Does Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery have any unpatched vulnerabilities?

No. All known vulnerabilities in Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery compatible with WordPress 6.9.4?

According to WordPress.org data, Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery 4.1.1 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

Is Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery compatible with PHP 7.0+?

Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery requires PHP 7.0 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery Security & Risk Analysis

wordpress.org/plugins/nextgen-gallery

The most popular gallery plugin that lets you create galleries and albums in seconds.

400K active installs v4.1.1 PHP 7.0+ WP 5.5.4+ Updated Mar 13, 2026

galleryimage-galleryphoto-galleryslideshowwordpress-gallery-plugin

B · Generally Safe

CVEs total37

Unpatched0

Last CVEDec 17, 2025

Plugin page Download

Safety Verdict

Is Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery Safe to Use in 2026?

Mostly Safe

Score 76/100

Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery is generally safe to use. 37 past CVEs were resolved. Keep it updated.

37 known CVEsLast CVE: Dec 17, 2025Updated 20d ago

Risk Assessment

The NextGen Gallery plugin version 4.1.1 presents a mixed security posture. While the static analysis shows a good adherence to secure coding practices, with a high percentage of properly escaped outputs and SQL queries using prepared statements, and no critical or high severity taint flows identified, there are still significant concerns. The presence of two unprotected REST API routes creates potential entry points for unauthorized actions or information disclosure, and the historical vulnerability data is alarming. The plugin has a substantial history of 37 known CVEs, including critical and high severity vulnerabilities across various categories such as remote file inclusion, XSS, path traversal, and SQL injection. Although there are currently no unpatched vulnerabilities, this extensive history suggests a recurring pattern of security weaknesses that require diligent oversight and prompt patching by users. The last reported vulnerability in December 2025 indicates that the development team has addressed past issues, but the sheer volume of historical vulnerabilities warrants caution. Overall, while recent code appears to follow best practices, the plugin's past necessitates a careful approach, especially regarding the unprotected entry points.

Key Concerns

2 unprotected REST API routes
Significant vulnerability history (37 CVEs)
Bundled outdated library: Select2 v4.0.13
Bundled outdated library: TinyMCE v0.1

Vulnerabilities

Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery Security Vulnerabilities

CVEs by Year

1 CVE in 2008

2008

1 CVE in 2010

2010

2 CVEs in 2013

2013

2 CVEs in 2014

2014

7 CVEs in 2015

2015

2 CVEs in 2016

2016

1 CVE in 2017

2017

2 CVEs in 2018

2018

3 CVEs in 2019

2019

2 CVEs in 2020

2020

5 CVEs in 2023

2023

5 CVEs in 2024

2024

4 CVEs in 2025

2025

Patched Has unpatched

Severity Breakdown

Critical

High

Medium

37 total CVEs

CVE-2025-13641high · 8.8Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery <= 3.59.12 - Authenticated (Contributor+) Local File Inclusion via 'template'

Dec 17, 2025 Patched in 4.0.0 (2d)

CVE-2025-2537medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Multiple Plugins <= (Various Versions) - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via ThickBox JavaScript Library

Jul 3, 2025 Patched in 3.59.12 (47d)

CVE-2024-5878medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Multiple Plugins <= (Various Versions) - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via SimpleLightbox JavaScript Library

May 19, 2025 Patched in 3.59.5 (1d)

CVE-2024-10545medium · 4.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery <= 3.59.8 - Authenticated (Admin+) Stored Cross-Site Scripting

Feb 4, 2025 Patched in 3.59.9 (28d)

CVE-2024-6393medium · 4.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

NextGEN Gallery <= 3.39.4 - Authenticated (Administrator+) Stored Cross-Site Scripting

Nov 4, 2024 Patched in 3.39.5 (12d)

CVE-2024-39627medium · 4.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

NextGEN Gallery <= 3.59.3 - Authenticated (Administrator+) Stored Cross-Site Scripting

Jul 22, 2024 Patched in 3.59.4 (11d)

CVE-2024-5442medium · 4.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery <= 3.59.2 - Authenticated (Admin+) Stored Cross-Site Scripting via Gallery

Jun 22, 2024 Patched in 3.59.3 (49d)

CVE-2024-2744medium · 4.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Nextgen Gallery <= 3.59 - Authenticated (Administrator+) Stored Cross-Site Scripting

Apr 26, 2024 Patched in 3.59.1 (11d)

CVE-2024-3097medium · 5.3Missing Authorization

WordPress Gallery Plugin – NextGEN Gallery <= 3.59 - Missing Authorization to Unauthenticated Information Disclosure

Apr 5, 2024 Patched in 3.59.1 (4d)

CVE-2023-48328medium · 4.3Cross-Site Request Forgery (CSRF)

NextGEN Gallery <= 3.37 - Cross-Site Request Forgery

Nov 23, 2023 Patched in 3.39 (61d)

CVE-2023-3279medium · 4.9Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

WordPress Gallery Plugin – NextGEN Gallery <= 3.38 - Authenticated (Admin+) Local File Inclusion

Sep 25, 2023 Patched in 3.39 (120d)

CVE-2023-3155medium · 6.5Files or Directories Accessible to External Parties

NextGEN Gallery <= 3.37 - Authenticated (Admininistrator+) Arbitrary File Read and Deletion in gallery_edit

Sep 25, 2023 Patched in 3.39 (120d)

CVE-2023-3154high · 7.2Deserialization of Untrusted Data

WordPress Gallery Plugin – NextGEN Gallery <= 3.38 - Authenticated (Admin+) PHAR Deserialization

Sep 25, 2023 Patched in 3.39 (120d)

CVE-2022-38468medium · 4.3Cross-Site Request Forgery (CSRF)

NextGEN Gallery <= 3.28 - Cross-Site Request Forgery leading to Post Thumbnail Change

Feb 14, 2023 Patched in 3.29 (343d)

CVE-2020-35942high · 8.8Cross-Site Request Forgery (CSRF)

WordPress Gallery Plugin – NextGEN Gallery <= 3.4.7 - Cross-Site Request Forgery

Dec 17, 2020 Patched in 3.5.0 (1132d)

CVE-2020-35943high · 8.8Cross-Site Request Forgery (CSRF)

WordPress Gallery Plugin – NextGEN Gallery <= 3.4.7 - Cross-Site Request Forgery to Arbitrary File Upload

Dec 17, 2020 Patched in 3.5.0 (1132d)

CVE-2019-14314critical · 9.8Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

NextGEN Gallery <= 3.2.10 - SQL Injection

Aug 27, 2019 Patched in 3.2.11 (1610d)

WF-3fda31fa-efc9-44b9-99ba-9e3e23aa2ee0-nextgen-galleryhigh · 8.8Missing Authorization

Freemius SDK <= 2.2.3 - Missing Authorization to Arbitrary Options Update

Feb 25, 2019 Patched in 3.1.7 (1793d)

WF-a67eb1fc-4762-4bdc-b0a0-c043c36659d0-nextgen-galleryhigh · 8.8Deserialization of Untrusted Data

NextGen Gallery <= 3.1.5 - PHP Object Injection

Feb 4, 2019 Patched in 3.1.6 (1814d)

CVE-2018-7586high · 7.5Exposure of Sensitive Information to an Unauthorized Actor

WordPress Gallery Plugin – NextGEN Gallery <= 2.2.46 - Sensitive Information Disclosure

Mar 2, 2018 Patched in 2.2.50 (2153d)

CVE-2018-1000172medium · 4.8Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

NextGEN Gallery <= 2.2.44 - Cross-Site Scripting via image alt and title text

Feb 14, 2018 Patched in 2.2.45 (2169d)

WF-78fedd41-f0ab-4148-a798-88de62f27008-nextgen-galleryhigh · 8.3Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

NextGen Gallery <= 2.1.77 - SQL Injection

Feb 17, 2017 Patched in 2.1.79 (2531d)

CVE-2016-10889critical · 9.8Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

NextGEN Gallery <= 2.1.56 - Authenticated Local File Inclusion & SQL injection

Nov 15, 2016 Patched in 2.1.57 (2625d)

CVE-2016-6565high · 7.5Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NextGen Gallery <= 2.1.56 - Remote File Inclusion

Nov 15, 2016 Patched in 2.1.57 (2625d)

CVE-2015-9228high · 8.8Unrestricted Upload of File with Dangerous Type

NextGen Gallery <= 2.1.10 - Unrestricted File Upload

Dec 23, 2015 Patched in 2.1.15 (2953d)

CVE-2015-9229medium · 5.5Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WordPress Gallery Plugin – NextGEN Gallery <= 2.1.15 - Authenticated (Admin+) Cross-Site Scripting

Sep 14, 2015 Patched in 2.1.23 (3053d)

CVE-2015-9537medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

NextGen Gallery <= 2.1.9 - Cross-Site Scripting

Aug 31, 2015 Patched in 2.1.10 (3067d)

CVE-2015-9538medium · 6.5Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NextGen Gallery <= 2.1.10 - Local File Inclusion

Aug 28, 2015 Patched in 2.1.15 (3070d)

WF-50589b41-cc2b-4ffa-ab63-509fb9d61be2-nextgen-gallerymedium · 6.5Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

NextGen Gallery <= 2.1.7 - Path Traversal

Aug 28, 2015 Patched in 2.1.9 (3070d)

CVE-2015-1784high · 8.8Cross-Site Request Forgery (CSRF)

WordPress Gallery Plugin – NextGEN Gallery < 2.0.77.3 - Cross-Site Request Forgery

Mar 25, 2015 Patched in 2.0.77.3 (3226d)

CVE-2015-1785high · 8.8Unrestricted Upload of File with Dangerous Type

WordPress Gallery Plugin – NextGEN Gallery < 2.0.77.3 - Arbitrary File Upload

Mar 25, 2015 Patched in 2.0.77.3 (3226d)

WF-47fb0513-bebe-4e09-9402-d7e174ee92ce-nextgen-galleryhigh · 8.8Unrestricted Upload of File with Dangerous Type

NextGen Gallery <= 2.0.65 - Arbitrary File Upload

May 20, 2014 Patched in 2.0.66 (3535d)

WF-cb855743-1d08-4e21-a23c-a4ffba615f57-nextgen-galleryhigh · 7.5Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

NextGen Gallery <= 2.0 - Path Traversal

Feb 18, 2014 Patched in 2.0.7 (3626d)

CVE-2013-3684critical · 9.8Unrestricted Upload of File with Dangerous Type

WordPress Gallery Plugin – NextGEN Gallery <= 1.9.12 - Arbitrary File Upload

Jun 13, 2013 Patched in 1.9.13 (3876d)

CVE-2013-0291high · 7.5Exposure of Sensitive Information to an Unauthorized Actor

WordPress Gallery Plugin – NextGEN Gallery 1.9.10 - 1.9.11 - Full Path Disclosure

Feb 14, 2013 Patched in 2.0.0 (3995d)

CVE-2010-1186medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WordPress Gallery Plugin – NextGEN Gallery <= 1.5.1 - Cross-Site Scripting

Apr 6, 2010 Patched in 1.5.2 (5040d)

CVE-2008-7175medium · 4.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

NextGEN Gallery Plugin <= 1.9.0 - Authenticated (Admin+) Stored Cross-Site Scripting

Jun 7, 2008 Patched in 1.9.1 (5844d)

Code Analysis

Analyzed Mar 16, 2026

Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery Code Analysis

Dangerous Functions

Raw SQL Queries

107 prepared

Unescaped Output

158

2781 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Select24.0.13TinyMCE0.1

SQL Query Safety

80% prepared134 total queries

Output Escaping

95% escaped2939 total outputs

Data Flows

4 unsanitized

Data Flow Analysis

17 flows4 with unsanitized paths

<Manager> (src\DataStorage\Manager.php:0)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

2 unprotected

Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery Attack Surface

Entry Points77

Unprotected2

AJAX Handlers 12

authwp_ajax_nextgen_install_am_pluginsrc\Admin\About.php:75

authwp_ajax_nextgen_deactivate_am_pluginsrc\Admin\About.php:76

authwp_ajax_nextgen_activate_am_pluginsrc\Admin\About.php:77

authwp_ajax_nextgen_notification_dismisssrc\Admin\AMNotifications.php:53

authwp_ajax_ngg_hide_admin_menu_tooltipsrc\Admin\MenuNudge.php:45

authwp_ajax_save_onboarding_datasrc\Admin\Onboarding_Wizard.php:61

authwp_ajax_install_recommended_pluginssrc\Admin\Onboarding_Wizard.php:62

authwp_ajax_save_selected_addonssrc\Admin\Onboarding_Wizard.php:63

authwp_ajax_ngg_plugin_verify_license_keysrc\Admin\Onboarding_Wizard.php:65

authwp_ajax_ngg_ajax_operationsrc\Legacy\admin\ajax.php:2

authwp_ajax_createNewThumbsrc\Legacy\admin\ajax.php:100

authwp_ajax_rotateImagesrc\Legacy\admin\ajax.php:153

REST API Routes 65

POST/wp-json/imagely/v1/convert-gallery/singlesrc\REST\ConvertGallery\ConvertGalleryREST.php:36

POST/wp-json/imagely/v1/convert-gallery/bulk-startsrc\REST\ConvertGallery\ConvertGalleryREST.php:85

POST/wp-json/imagely/v1/convert-gallery/bulk-processsrc\REST\ConvertGallery\ConvertGalleryREST.php:103

GET/wp-json/imagely/v1/convert-gallery/post-typessrc\REST\ConvertGallery\ConvertGalleryREST.php:121

GET/wp-json/imagely/v1/addonssrc\REST\DataMappers\AddonsREST.php:39

PUT/wp-json/imagely/v1/addons/(?P<addon_id>[a-z_-]+)/statussrc\REST\DataMappers\AddonsREST.php:50

GET/wp-json/imagely/v1/albumssrc\REST\DataMappers\AlbumREST.php:58

GET/wp-json/imagely/v1/albums/(?P<id>\d+)src\REST\DataMappers\AlbumREST.php:105

POST/wp-json/imagely/v1/albumssrc\REST\DataMappers\AlbumREST.php:124

PUT/wp-json/imagely/v1/albums/(?P<id>\d+)src\REST\DataMappers\AlbumREST.php:176

DELETE/wp-json/imagely/v1/albums/(?P<id>\d+)src\REST\DataMappers\AlbumREST.php:234

GET/wp-json/imagely/v1/display-typessrc\REST\DataMappers\DisplayTypeREST.php:29

GET/wp-json/imagely/v1/display-types/(?P<name>[a-zA-Z0-9-_]+)src\REST\DataMappers\DisplayTypeREST.php:40

PUT/wp-json/imagely/v1/display-types/(?P<name>[a-zA-Z0-9-_]+)src\REST\DataMappers\DisplayTypeREST.php:59

POST/wp-json/imagely/v1/display-types/(?P<name>[a-zA-Z0-9-_]+)/resetsrc\REST\DataMappers\DisplayTypeREST.php:84

GET/wp-json/imagely/v1/galleriessrc\REST\DataMappers\GalleryREST.php:42

GET/wp-json/imagely/v1/galleries/(?P<id>\d+)src\REST\DataMappers\GalleryREST.php:100

POST/wp-json/imagely/v1/galleries/batchsrc\REST\DataMappers\GalleryREST.php:118

POST/wp-json/imagely/v1/galleriessrc\REST\DataMappers\GalleryREST.php:144

PUT/wp-json/imagely/v1/galleries/(?P<id>\d+)src\REST\DataMappers\GalleryREST.php:170

DELETE/wp-json/imagely/v1/galleries/(?P<id>\d+)src\REST\DataMappers\GalleryREST.php:253

POST/wp-json/imagely/v1/galleries/(?P<id>\d+)/scan-foldersrc\REST\DataMappers\GalleryREST.php:271

POST/wp-json/imagely/v1/images/(?P<id>\d+)/crop-thumbnailsrc\REST\DataMappers\ImageOperationsREST.php:47

POST/wp-json/imagely/v1/images/(?P<id>\d+)/rotatesrc\REST\DataMappers\ImageOperationsREST.php:90

POST/wp-json/imagely/v1/images/(?P<id>\d+)/create-thumbnailsrc\REST\DataMappers\ImageOperationsREST.php:113

POST/wp-json/imagely/v1/images/(?P<id>\d+)/resizesrc\REST\DataMappers\ImageOperationsREST.php:148

POST/wp-json/imagely/v1/images/(?P<id>\d+)/set-watermarksrc\REST\DataMappers\ImageOperationsREST.php:166

POST/wp-json/imagely/v1/images/(?P<id>\d+)/recoversrc\REST\DataMappers\ImageOperationsREST.php:184

POST/wp-json/imagely/v1/images/(?P<id>\d+)/import-metadatasrc\REST\DataMappers\ImageOperationsREST.php:202

POST/wp-json/imagely/v1/images/(?P<id>\d+)/strip-orientationsrc\REST\DataMappers\ImageOperationsREST.php:220

POST/wp-json/imagely/v1/images/bulk-resizesrc\REST\DataMappers\ImageOperationsREST.php:238

POST/wp-json/imagely/v1/images/bulk-import-metadatasrc\REST\DataMappers\ImageOperationsREST.php:271

POST/wp-json/imagely/v1/images/bulk-copysrc\REST\DataMappers\ImageOperationsREST.php:292

POST/wp-json/imagely/v1/images/bulk-movesrc\REST\DataMappers\ImageOperationsREST.php:320

POST/wp-json/imagely/v1/images/(?P<id>\d+)/cropsrc\REST\DataMappers\ImageOperationsREST.php:348

POST/wp-json/imagely/v1/images/bulk-add-tagssrc\REST\DataMappers\ImageOperationsREST.php:391

POST/wp-json/imagely/v1/images/bulk-remove-tagssrc\REST\DataMappers\ImageOperationsREST.php:425

GET/wp-json/imagely/v1/imagessrc\REST\DataMappers\ImageREST.php:29

GET/wp-json/imagely/v1/images/(?P<id>\d+)src\REST\DataMappers\ImageREST.php:75

PUT/wp-json/imagely/v1/images/(?P<id>\d+)src\REST\DataMappers\ImageREST.php:93

DELETE/wp-json/imagely/v1/images/(?P<id>\d+)src\REST\DataMappers\ImageREST.php:143

PUT/wp-json/imagely/v1/images/bulksrc\REST\DataMappers\ImageREST.php:161

POST/wp-json/imagely/v1/images/import-media-librarysrc\REST\DataMappers\ImageREST.php:209

POST/wp-json/imagely/v1/images/uploadsrc\REST\DataMappers\ImageREST.php:237

GET/wp-json/imagely/v1/folders/browsesrc\REST\DataMappers\ImageREST.php:260

POST/wp-json/imagely/v1/folders/importsrc\REST\DataMappers\ImageREST.php:278

POST/wp-json/imagely/v1/license/activatesrc\REST\DataMappers\LicenseREST.php:12

GET/wp-json/imagely/v1/notificationssrc\REST\DataMappers\NotificationsREST.php:23

POST/wp-json/imagely/v1/notifications/dismisssrc\REST\DataMappers\NotificationsREST.php:33

GET/wp-json/imagely/v1/plugins/statussrc\REST\DataMappers\PluginManagementREST.php:10

POST/wp-json/imagely/v1/plugins/installsrc\REST\DataMappers\PluginManagementREST.php:20

POST/wp-json/imagely/v1/plugins/activatesrc\REST\DataMappers\PluginManagementREST.php:40

POST/wp-json/imagely/v1/plugins/deactivatesrc\REST\DataMappers\PluginManagementREST.php:56

GET/wp-json/imagely/v1/settingssrc\REST\DataMappers\SettingsREST.php:32

GET/wp-json/imagely/v1/settings/globalsrc\REST\DataMappers\SettingsREST.php:50

POST/wp-json/imagely/v1/settings/watermark-previewsrc\REST\DataMappers\SettingsREST.php:68

POST/wp-json/imagely/v1/settings/resetsrc\REST\DataMappers\SettingsREST.php:89

POST/wp-json/imagely/v1/cache/clearsrc\REST\DataMappers\SettingsREST.php:120

POST/wp-json/imagely/v1/thumbnails/regeneratesrc\REST\DataMappers\SettingsREST.php:131

GET/wp-json/imagely/v1/system-infosrc\REST\DataMappers\SettingsREST.php:142

GET/wp-json/imagely/v1/tagssrc\REST\DataMappers\TagREST.php:23

GET/wp-json/imagely/v1/tags/(?P<identifier>[\w-]+)src\REST\DataMappers\TagREST.php:34

POST/wp-json/imagely/v1/tagssrc\REST\DataMappers\TagREST.php:51

PUT/wp-json/imagely/v1/tags/(?P<identifier>[\w-]+)src\REST\DataMappers\TagREST.php:77

DELETE/wp-json/imagely/v1/tags/(?P<identifier>[\w-]+)src\REST\DataMappers\TagREST.php:106

WordPress Hooks 176

actionadmin_initnggallery.php:867

filterpre_update_option_ngg_optionsnggallery.php:870

filterpre_update_site_option_ngg_optionsnggallery.php:871

filtercron_schedulesnggallery.php:876

actionngg_delete_expired_transientsnggallery.php:877

actionwpnggallery.php:878

actioninitnggallery.php:882

actioninitnggallery.php:883

actionshutdownnggallery.php:886

actionall_admin_noticesnggallery.php:889

actionadmin_initnggallery.php:892

actionall_admin_noticesnggallery.php:893

filterposts_orderbynggallery.php:896

filterinitnggallery.php:897

actionrest_api_initnggallery.php:899

actionwidgets_initnggallery.php:902

actionwp_enqueue_scriptsnggallery.php:911

actionngg_delete_imagenggallery.php:913

filterxmlrpc_methodsnggallery.php:920

actioninitnggallery.php:924

actioninitnggallery.php:953

actioninitnggallery.php:962

filterthe_contentnggallery.php:972

filterngg_allowed_file_typesnggallery.php:1287

filterngg_allowed_mime_typesnggallery.php:1293

actionngg_routesproducts\photocrati_nextgen\modules\ajax\module.ajax.php:41

actioninitproducts\photocrati_nextgen\modules\ajax\module.ajax.php:42

actionpre_get_postsproducts\photocrati_nextgen\modules\datamapper\package.module.datamapper.php:1662

actioninitproducts\photocrati_nextgen\modules\displaytype_admin\module.displaytype_admin.php:69

actionadmin_enqueue_scriptsproducts\photocrati_nextgen\modules\marketing\module.marketing.php:102

actionadmin_enqueue_scriptsproducts\photocrati_nextgen\modules\marketing\module.marketing.php:103

actionin_admin_headerproducts\photocrati_nextgen\modules\marketing\module.marketing.php:105

filteradmin_footer_textproducts\photocrati_nextgen\modules\marketing\module.marketing.php:106

actionin_admin_footerproducts\photocrati_nextgen\modules\marketing\module.marketing.php:107

actionadmin_footerproducts\photocrati_nextgen\modules\marketing\module.marketing.php:108

actionadmin_menuproducts\photocrati_nextgen\modules\marketing\module.marketing.php:109

actionadmin_headproducts\photocrati_nextgen\modules\marketing\module.marketing.php:110

actionadmin_footerproducts\photocrati_nextgen\modules\marketing\module.marketing.php:111

actionngg_manage_albums_marketing_blockproducts\photocrati_nextgen\modules\marketing\module.marketing.php:116

actionngg_manage_galleries_marketing_blockproducts\photocrati_nextgen\modules\marketing\module.marketing.php:125

actionngg_manage_images_marketing_blockproducts\photocrati_nextgen\modules\marketing\module.marketing.php:134

actionngg_sort_images_marketing_blockproducts\photocrati_nextgen\modules\marketing\module.marketing.php:143

actionngg_manage_galleries_above_tableproducts\photocrati_nextgen\modules\marketing\module.marketing.php:152

actionadmin_initproducts\photocrati_nextgen\modules\marketing\module.marketing.php:162

actioninitproducts\photocrati_nextgen\modules\marketing\module.marketing.php:194

actionadmin_initproducts\photocrati_nextgen\modules\nextgen_addgallery_page\module.nextgen_addgallery_page.php:94

actionadmin_initproducts\photocrati_nextgen\modules\nextgen_addgallery_page\module.nextgen_addgallery_page.php:95

actioninitproducts\photocrati_nextgen\modules\nextgen_admin\module.nextgen_admin.php:143

actionelementor/editor/before_enqueue_scriptsproducts\photocrati_nextgen\modules\nextgen_admin\module.nextgen_admin.php:147

filterngg_admin_style_handlesproducts\photocrati_nextgen\modules\nextgen_admin\module.nextgen_admin.php:150

filterngg_admin_script_handlesproducts\photocrati_nextgen\modules\nextgen_admin\module.nextgen_admin.php:151

actionadmin_enqueue_scriptsproducts\photocrati_nextgen\modules\nextgen_admin\module.nextgen_admin.php:152

actionadmin_footer_print_scriptsproducts\photocrati_nextgen\modules\nextgen_admin\module.nextgen_admin.php:153

actionadmin_menuproducts\photocrati_nextgen\modules\nextgen_admin\module.nextgen_admin.php:156

filteradmin_body_classproducts\photocrati_nextgen\modules\nextgen_admin\module.nextgen_admin.php:159

filteradmin_body_classproducts\photocrati_nextgen\modules\nextgen_admin\module.nextgen_admin.php:162

filterscreen_options_show_screenproducts\photocrati_nextgen\modules\nextgen_admin\module.nextgen_admin.php:163

actionall_admin_noticesproducts\photocrati_nextgen\modules\nextgen_admin\module.nextgen_admin.php:164

actionadmin_footerproducts\photocrati_nextgen\modules\nextgen_admin\module.nextgen_admin.php:165

actionafter_setup_themeproducts\photocrati_nextgen\modules\nextgen_admin\module.nextgen_admin.php:168

actionadmin_initproducts\photocrati_nextgen\modules\nextgen_admin\module.nextgen_admin.php:171

actionngg_routesproducts\photocrati_nextgen\modules\nextgen_admin\module.nextgen_admin.php:176

actionadmin_footerproducts\photocrati_nextgen\modules\nextgen_admin\module.nextgen_admin.php:180

actiondo_ngg_noticesproducts\photocrati_nextgen\modules\nextgen_admin\module.nextgen_admin.php:181

actionngg_created_new_galleryproducts\photocrati_nextgen\modules\nextgen_admin\module.nextgen_admin.php:182

actionngg_created_new_galleryproducts\photocrati_nextgen\modules\nextgen_admin\module.nextgen_admin.php:183

actionngg_delete_galleryproducts\photocrati_nextgen\modules\nextgen_admin\module.nextgen_admin.php:184

actionall_admin_noticesproducts\photocrati_nextgen\modules\nextgen_admin\module.nextgen_admin.php:187

filterngg_album_prepared_child_entityproducts\photocrati_nextgen\modules\nextgen_basic_album\package.module.nextgen_basic_album.php:236

actionadmin_bar_menuproducts\photocrati_nextgen\modules\nextgen_other_options\module.nextgen_other_options.php:45

actioninitproducts\photocrati_nextgen\modules\nextgen_other_options\module.nextgen_other_options.php:46

actionadmin_menusrc\Admin\About.php:65

actionadmin_enqueue_scriptssrc\Admin\About.php:68

actionadmin_enqueue_scriptssrc\Admin\About.php:69

actionadmin_print_scriptssrc\Admin\About.php:72

actionnextgen_admin_notifications_updatesrc\Admin\AMNotifications.php:54

actionadmin_menusrc\Admin\App.php:23

actionadmin_menusrc\Admin\App.php:24

actionadmin_menusrc\Admin\App.php:25

actionadmin_headsrc\Admin\App.php:26

actionadmin_footersrc\Admin\App.php:27

actionadmin_headsrc\Admin\App.php:124

actionadmin_enqueue_scriptssrc\Admin\App.php:126

actionadmin_menusrc\Admin\Ecommerce_Preview.php:42

actionadmin_headsrc\Admin\Ecommerce_Preview.php:66

actionadminmenusrc\Admin\MenuNudge.php:42

actionadmin_headsrc\Admin\MenuNudge.php:48

actionadmin_menusrc\Admin\Onboarding_Wizard.php:57

actionadmin_headsrc\Admin\Onboarding_Wizard.php:58

actionadmin_initsrc\Admin\Onboarding_Wizard.php:59

actioninitsrc\Admin\Shortcode_Preview.php:28

actiontemplate_redirectsrc\Admin\Shortcode_Preview.php:29

filtershow_admin_barsrc\Admin\Shortcode_Preview.php:76

filterposts_requestsrc\DataMapper\Manager.php:17

filterposts_fieldssrc\DataMapper\Manager.php:18

filterposts_wheresrc\DataMapper\Manager.php:19

filterposts_groupbysrc\DataMapper\Manager.php:20

actionpre_get_postssrc\DataMapper\WPPostDriver.php:479

filterthe_contentsrc\Display\DisplayManager.php:48

actioninitsrc\Display\DisplayManager.php:50

actionadmin_bar_menusrc\Display\DisplayManager.php:52

actionwp_print_stylessrc\Display\DisplayManager.php:54

actionwp_enqueue_scriptssrc\Display\DisplayManager.php:56

filterscript_loader_tagsrc\Display\DisplayManager.php:346

actionplugins_loadedsrc\Display\I18N.php:39

actioninitsrc\Display\I18N.php:40

actioninitsrc\Display\ResourceManager.php:84

actionwp_footersrc\Display\ResourceManager.php:85

actionwp_print_footer_scriptssrc\Display\ResourceManager.php:239

actionadmin_print_footer_scriptssrc\Display\ResourceManager.php:240

actionshutdownsrc\Display\ResourceManager.php:241

filterngg_get_thumbcodesrc\DisplayTypes\SinglePicture.php:128

filterngg_wprouting_add_post_permalinksrc\DisplayTypes\Taxonomy.php:83

filterwpseo_opengraph_imagesrc\IGW\ATPManager.php:51

filterwpseo_twitter_imagesrc\IGW\ATPManager.php:52

filterwpseo_sitemap_urlimagessrc\IGW\ATPManager.php:53

actionadmin_enqueue_scriptssrc\IGW\ATPManager.php:57

actionelementor/editor/after_enqueue_scriptssrc\IGW\ATPManager.php:61

actionmedia_buttonssrc\IGW\ATPManager.php:63

actionadmin_enqueue_scriptssrc\IGW\ATPManager.php:64

filtermce_buttonssrc\IGW\ATPManager.php:65

filtermce_external_pluginssrc\IGW\ATPManager.php:66

filterwp_mce_translationsrc\IGW\ATPManager.php:67

actionadmin_print_scriptssrc\IGW\ATPManager.php:68

actionadmin_initsrc\IGW\ATPManager.php:69

filterthe_contentsrc\IGW\ATPManager.php:74

actioninitsrc\IGW\BlockManager.php:39

actionenqueue_block_editor_assetssrc\IGW\BlockManager.php:40

actionenqueue_block_editor_assetssrc\IGW\BlockManager.php:41

actionenqueue_block_assetssrc\IGW\BlockManager.php:42

actioninitsrc\IGW\BlockManager.php:46

actionwp_print_scriptssrc\IGW\Controller.php:68

actionwp_print_scriptssrc\IGW\Controller.php:72

actioninitsrc\IGW\EventPublisher.php:34

filterngg_admin_script_handlessrc\IGW\EventPublisher.php:35

actionngg_enqueue_frame_event_publisher_scriptsrc\IGW\EventPublisher.php:36

actionelementor/editor/before_enqueue_scriptssrc\IGW\EventPublisher.php:40

actionngg_created_new_gallerysrc\IGW\EventPublisher.php:44

actionngg_after_new_images_addedsrc\IGW\EventPublisher.php:45

actionngg_page_eventsrc\IGW\EventPublisher.php:46

actionngg_manage_tagssrc\IGW\EventPublisher.php:47

actionadmin_initsrc\Legacy\admin\admin.php:19

actionadmin_menusrc\Legacy\admin\admin.php:22

actionadmin_bar_menusrc\Legacy\admin\admin.php:24

actionnetwork_admin_menusrc\Legacy\admin\admin.php:26

actionadmin_print_scriptssrc\Legacy\admin\admin.php:29

actionadmin_print_stylessrc\Legacy\admin\admin.php:30

filtercurrent_screensrc\Legacy\admin\admin.php:32

actionngg_admin_enqueue_scriptssrc\Legacy\admin\admin.php:34

actionadmin_headsrc\Legacy\admin\admin.php:124

filterngg_manage_images_rowsrc\Legacy\admin\manage.php:191

filterngg_manage_images_column_1_headersrc\Legacy\admin\manage.php:192

filterngg_manage_images_column_1_contentsrc\Legacy\admin\manage.php:193

filterngg_manage_images_column_2_headersrc\Legacy\admin\manage.php:195

filterngg_manage_images_column_2_contentsrc\Legacy\admin\manage.php:196

filterngg_manage_images_column_3_headersrc\Legacy\admin\manage.php:198

filterngg_manage_images_column_3_contentsrc\Legacy\admin\manage.php:199

filterngg_manage_images_column_4_headersrc\Legacy\admin\manage.php:201

filterngg_manage_images_column_4_contentsrc\Legacy\admin\manage.php:202

filterngg_manage_images_column_5_headersrc\Legacy\admin\manage.php:204

filterngg_manage_images_column_5_contentsrc\Legacy\admin\manage.php:205

filterngg_manage_images_column_6_headersrc\Legacy\admin\manage.php:207

filterngg_manage_images_column_6_contentsrc\Legacy\admin\manage.php:208

filterngg_manage_gallery_fieldssrc\Legacy\admin\manage.php:453

filtermedia_upload_tabssrc\Legacy\admin\media-upload.php:3

actionmedia_upload_nextgensrc\Legacy\admin\media-upload.php:4

actionplugins_loadedsrc\Legacy\nggallery.php:51

actionwpmu_new_blogsrc\Legacy\nggallery.php:52

filterplugin_row_metasrc\Legacy\nggallery.php:55

filterngg_gallery_namesrc\Legacy\nggallery.php:60

actionadmin_noticessrc\Legacy\nggallery.php:65

actionwp_headsrc\Legacy\nggallery.php:70

actionthe_postsrc\Util\ThirdPartyCompatibility.php:149

actionadmin_initsrc\Util\UsageTracking.php:60

filtercron_schedulessrc\Util\UsageTracking.php:61

actionnextgen_usage_tracking_cronsrc\Util\UsageTracking.php:62

Scheduled Events 3

ngg_delete_expired_transients

nextgen_admin_notifications_update

nextgen_usage_tracking_cron

Maintenance & Trust

Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedMar 13, 2026

PHP min version7.0

Downloads44.3M

Community Trust

Rating86/100

Number of ratings4,337

Active installs400K

Alternatives

Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery Alternatives

Photo Gallery by 10Web – Mobile-Friendly Image Gallery

photo-gallery

Photo Gallery is a powerful image gallery plugin with a list of advanced options for creating responsive image galleries with beautiful lightbox.

200K 1 unpatched

Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More

envira-gallery-lite

Envira Gallery is a fast, easy and powerful gallery builder with lightbox, masonry and grid layouts, albums, videos, and responsive displays and more

100K 10 CVEs

Robo Gallery – Photo & Image Slider

robo-gallery

Robo Gallery is a powerful image gallery and photo gallery plugin with advanced features to create responsive galleries with a beautiful lightbox

40K 17 CVEs

Photo Gallery – GT3 Image Gallery & Gutenberg Block Gallery

gt3-photo-video-gallery

GT3 Image Gallery - create photo gallery, video gallery, block gallery, slider and more with ease. All photo galleries are responsive and loading fast

10K 4 CVEs

Gmedia Photo Gallery

grand-media

Gmedia Gallery - photo gallery with comments, show EXIF & Metadata, gallery with map geolocation (GPS), private galleries.

8K 1 unpatched

Developer Profile

Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery Developer Profile

Syed Balkhi

94 plugins · 23.5M total installs

trust score

Avg Security Score

91/100

Avg Patch Time

795 days

View full developer profile

Detection Fingerprints

How We Detect Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/nextgen-gallery/styles/nggallery.css/wp-content/plugins/nextgen-gallery/styles/dashicons.css/wp-content/plugins/nextgen-gallery/styles/albums.css/wp-content/plugins/nextgen-gallery/styles/galleries.css/wp-content/plugins/nextgen-gallery/styles/slideshow.css/wp-content/plugins/nextgen-gallery/styles/nextgen-gallery.css/wp-content/plugins/nextgen-gallery/admin/css/common.css/wp-content/plugins/nextgen-gallery/admin/css/gallery.css+73 more

Script Paths

/wp-content/plugins/nextgen-gallery/admin/js/nggallery.js/wp-content/plugins/nextgen-gallery/admin/js/albums.js/wp-content/plugins/nextgen-gallery/admin/js/galleries.js/wp-content/plugins/nextgen-gallery/admin/js/slideshow.js/wp-content/plugins/nextgen-gallery/admin/js/nextgen-gallery.js/wp-content/plugins/nextgen-gallery/admin/js/common.js+34 more

Version Parameters

/wp-content/plugins/nextgen-gallery/styles/nggallery.css?ver=/wp-content/plugins/nextgen-gallery/styles/dashicons.css?ver=/wp-content/plugins/nextgen-gallery/styles/albums.css?ver=/wp-content/plugins/nextgen-gallery/styles/galleries.css?ver=/wp-content/plugins/nextgen-gallery/styles/slideshow.css?ver=/wp-content/plugins/nextgen-gallery/styles/nextgen-gallery.css?ver=/wp-content/plugins/nextgen-gallery/admin/css/common.css?ver=/wp-content/plugins/nextgen-gallery/admin/css/gallery.css?ver=/wp-content/plugins/nextgen-gallery/admin/css/ Galleries.css?ver=/wp-content/plugins/nextgen-gallery/admin/css/album.css?ver=/wp-content/plugins/nextgen-gallery/admin/css/media-gallery.css?ver=/wp-content/plugins/nextgen-gallery/admin/css/image-browser.css?ver=/wp-content/plugins/nextgen-gallery/admin/css/settings.css?ver=/wp-content/plugins/nextgen-gallery/admin/css/import.css?ver=/wp-content/plugins/nextgen-gallery/admin/css/uninstall.css?ver=/wp-content/plugins/nextgen-gallery/admin/css/wizard.css?ver=/wp-content/plugins/nextgen-gallery/admin/css/notices.css?ver=/wp-content/plugins/nextgen-gallery/admin/css/ngg-gallery-picker.css?ver=/wp-content/plugins/nextgen-gallery/admin/css/ngg-multiselect.css?ver=/wp-content/plugins/nextgen-gallery/admin/css/ngg-tinymce-plugin.css?ver=/wp-content/plugins/nextgen-gallery/admin/css/ngg-custom-fields.css?ver=/wp-content/plugins/nextgen-gallery/admin/css/ngg-tags.css?ver=/wp-content/plugins/nextgen-gallery/admin/css/ngg-images-bulk-edit.css?ver=/wp-content/plugins/nextgen-gallery/admin/css/ngg-lightbox.css?ver=/wp-content/plugins/nextgen-gallery/admin/css/ngg-tagcloud.css?ver=/wp-content/plugins/nextgen-gallery/admin/css/ngg-gallery-grid.css?ver=/wp-content/plugins/nextgen-gallery/admin/css/ngg-importer.css?ver=/wp-content/plugins/nextgen-gallery/admin/css/ngg-media-gallery-modal.css?ver=/wp-content/plugins/nextgen-gallery/admin/css/ngg-media-library.css?ver=/wp-content/plugins/nextgen-gallery/admin/css/ngg-album-list.css?ver=/wp-content/plugins/nextgen-gallery/admin/css/ngg-gallery-list.css?ver=/wp-content/plugins/nextgen-gallery/admin/css/ngg-slideshow.css?ver=/wp-content/plugins/nextgen-gallery/admin/js/nggallery.js?ver=/wp-content/plugins/nextgen-gallery/admin/js/albums.js?ver=/wp-content/plugins/nextgen-gallery/admin/js/galleries.js?ver=/wp-content/plugins/nextgen-gallery/admin/js/slideshow.js?ver=/wp-content/plugins/nextgen-gallery/admin/js/nextgen-gallery.js?ver=/wp-content/plugins/nextgen-gallery/admin/js/common.js?ver=/wp-content/plugins/nextgen-gallery/admin/js/gallery.js?ver=/wp-content/plugins/nextgen-gallery/admin/js/ Galleries.js?ver=/wp-content/plugins/nextgen-gallery/admin/js/album.js?ver=/wp-content/plugins/nextgen-gallery/admin/js/media-gallery.js?ver=/wp-content/plugins/nextgen-gallery/admin/js/image-browser.js?ver=/wp-content/plugins/nextgen-gallery/admin/js/settings.js?ver=/wp-content/plugins/nextgen-gallery/admin/js/import.js?ver=/wp-content/plugins/nextgen-gallery/admin/js/uninstall.js?ver=/wp-content/plugins/nextgen-gallery/admin/js/wizard.js?ver=/wp-content/plugins/nextgen-gallery/admin/js/notices.js?ver=/wp-content/plugins/nextgen-gallery/admin/js/ngg-gallery-picker.js?ver=/wp-content/plugins/nextgen-gallery/admin/js/ngg-multiselect.js?ver=/wp-content/plugins/nextgen-gallery/admin/js/ngg-tinymce-plugin.js?ver=/wp-content/plugins/nextgen-gallery/admin/js/ngg-custom-fields.js?ver=/wp-content/plugins/nextgen-gallery/admin/js/ngg-tags.js?ver=/wp-content/plugins/nextgen-gallery/admin/js/ngg-images-bulk-edit.js?ver=/wp-content/plugins/nextgen-gallery/admin/js/ngg-lightbox.js?ver=/wp-content/plugins/nextgen-gallery/admin/js/ngg-tagcloud.js?ver=/wp-content/plugins/nextgen-gallery/admin/js/ngg-gallery-grid.js?ver=/wp-content/plugins/nextgen-gallery/admin/js/ngg-importer.js?ver=/wp-content/plugins/nextgen-gallery/admin/js/ngg-media-gallery-modal.js?ver=/wp-content/plugins/nextgen-gallery/admin/js/ngg-media-library.js?ver=/wp-content/plugins/nextgen-gallery/admin/js/ngg-album-list.js?ver=/wp-content/plugins/nextgen-gallery/admin/js/ngg-gallery-list.js?ver=/wp-content/plugins/nextgen-gallery/admin/js/ngg-slideshow.js?ver=

HTML / DOM Fingerprints

CSS Classes

ngg-galleryngg-albumngg-thumbnailngg-descriptionngg-gallery-images-backendngg-gallery-backendngg-admin-containerngg-settings-form+18 more

HTML Comments

+10 more

Data Attributes

data-ngg-gallery-iddata-ngg-album-id

JS Globals

ngg_backendngg_lightboxngg_tagcloudngg_gallery_gridngg_importerngg_media_gallery_modal+12 more

REST Endpoints

/wp-json/nextgen-gallery

FAQ

Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery Security & Risk Analysis

Is Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery Safe to Use in 2026?

Mostly Safe

Key Concerns

Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery Security Vulnerabilities

CVEs by Year

Severity Breakdown

Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery Code Analysis

Bundled Libraries

SQL Query Safety

Output Escaping

Data Flow Analysis

Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery Attack Surface

AJAX Handlers 12

REST API Routes 65

Scheduled Events 3

Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery Maintenance & Trust

Maintenance Signals

Community Trust

Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery Alternatives

Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More

Robo Gallery – Photo & Image Slider

Photo Gallery – GT3 Image Gallery & Gutenberg Block Gallery

Gmedia Photo Gallery

Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery Developer Profile

How We Detect Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Asset Fingerprints

HTML / DOM Fingerprints

Frequently Asked Questions about Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery