CVE-2026-1463:
Local File Inclusion vulnerability in NextGEN Gallery WordPress plugin allows authenticated attackers to execute arbitrary PHP code.
Score
A numerical rating that indicates how dangerous this vulnerability is.
8.8High- Published Date:Mar 18, 2026
- CISA KEV Date:*No Data*
- Industries Affected:20
Exploitability
- Score:2.8
- Attack Vector:NETWORK
- Attack Complexity:LOW
- Privileges Required:LOW
- User Interaction:NONE
- Scope:UNCHANGED
Impact
- Score:5.9
- Confidentiality Impact:HIGH
- Integrity Impact:HIGH
- Availability Impact:HIGH
Description Preview
Local File Inclusion vulnerability in NextGEN Gallery WordPress plugin allows authenticated attackers to execute arbitrary PHP code.
Overview
The vulnerability affects the NextGEN Gallery WordPress plugin, a popular tool for managing and displaying image galleries. The issue stems from improper input validation in the 'template' parameter of gallery shortcodes. Authenticated users with Author-level privileges or higher can exploit this vulnerability to include and execute arbitrary PHP files on the server. This can potentially lead to unauthorized access to sensitive information, manipulation of server-side data, or even full server compromise if the attacker can upload and include malicious PHP files. The vulnerability has been assigned a CVSS v3.1 base score of 8.8, indicating a high severity level. The attack vector is network-based, requires low attack complexity, and does not need user interaction, making it relatively easy to exploit for authenticated users.
Remediation
- To mitigate this vulnerability, website administrators should take the following actions:
- 1. Update the NextGEN Gallery plugin to the latest version immediately. The vulnerability has been fixed in versions after 4.0.3.
- 2. Implement the principle of least privilege by reviewing and restricting user roles and permissions, especially for content creation and management.
- 3. Regularly audit and monitor file inclusion activities and PHP file executions on the server.
- 4. Implement strong input validation and sanitization for all user-supplied data, especially in shortcode parameters.
- 5. Consider using Web Application Firewalls (WAF) or security plugins that can detect and prevent Local File Inclusion attempts.
- 6. Regularly backup your WordPress installation and keep all plugins, themes, and core WordPress files up to date.
- 7. If unable to update immediately, consider temporarily disabling the NextGEN Gallery plugin until an update can be applied.
References
- [1] WordPress.org. "NextGEN Gallery Plugin Source Code (Version 4.0.3)." plugins.trac.wordpress.org. https://plugins.trac.wordpress.org/browser/nextgen-gallery/tags/4.0.3/src/DisplayType/Controller.php#L369
- [2] WordPress.org. "NextGEN Gallery Plugin LegacyTemplateLocator Source Code (Version 4.0.3)." plugins.trac.wordpress.org. https://plugins.trac.wordpress.org/browser/nextgen-gallery/tags/4.0.3/src/DisplayType/LegacyTemplateLocator.php#L140
- [3] WordPress.org. "NextGEN Gallery Plugin Changeset 3460327." plugins.trac.wordpress.org. https://plugins.trac.wordpress.org/changeset/3460327/nextgen-gallery/trunk/src/DisplayType/LegacyTemplateLocator.php?old=3423202&old_path=nextgen-gallery%2Ftrunk%2Fsrc%2FDisplayType%2FLegacyTemplateLocator.php
- [4] Wordfence. "NextGEN Gallery - Local File Inclusion." wordfence.com. https://www.wordfence.com/threat-intel/vulnerabilities/id/2d7bc556-cdaf-42a7-8801-ad2e4945a137?source=cve
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.
