CVE-2026-1463
Local File Inclusion in NextGEN Gallery Plugin Enables Code Execution
Publication date: 2026-03-18
Last updated on: 2026-03-18
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| photocrati | nextgen_gallery | up to and including 4.0.3 |
| imagely | nextgen_gallery | up to and including 4.0.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-98 | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The NextGEN Gallery plugin for WordPress, up to version 4.0.3, has a Local File Inclusion (LFI) vulnerability via the 'template' parameter in gallery shortcodes.
This vulnerability allows authenticated users with Author-level access or higher to include and execute arbitrary PHP files on the server.
Attackers can exploit this by uploading or referencing malicious PHP files, which the plugin then executes, potentially bypassing access controls and exposing sensitive data or enabling full code execution.
How can this vulnerability impact me?
This vulnerability can have severe impacts including:
- Bypassing access controls, allowing attackers to perform actions beyond their intended permissions.
- Execution of arbitrary PHP code on the server, which can lead to full compromise of the web server.
- Exposure or theft of sensitive data stored on the server.
- Potential defacement, data loss, or use of the server as a launchpad for further attacks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a Local File Inclusion (LFI) via the 'template' parameter of NextGEN Gallery's gallery shortcodes, exploitable by authenticated users with Author-level access or higher.

Detection can focus on two places: the shortcodes stored in the site's content, and HTTP requests that carry a 'template' value with directory traversal patterns or unexpected filenames.

- Inspect the post content stored in the database (and any revision or audit logs of shortcode edits) for gallery shortcodes whose 'template' attribute contains '../', an absolute path, or a filename ending in '.php'.
- Search web server access logs for GET or POST requests to WordPress endpoints that carry a 'template' parameter with traversal patterns or unexpected filenames. Example for an Apache access log:

  `grep -i 'template=.*\.php' /var/log/apache2/access.log | grep -E '\.\./|\.\.\\'`

  Two caveats: the default combined log records only the request line, so a shortcode submitted in the POST body through the editor or the REST API never appears in it, and a URL-encoded traversal such as `%2e%2e%2f` does not match the literal '../' in the second grep. Decode the query string, or extend the pattern, before trusting a negative result.
- Monitor activity by Author-level and higher accounts that involves shortcode edits or uploads of PHP files.

Note that the plugin code changes (Resources 1 and 4) add filtering and validation that prevent directory traversal and restrict template filenames, so detection should focus on attempts made before patching or on systems that are still unpatched. [1, 4]
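The database-side check above, written out as an added example (this is not code from the page or from the NextGEN Gallery project): a PHP script that pulls the 'template' attribute out of gallery shortcodes, URL-decodes it, folds backslashes to slashes, and flags traversal, absolute paths, stream wrappers and explicit .php targets. The shortcode tag names, the helper names and the sample post content are assumptions constructed for the demo.

```php
<?php
// Added example (not NextGEN Gallery code): scan post content for gallery
// shortcodes whose "template" attribute looks like a traversal or PHP-file
// inclusion attempt. The shortcode tags below are assumptions; add the ones
// your installation actually uses.
const GALLERY_SHORTCODE_TAGS = ['ngg', 'ngg_images', 'nggallery'];

/**
 * Return one entry per suspicious shortcode found in $content:
 * ['shortcode' => full match, 'template' => raw attribute, 'reason' => why].
 * An empty array means nothing was flagged.
 */
function find_suspicious_templates(string $content): array
{
    $tags = implode('|', array_map('preg_quote', GALLERY_SHORTCODE_TAGS));
    $hits = [];
    // Opening shortcodes only: "[tag attr=... ]"; the attributes land in $code[2].
    if (!preg_match_all('/\[(' . $tags . ')(\s[^\]]*)\]/i', $content, $codes, PREG_SET_ORDER)) {
        return $hits;
    }
    foreach ($codes as $code) {
        // Accept template="x", template='x' and bare template=x.
        if (!preg_match('/\btemplate\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s\]]+))/i', $code[2], $m)) {
            continue;
        }
        $raw = ($m[1] ?? '') . ($m[2] ?? '') . ($m[3] ?? '');
        // Decode twice so %2e%2e%2f and %252e%252e%252f both normalise to "../",
        // then fold backslashes into slashes, as the patched plugin does.
        $value = str_replace('\\', '/', rawurldecode(rawurldecode($raw)));
        $reason = classify_template_value($value);
        if ($reason !== null) {
            $hits[] = ['shortcode' => $code[0], 'template' => $raw, 'reason' => $reason];
        }
    }
    return $hits;
}

/** Null when the value looks like a plain template name, otherwise the reason. */
function classify_template_value(string $value): ?string
{
    if (strpos($value, "\0") !== false)                 return 'null byte';
    if (preg_match('#(^|/)\.\.(/|$)#', $value))         return 'directory traversal';
    if ($value !== '' && $value[0] === '/')             return 'absolute path';
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $value)) return 'stream wrapper';
    if (preg_match('/\.php\d?(\.|$)/i', $value))        return 'explicit .php target';
    return null;
}

// Constructed sample post content; in practice feed it post_content rows from
// wp_posts (for example exported with `wp db query`).
$samples = [
    'benign'  => '[ngg src="galleries" ids="1" display="basic_thumbnail" template="caption"]',
    'plain'   => '[ngg src="galleries" ids="2" display="basic_thumbnail" template="../../../wp-content/uploads/2026/03/shell.php"]',
    'encoded' => '[nggallery id=3 template=..%2F..%2Fuploads%2Fevil.php]',
    'wrapper' => "[ngg_images gallery_ids='4' template='php://filter/convert.base64-encode/resource=wp-config']",
];
foreach ($samples as $label => $content) {
    $hits = find_suspicious_templates($content);
    printf("%-8s %s\n", $label, $hits ? $hits[0]['reason'] . ': ' . $hits[0]['template'] : 'ok');
}
```

Run it with `php scan.php`, or replace the `$samples` array with `post_content` rows exported from `wp_posts`. Decoding before matching is what separates this from the literal grep above: an encoded `..%2F` passes the grep but is flagged here.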
What immediate steps should I take to mitigate this vulnerability?
To mitigate this Local File Inclusion vulnerability in the NextGEN Gallery plugin, take the following steps:

- Update NextGEN Gallery to version 4.0.4 or later, where the 'template' parameter is strictly validated and directory traversal is blocked.
- If you cannot update immediately, limit Author-level and higher roles to trusted users, since exploitation requires an authenticated account at that level.
- Disable or restrict gallery shortcodes that use the 'template' parameter until the plugin is updated.
- Review the server for suspicious or unauthorized PHP files, especially under the uploads directory, that could be pulled in through this vulnerability, and remove them.
- Add web application firewall (WAF) rules that block requests carrying directory traversal patterns in the 'template' parameter; match on the URL-decoded value so that encoded forms such as `%2e%2e%2f` are caught as well.

The updated plugin code (Resources 1 and 4) normalizes directory separators, blocks directory traversal patterns and restricts template loading to predefined directories, which closes the vulnerability. [1, 4]
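To make the fix concrete, here is an added example (hypothetical code, not the plugin's own patch) of a template resolver in the shape the advisory describes, first unsafe and then hardened along the lines the paragraph lists: separators normalized, traversal rejected, and the resolved path confirmed to sit inside an allowed directory. Function names, the directory layout and the scratch files it creates are all constructed for the demo.

```php
<?php
// Added example, not NextGEN Gallery's own code: a minimal template resolver in
// the shape the advisory describes, shown unsafe and then hardened. Function
// and directory names are hypothetical.

// UNSAFE: the attribute value is glued onto a directory and the first file that
// exists is handed back for include. "../uploads/shell" escapes the directory.
function resolve_template_unsafe(string $template, array $dirs): ?string
{
    foreach ($dirs as $dir) {
        $candidate = $dir . '/' . $template . '.php';
        if (file_exists($candidate)) {
            return $candidate;
        }
    }
    return null;
}

// HARDENED: fold backslashes to slashes, accept only plain names (no "..", no
// leading "/", no ".php", no "scheme://"), and finally confirm that the
// resolved real path still lives under an allowed directory, which also catches
// symlinks planted inside the template directory.
function resolve_template_safe(string $template, array $dirs): ?string
{
    $name = str_replace('\\', '/', $template);
    // Assumption: template names are one or more [A-Za-z0-9_-] segments.
    if ($name === '' || strlen($name) > 100
        || !preg_match('#^[A-Za-z0-9_-]+(?:/[A-Za-z0-9_-]+)*$#', $name)) {
        return null;
    }
    foreach ($dirs as $dir) {
        $base = realpath($dir);
        $real = realpath($dir . '/' . $name . '.php');
        if ($base === false || $real === false) {
            continue;
        }
        if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
            continue; // resolved outside the allowed directory
        }
        return $real;
    }
    return null;
}

// Constructed scratch tree so the example runs stand-alone.
$root = sys_get_temp_dir() . '/ngg-lfi-demo-' . getmypid();
mkdir("$root/templates", 0700, true);
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/templates/caption.php", "<?php // legitimate template\n");
file_put_contents("$root/uploads/shell.php", "<?php // attacker-controlled file\n");
$dirs = ["$root/templates"];

// "..\\uploads\\shell" only escapes on Windows, where backslash is a separator;
// the hardened resolver normalises it first and rejects it everywhere.
foreach (['caption', '../uploads/shell', '..\\uploads\\shell'] as $t) {
    printf("%-20s unsafe=%-5s safe=%s\n", $t,
        resolve_template_unsafe($t, $dirs) ? 'FILE' : 'null',
        resolve_template_safe($t, $dirs) ? 'FILE' : 'null');
}

// Tidy up the scratch tree.
array_map('unlink', ["$root/templates/caption.php", "$root/uploads/shell.php"]);
array_map('rmdir', ["$root/templates", "$root/uploads", $root]);
```

The character allowlist already rules out traversal and extensions; the realpath containment check is the second layer, and it is the one that matters when something inside the template directory is a symlink.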