Local File Inclusion in NextGEN Gallery Plugin for WordPress
CVE-2025-13641

8.8HIGH

Key Information:

Vendor: WordPress
Status: Photo Gallery, Sliders, Proofing And Themes – Nextgen Gallery
Vendor: CVE Published:; 18 December 2025

What is CVE-2025-13641?

The NextGEN Gallery plugin for WordPress has a Local File Inclusion vulnerability that affects all versions up to and including 3.59.12. This security flaw arises from inadequate path validation in the 'template' shortcode parameter, allowing attackers with Contributor-level access and above to introduce absolute paths. As a result, it becomes feasible for authorized attackers to include and execute arbitrary PHP files on the server. This exploitation can circumvent standard web server security measures, such as .htaccess, potentially leading to sensitive information leakage, unauthorized code execution within the WordPress environment, and even remote code execution risks when coupled with capabilities for arbitrary file uploads.

Affected Version(s)

Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery * <= 3.59.12

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/nextgen-galler...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 18, 2025
Vulnerability Reserved
Nov 25, 2025

Credit

Athiwat Tiprasaharn

JSON