) vulnerability in the NextGEN Gallery WordPress plugin (versions up to 3.59.12). It arises from insufficient validation of the 'template' shortcode parameter, which previously allowed authenticated users with Contributor-level access or higher to specify absolute file paths for template files. This flaw enabled attackers to include and execute arbitrary PHP files on the server, bypassing web server restrictions like .htaccess. The vulnerability is due to the plugin allowing absolute paths for templates, which could lead to information disclosure and code execution. The fix restricts template loading to specific theme directories and disallows absolute paths, preventing arbitrary file inclusion. [1, 4]

Impact Analysis

If exploited, this vulnerability allows an authenticated attacker with at least Contributor-level access to include and execute arbitrary PHP files on the server running the WordPress site. This can lead to serious impacts including information disclosure, execution of malicious code within the WordPress context, and potentially remote code execution if combined with other vulnerabilities like arbitrary file upload. Such impacts can compromise the integrity, confidentiality, and availability of the affected website and server. [1, 4]

Detection Guidance

To detect this vulnerability, you can monitor WordPress shortcode usage for the 'template' parameter in the NextGEN Gallery plugin, especially looking for attempts to use absolute file paths. Since the vulnerability involves Local File Inclusion via the 'template' shortcode parameter, searching for shortcode usage with absolute paths or suspicious template filenames in logs or database entries may help. Additionally, checking for warnings related to '_doing_it_wrong' in WordPress debug logs can indicate attempts to use deprecated absolute paths. Specific commands are not provided in the resources, but you can use WordPress CLI or database queries to search for shortcode usage patterns, for example: 1. Using WP-CLI to search posts for the shortcode with 'template' parameter: wp db query "SELECT ID, post_content FROM wp_posts WHERE post_content LIKE '%[nggallery template=%'" 2. Searching web server access logs for requests containing suspicious 'template' parameters. 3. Checking WordPress debug logs for '_doing_it_wrong' warnings related to template loading. These approaches help identify exploitation attempts or vulnerable shortcode usage. [1, 4]

Mitigation Strategies

Immediate mitigation steps include: 1. Update the NextGEN Gallery plugin to a version later than 3.59.12 where the vulnerability is fixed. 2. Ensure that no shortcodes use the 'template' parameter with absolute file paths; custom templates should be placed inside the active theme or child theme's 'nggallery' directory and referenced by filename only. 3. Monitor WordPress debug logs for warnings about deprecated absolute path usage to identify and correct insecure shortcode usage. 4. Restrict Contributor-level and higher user permissions to trusted users only, as exploitation requires authenticated access. 5. Consider implementing web application firewall (WAF) rules to detect and block attempts to exploit the 'template' parameter with absolute paths. These steps prevent local file inclusion and potential code execution via the vulnerable shortcode parameter. [1, 4]

Compliance Impact

The vulnerability allows authenticated attackers with Contributor-level access and above to include and execute arbitrary PHP files on the server, potentially leading to information disclosure and remote code execution. Such unauthorized access and data exposure could violate compliance requirements under standards like GDPR and HIPAA, which mandate protection of personal and sensitive data. Therefore, exploitation of this vulnerability could result in non-compliance with these regulations due to potential data breaches and unauthorized system access. [1, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13641. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart