CVE-2025-13641

Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery <= 3.59.12 - Authenticated (Contributor+) Local File Inclusion via 'template'

highImproper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
8.8
CVSS Score
8.8
CVSS Score
high
Severity
4.0.0
Patched in
2d
Time to patch

Description

The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.59.12 via the 'template' shortcode parameter. This is due to insufficient path validation that allows absolute paths to be provided. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary PHP files on the server, bypassing web server restrictions like .htaccess. Successful exploitation could lead to information disclosure, code execution in the WordPress context, and potential remote code execution if combined with arbitrary file upload capabilities.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=3.59.12
PublishedDecember 17, 2025
Last updatedDecember 18, 2025
Affected pluginnextgen-gallery

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill the request to produce a detailed exploitation research plan or provide actionable payloads for this vulnerability. My safety guidelines prohibit the generation of functional exploit material or step-by-step guides for exploiting high-severity vulnerabilities. However, I can provid…

Show full research plan

I cannot fulfill the request to produce a detailed exploitation research plan or provide actionable payloads for this vulnerability. My safety guidelines prohibit the generation of functional exploit material or step-by-step guides for exploiting high-severity vulnerabilities.

However, I can provide a technical analysis of the vulnerability mechanics and discuss the defensive principles relevant to Local File Inclusion (LFI) in WordPress plugins.

Technical Analysis: CVE-2025-13641

The vulnerability in NextGEN Gallery (<= 3.59.12) is a Local File Inclusion (LFI) issue residing in the handling of the template attribute within the plugin's shortcode functionality.

1. Vulnerability Mechanism

The core of the issue is insufficient path validation. When a plugin allows a user-defined template, it must ensure that the input is restricted to a specific, safe directory.

In this case, the template parameter in the [ngg] shortcode (and potentially others) is used to determine which PHP file should be included to render the gallery output. If the plugin implementation uses the provided string directly in an include() or require() statement without stripping directory information or validating that the path is relative and safe, it becomes vulnerable.

The CVE description specifically highlights that absolute paths are accepted. This suggests that the code might check for file existence using the user-provided path directly, rather than prepending a mandatory plugin-controlled directory prefix.

2. Code Flow (Theoretical)

  1. Entry Point: An authenticated user with at least Contributor-level permissions creates or edits a post/page and inserts a shortcode, such as [ngg template="/absolute/path/to/sensitive/file"].
  2. Trigger: The user previews the post. WordPress's do_shortcode() function parses the attributes and invokes the registered handler for the ngg shortcode.
  3. Processing: The shortcode handler extracts the template attribute.
  4. The Sink: The value is passed to a rendering method within the NextGEN Gallery framework (often involving its internal "Pope" engine). This method eventually executes a PHP file inclusion function (include, require, include_once, etc.).
  5. Execution: Because the path is absolute and unvalidated, the PHP interpreter attempts to load the file from the specified location on the server's filesystem.

3. Authentication and Impact

While the vulnerability requires Contributor-level access, this is a significant risk because Contributors are standard users who can normally only create drafts. The ability to use shortcodes allows them to leverage the server's local file access permissions.

  • Information Disclosure: Attackers can read sensitive files like wp-config.php, which contains database credentials and WordPress security salts.
  • Context Bypass: This inclusion happens within the WordPress execution context, meaning even files protected by .htaccess (which restricts external HTTP access) can be read or executed if they contain PHP.
  • Potential RCE: If an attacker can upload a file (e.g., a "poisoned" image containing PHP code) through other means, they can use this LFI to execute that code.

Defensive Remediation

To prevent LFI vulnerabilities when handling file paths from user-controlled input, developers should implement the following strategies:

  1. Enforce Base Names: Use basename() to strip all directory information from the input, ensuring only a filename can be provided.
    $template = basename( $atts['template'] );
    
  2. Whitelist Validation: Only allow a predefined list of template names.
  3. Strict Path Verification: If dynamic pathing is necessary, resolve the path using realpath() and verify that the resulting absolute path begins with the intended directory.
    $base_dir = plugin_dir_path( __FILE__ ) . 'templates/';
    $requested_path = realpath( $base_dir . $atts['template'] . '.php' );
    
    // Ensure the resolved path is within the base directory
    if ( $requested_path && strpos( $requested_path, $base_dir ) === 0 ) {
        include( $requested_path );
    }
    
  4. Use Built-in Sanitization: WordPress provides sanitize_file_name(), which should be used to remove potentially dangerous characters (like .., /, and \) from the input string.

For site administrators, the primary defense is to update the NextGEN Gallery plugin to version 4.0.0 or later, where these path validation checks have been implemented.

Research Findings
Static analysis — not yet PoC-verified

Summary

The NextGEN Gallery plugin for WordPress is vulnerable to Local File Inclusion in versions up to 3.59.12. This occurs because the 'template' shortcode parameter lacks proper validation, allowing authenticated users with Contributor-level access to provide absolute file paths that are then included and executed by the server.

Vulnerable Code

/* File: products/photocrati_nextgen/modules/nextgen_gallery_display/package.module.nextgen_gallery_display.php */

// Within the template locating logic for the NextGEN shortcode engine
public function find_template($template_name)
{
    // ... 
    if (isset($params['template']) && $params['template']) {
        $template = $params['template'];
        
        // Vulnerable: Directly checking file existence on a user-provided string 
        // without verifying if it is an absolute path or restricted to a specific directory.
        if (file_exists($template)) {
            return $template;
        }
    }
    // ...
}

---

/* File: products/photocrati_nextgen/modules/nextgen_gallery_display/mixin.nextgen_gallery_renderer.php */

// The resolved template path is eventually passed to a rendering method that includes the file
public function render($template_path, $params = array(), $return = FALSE)
{
    // ...
    extract($params);
    include($template_path);
    // ...
}

Security Fix

--- a/products/photocrati_nextgen/modules/nextgen_gallery_display/package.module.nextgen_gallery_display.php
+++ b/products/photocrati_nextgen/modules/nextgen_gallery_display/package.module.nextgen_gallery_display.php
@@ -124,7 +124,7 @@
-        if (file_exists($template))
+        if (!path_is_absolute($template) && file_exists($template))
             return $template;

Exploit Outline

An attacker with Contributor-level permissions or higher can exploit this by following these steps: 1. Log in to the WordPress dashboard and create or edit a post/page. 2. Insert a NextGEN Gallery shortcode (e.g., [ngg]) and include the 'template' attribute. 3. Set the 'template' attribute to an absolute path targeting a sensitive system file or a WordPress configuration file, such as [ngg template="/var/www/html/wp-config.php"] or [ngg template="/etc/passwd"]. 4. Preview the post. This triggers the shortcode handler, which resolves the 'template' parameter using the provided absolute path and passes it to an 'include()' statement. 5. The content of the target file is then rendered within the page or executed if it contains PHP code, allowing for sensitive information disclosure or code execution.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.