CVE-2025-13641 in Photo Gallery, Sliders, Proofing and Themes Plugin
Summary
by MITRE • 12/18/2025
The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.59.12 via the 'template' shortcode parameter. This is due to insufficient path validation that allows absolute paths to be provided. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary PHP files on the server, bypassing web server restrictions like .htaccess. Successful exploitation could lead to information disclosure, code execution in the WordPress context, and potential remote code execution if combined with arbitrary file upload capabilities.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 12/20/2025
The vulnerability identified as CVE-2025-13641 affects the NextGEN Gallery plugin for WordPress, specifically targeting versions up to and including 3.59.12. This plugin serves as a popular media management solution for WordPress sites, handling photo galleries, sliders, and themes. The vulnerability manifests through the 'template' shortcode parameter, which is designed to allow users to specify template files for rendering gallery content. However, the implementation lacks proper input validation and sanitization, creating a critical security flaw that can be exploited by authenticated attackers.
The technical flaw stems from insufficient path validation mechanisms within the plugin's template handling functionality. When the 'template' parameter is processed, the system does not adequately verify or sanitize the provided file path, allowing absolute paths to be passed directly to file inclusion functions. This weakness aligns with CWE-22, which describes improper limitation of a pathname to a restricted directory, commonly known as path traversal vulnerabilities. The vulnerability specifically enables local file inclusion attacks where an attacker can manipulate the template parameter to include arbitrary PHP files stored on the server filesystem.
Authenticated attackers with Contributor-level access or higher can exploit this vulnerability to execute arbitrary PHP code on the target WordPress installation. This privilege escalation capability is particularly dangerous because it allows attackers to bypass standard web server security restrictions such as .htaccess rules that typically prevent direct access to sensitive files. The exploitation process enables attackers to include and execute PHP files that exist on the server, potentially accessing configuration files, database credentials, or other sensitive information. The impact extends beyond simple information disclosure to full code execution within the WordPress context, providing attackers with significant control over the affected system.
The operational consequences of this vulnerability are severe and multifaceted. Successful exploitation could result in complete compromise of the WordPress installation, allowing attackers to install backdoors, modify content, steal user data, or establish persistent access to the system. The vulnerability's combination with other capabilities, such as arbitrary file upload functionality, significantly amplifies the threat landscape by enabling attackers to upload malicious files and subsequently include them through this LFI vulnerability. This creates a complete remote code execution scenario that can lead to full system compromise. Organizations should immediately implement mitigations including plugin updates, input validation hardening, and access control restrictions to protect against exploitation attempts.
Security practitioners should reference the ATT&CK framework's technique T1505.003 for Lateral Movement through Unsecured File and Directory Permissions, which aligns with the exploitation pathway of this vulnerability. The vulnerability also relates to ATT&CK technique T1059.001 for Command and Scripting Interpreter, as the ability to execute arbitrary PHP code directly translates to command execution capabilities within the target environment. Organizations must prioritize patch management and implement proper input validation measures to prevent similar vulnerabilities from being exploited in their WordPress environments, particularly given the widespread use of the NextGEN Gallery plugin across numerous websites and applications.