NextGEN Gallery < 4.0.0 – Contributor+ Local File Inclusion via 'template' | CVE 2025-13641 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Local File Inclusion via the 'template' shortcode parameter. This is due to insufficient path validation that allows absolute paths to be provided. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary PHP files on the server, bypassing web server restrictions like .htaccess. Successful exploitation could lead to information disclosure, code execution in the WordPress context, and potential remote code execution if combined with arbitrary file upload capabilities.

Affects Plugins

nextgen-gallery

Fixed in 4.0.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/0a01e1c9-67f4-4cc1-b58b-9cc141889d66

Classification

Type

LFI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Athiwat Tiprasaharn (Jitlada)

Verified

No

WPVDB ID

ea881560-378a-408e-a1af-e7a0d78f96a6

Timeline

Publicly Published

2025-12-17 (about 4 months ago)

Added

2025-12-18 (about 4 months ago)

Last Updated

2025-12-18 (about 4 months ago)

Other

Published

Title

Published

2025-02-28

Title

Database Backup and check Tables Automated With Scheduler 2024 < 2.37 - Authenticated (Administrator+) Arbitrary File Deletion

Published

2025-10-24

Title

Creta Testimonial Showcase < 1.2.4 - Editor+ Local File Inclusion

Published

2014-08-01

Title

BookX 1.7 - includes/bookx_export.php file Parameter Remote Path Traversal File Access

Published

2014-08-01

Title

WP Custom Pages 0.5.0.1 - LFI

Published

2025-08-14

Title

Barcode Scanner with Inventory & Order Manager < 1.9.1 - Authenticated (Admin+) Arbitrary File Download