CVE-2025-13641
📋 TL;DR
This vulnerability allows authenticated WordPress users with Contributor-level access or higher to include and execute arbitrary PHP files on the server via the 'template' shortcode parameter in NextGEN Gallery. This bypasses web server restrictions and can lead to information disclosure or code execution. All WordPress sites using NextGEN Gallery versions up to 3.59.12 are affected.
💻 Affected Systems
- NextGEN Gallery - Photo Gallery, Sliders, Proofing and Themes for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise through remote code execution if combined with file upload capabilities, leading to data theft, site defacement, or malware distribution.
Likely Case
Unauthorized access to sensitive files, privilege escalation within WordPress, and potential code execution in the WordPress context.
If Mitigated
Limited impact if proper access controls and file permissions are in place, though information disclosure may still occur.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained; weaponization is likely due to the critical nature and ease of exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.59.13 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find NextGEN Gallery and click 'Update Now'. 4. Verify update to version 3.59.13 or higher.
🔧 Temporary Workarounds
Restrict User Roles
allTemporarily limit Contributor and higher roles or disable the plugin until patched.
🧯 If You Can't Patch
- Disable the NextGEN Gallery plugin immediately.
- Implement strict file permissions and monitor for suspicious file inclusion attempts.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel under Plugins > Installed Plugins for NextGEN Gallery version 3.59.12 or lower.Check Version:
wp plugin list --name=nextgen-gallery --field=version (if WP-CLI is installed)Verify Fix Applied:
Confirm NextGEN Gallery version is 3.59.13 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual file inclusion requests in web server logs, especially involving 'template' parameter with absolute paths.
Network Indicators:
- HTTP requests with 'template' parameter containing absolute paths or unusual file extensions.
SIEM Query:
web_access_logs WHERE url CONTAINS 'template=' AND (url CONTAINS '/etc/' OR url CONTAINS 'C:\' OR url CONTAINS '.php')🔗 References
- https://plugins.trac.wordpress.org/browser/nextgen-gallery/trunk/src/DisplayType/Controller.php#L369
- https://plugins.trac.wordpress.org/browser/nextgen-gallery/trunk/src/DisplayType/LegacyTemplateLocator.php#L152
- https://plugins.trac.wordpress.org/changeset/3415575/nextgen-gallery/trunk/src/DisplayType/LegacyTemplateLocator.php?old=3004370&old_path=nextgen-gallery%2Ftrunk%2Fsrc%2FDisplayType%2FLegacyTemplateLocator.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/0a01e1c9-67f4-4cc1-b58b-9cc141889d66?source=cve
