Plugin icon

Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

nextgen-gallery

Vulnerabilities:

39

Last Updated:

January 21, 2026

Active Installs:

400000

Published
Title
Fixed in
CVSS
Published
2025-12-17
Title
NextGEN Gallery < 4.0.0 - Contributor+ Local File Inclusion via 'template'
Fixed in
Fixed in 4.0.0
CVSS
6.6 (medium)
Published
2025-07-03
Title
Multiple Plugins <= (Various Versions) - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via ThickBox JavaScript Library
Fixed in
Fixed in 3.59.12
CVSS
6.4 (medium)
Published
2025-05-19
Title
Multiple Plugins <= (Various Versions) - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via SimpleLightbox JavaScript Library
Fixed in
Fixed in 3.59.5
CVSS
6.4 (medium)
Published
2025-02-04
Title
NextGEN Gallery < 3.59.9 - Admin+ Stored XSS
Fixed in
Fixed in 3.59.9
CVSS
3.5 (low)
Published
2024-12-03
Title
Multiple Plugins - Contributor+ DOM-Based Stored XSS via FancyBox JavaScript Library
Fixed in
Fixed in 3.59.5
CVSS
5.9 (medium)
Published
2024-11-04
Title
NextGEN Gallery < 3.59.5 - Admin+ Stored XSS
Fixed in
Fixed in 3.59.5
CVSS
3.5 (low)
Published
2024-07-22
Title
NextGEN Gallery < 3.59.4 - Authenticated (Administrator+) Stored Cross-Site Scripting
Fixed in
Fixed in 3.59.4
CVSS
4.4 (medium)
Published
2024-06-22
Title
NextGEN Gallery < 3.59.3 - Admin+ Stored XSS
Fixed in
Fixed in 3.59.3
CVSS
3.5 (low)
Published
2024-04-26
Title
Nextgen Gallery < 3.59.1 - Admin+ Stored XSS
Fixed in
Fixed in 3.59.1
CVSS
3.5 (low)
Published
2024-04-05
Title
WordPress Gallery Plugin – NextGEN Gallery < 3.59.1 - Missing Authorization to Unauthenticated Information Disclosure
Fixed in
Fixed in 3.59.1
CVSS
5.3 (medium)
Published
2023-09-25
Title
NextGEN Gallery < 3.39 - Admin+ Arbitrary File Read and Delete
Fixed in
Fixed in 3.39
CVSS
6.6 (medium)
Published
2023-09-25
Title
NextGEN Gallery < 3.39 - Admin+ PHAR Deserialization
Fixed in
Fixed in 3.39
CVSS
8.0 (high)
Published
2023-09-25
Title
NextGEN Gallery < 3.39 - Admin+ Local File Inclusion
Fixed in
Fixed in 3.39
CVSS
6.8 (medium)
Published
2023-07-18
Title
Freemius SDK < 2.5.10 - Reflected Cross-Site Scripting
Fixed in
Fixed in 3.3.10
CVSS
6.1 (medium)
Published
2023-02-14
Title
NextGEN Gallery < 3.29 - Thumbnail Deletion via CSRF
Fixed in
Fixed in 3.29
CVSS
4.3 (medium)
Published
2021-02-08
Title
NextGen Gallery < 3.5.0 - CSRF allows File Upload, Stored XSS, and RCE
Fixed in
Fixed in 3.5.0
CVSS
9.6 (critical)
Published
2021-02-08
Title
NextGen Gallery < 3.5.0 - CSRF allows File Upload
Fixed in
Fixed in 3.5.0
CVSS
8.8 (high)
Published
2019-08-27
Title
Nextgen Gallery < 3.2.11 - SQL Injection
Fixed in
Fixed in 3.2.11
CVSS
9.8 (critical)
Published
2019-02-26
Title
Freemius Library < 2.2.4 - Subscriber+ Arbitrary Option Update
Fixed in
Fixed in 3.1.7
CVSS
9.9 (critical)
Published
2019-02-05
Title
NextGen Gallery <= 3.1.5 - Authenticated PHP Object Injection
Fixed in
Fixed in 3.1.6
CVSS
8.0 (high)
Published
2018-03-02
Title
NextGEN Gallery < 2.2.50 - Galley Paths Not Secured
Fixed in
Fixed in 2.2.50
CVSS
7.5 (high)
Published
2018-02-14
Title
NextGEN Gallery <= 2.2.44 - Cross-Site Scripting (XSS)
Fixed in
Fixed in 2.2.45
CVSS
4.8 (medium)
Published
2017-02-27
Title
NextGEN Gallery < 2.1.79 - Unauthenticated SQL Injection
Fixed in
Fixed in 2.1.79
CVSS
8.4 (high)
Published
2016-11-15
Title
NextGEN Gallery <= 2.1.56 - Authenticated Local File Inclusion (LFI) & SQLi
Fixed in
Fixed in 2.1.57
CVSS
9.8 (critical)
Published
2015-12-23
Title
NextGEN Gallery < 2.1.15 - Unrestricted File Upload
Fixed in
Fixed in 2.1.15
CVSS
8.8 (high)
Published
2015-10-27
Title
NextGEN Gallery < 2.1.10 - Multiple XSS
Fixed in
Fixed in 2.1.10
CVSS
5.4 (medium)
Published
2015-08-28
Title
NextGEN Gallery < 2.1.9 - Authenticated Path Traversal
Fixed in
Fixed in 2.1.9
CVSS
6.8 (medium)
Published
2015-08-28
Title
NextGen Gallery < 2.1.15 - Path Traversal
Fixed in
Fixed in 2.1.15
CVSS
6.5 (medium)
Published
2015-03-25
Title
NextGEN Gallery < 2.0.77.3 - CSRF & Arbitrary File Upload
Fixed in
Fixed in 2.0.77.3
CVSS
8.2 (high)
Published
2015-02-08
Title
NextGEN Gallery 1.9.11 - Full Path Disclosure
Fixed in
Fixed in 2.0.0
CVSS
7.5 (high)
Published
2015-02-08
Title
NextGEN Gallery 1.9.5 - gallerypath Parameter Stored XSS
Fixed in
Fixed in 2.0.0
CVSS
n/a
Published
2014-08-01
Title
NextGEN Gallery <= 1.7.3 - xml/ajax.php Path Disclosure
Fixed in
Fixed in 1.7.4
CVSS
n/a
Published
2014-08-01
Title
NextGEN Gallery <= 1.9.0 - Multiple Cross-Site Scripting (XSS)
Fixed in
Fixed in 1.9.1
CVSS
n/a
Published
2014-08-01
Title
NextGEN Gallery 2.0.0 - Directory Traversal
Fixed in
Fixed in 2.0.7
CVSS
n/a
Published
2014-08-01
Title
NextGEN Gallery 1.9.12 - Arbitrary File Upload
Fixed in
Fixed in 1.9.13
CVSS
9.8 (critical)
Published
2014-08-01
Title
NextGEN Gallery <= 1.8.3 - XXS & CSRF
Fixed in
Fixed in 1.8.4
CVSS
n/a
Published
2014-08-01
Title
NextGEN Gallery - swfupload.swf Cross-Site Scripting (XSS)
Fixed in
Fixed in 1.9.8
CVSS
n/a
Published
2014-08-01
Title
NextGEN Gallery <= 1.5.1 - Cross-Site Scripting (XSS)
Fixed in
Fixed in 1.5.2
CVSS
n/a
Published
2014-05-20
Title
NextGEN Gallery < 2.0.66 - Arbitrary File Upload
Fixed in
Fixed in 2.0.66
CVSS
n/a