Does NextGEN Download Gallery have any unpatched vulnerabilities?

Yes — NextGEN Download Gallery currently has 1 unpatched vulnerability. We recommend switching to an alternative or applying any available workarounds.

Is NextGEN Download Gallery compatible with WordPress 6.5.8?

According to WordPress.org data, NextGEN Download Gallery 1.6.2 has been tested up to WordPress 6.5.8. Check the plugin's changelog for the latest compatibility information.

Is NextGEN Download Gallery compatible with PHP 5.6+?

NextGEN Download Gallery requires PHP 5.6 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is NextGEN Download Gallery updated?

NextGEN Download Gallery was last updated on Mar 17, 2024. Frequent updates are generally a positive security signal.

What is NextGEN Download Gallery's security score?

NextGEN Download Gallery has a WP-Safety security score of 63/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

NextGEN Download Gallery Security & Risk Analysis

wordpress.org/plugins/nextgen-download-gallery

Add a template to NextGEN Gallery that provides multiple-file downloads for trade/media galleries

2K active installs v1.6.2 PHP 5.6+ WP 4.0+ Updated Mar 17, 2024

downloadgallerynextgen

C · Use Caution

CVEs total1

Unpatched1

Last CVEJan 8, 2026

Plugin page Download

Safety Verdict

Is NextGEN Download Gallery Safe to Use in 2026?

Use With Caution

Score 63/100

NextGEN Download Gallery has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE 1 unpatched Last CVE: Jan 8, 2026Updated 2yr ago

Risk Assessment

The plugin "nextgen-download-gallery" v1.6.2 exhibits a mixed security posture. While it demonstrates good practices such as 100% use of prepared statements for SQL queries and a significant percentage of properly escaped output, several critical security concerns are present. The analysis reveals a notable attack surface with two AJAX handlers, both lacking authentication checks, which could allow unauthorized users to trigger potentially sensitive actions. Furthermore, the absence of nonce checks on these AJAX endpoints exacerbates the risk, making cross-site request forgery (CSRF) attacks feasible. The vulnerability history is particularly concerning, with one known medium-severity CVE for Exposure of Sensitive Information to an Unauthorized Actor that remains unpatched. This historical pattern of sensitive information exposure, coupled with the current lack of authentication on AJAX endpoints, suggests a recurring theme of inadequate protection of sensitive data and functionality within the plugin.

Key Concerns

Unpatched CVE: Medium severity
Unprotected AJAX handlers
Missing nonce checks on AJAX
Inconsistent output escaping

Vulnerabilities

NextGEN Download Gallery Security Vulnerabilities

CVEs by Year

1 CVE in 2026 · unpatched

2026

Patched Has unpatched

Severity Breakdown

Medium

1 total CVE

CVE-2026-0675medium · 5.3Exposure of Sensitive Information to an Unauthorized Actor

NextGEN Download Gallery <= 1.6.2 - Unauthenticated Information Exposure

Jan 8, 2026Unpatched

Code Analysis

Analyzed Mar 16, 2026

NextGEN Download Gallery Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

27 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Output Escaping

63% escaped43 total outputs

Attack Surface

2 unprotected

NextGEN Download Gallery Attack Surface

Entry Points3

Unprotected2

AJAX Handlers 2

authwp_ajax_ngg-download-gallery-zipincludes\class.NextGENDownloadGallery.php:45

noprivwp_ajax_ngg-download-gallery-zipincludes\class.NextGENDownloadGallery.php:46

Shortcodes 1

[nggtags_ext] includes\class.NextGENDownloadGallery.php:42

WordPress Hooks 14

actionplugins_loadedincludes\bootstrap.php:10

actioninitincludes\class.NextGENDownloadGallery.php:34

actionwp_enqueue_scriptsincludes\class.NextGENDownloadGallery.php:35

actionadmin_initincludes\class.NextGENDownloadGallery.php:37

actionadmin_menuincludes\class.NextGENDownloadGallery.php:38

filterplugin_row_metaincludes\class.NextGENDownloadGallery.php:39

actionadmin_post_ngg-download-gallery-zipincludes\class.NextGENDownloadGallery.php:51

actionadmin_post_nopriv_ngg-download-gallery-zipincludes\class.NextGENDownloadGallery.php:52

filterngg_render_templateincludes\class.NextGENDownloadGallery.php:55

filterquery_varsincludes\class.NextGENDownloadGallery.php:59

filterngg_gallery_objectincludes\class.NextGENDownloadGallery.php:62

filterngg_legacy_template_directoriesincludes\class.NextGENDownloadGallery.php:65

filterngg_gallery_objectincludes\class.NextGENDownloadGallery.php:140

actionadmin_noticesnextgen-download-gallery.php:51

Maintenance & Trust

NextGEN Download Gallery Maintenance & Trust

Maintenance Signals

WordPress version tested6.5.8

Last updatedMar 17, 2024

PHP min version5.6

Downloads103K

Community Trust

Rating100/100

Number of ratings11

Active installs2K

Alternatives

NextGEN Download Gallery Alternatives

NextGEN Gallery Optimizer

nextgen-gallery-optimizer

The essential add-on for the NextGEN Gallery WordPress plugin.

2K No CVEs

NextGEN Custom Fields

nextgen-gallery-custom-fields

Creates the ability to quickly and easily add custom fields to NextGEN Galleries and Images.

1K No CVEs

NextGEN Scroll Gallery

nextgen-scrollgallery

Awesome free JavaScript gallery. BMo-Design's Mootools Javascript ScrollGallery as a Plugin for the Wordpress NextGEN Gallery.

1K No CVEs

Advanced Custom Fields: NextGEN Gallery Field add-on

advanced-custom-fields-nextgen-gallery-field-add-on

Adds a NextGEN Gallery Field to Advanced Custom Fields. Select one or more NextGEN Galleries and assign them to the post.

500 No CVEs

Import to Photo Gallery from NextGen gallery

import-to-photo-gallery-from-nextgen-gallery

Import to Photo Gallery from NextGen gallery is an easy setup addon for importing photos and related data from NextGen Gallery to Photo Gallery.

500 No CVEs

Developer Profile

NextGEN Download Gallery Developer Profile

webaware

13 plugins · 153K total installs

trust score

Avg Security Score

97/100

Avg Patch Time

1595 days

View full developer profile

Detection Fingerprints

How We Detect NextGEN Download Gallery

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/nextgen-download-gallery/static/css/style.css/wp-content/plugins/nextgen-download-gallery/static/js/download-form.js

Script Paths

static/js/download-form.js

Version Parameters

nextgen-download-gallery/static/css/style.css?ver=nextgen-download-gallery/static/js/download-form.js?ver=

HTML / DOM Fingerprints

CSS Classes

ngg-download-gallery-gallery

Data Attributes

data-ngg-download-gallery

JS Globals

ngg_dlgallery

Shortcode Output

[nggtags_ext]

FAQ