NextGEN Gallery < 3.39 - Admin+ Local File Inclusion
Description
The NextGEN Gallery plugin before 3.39 allows Admin users to perform Local File Inclusion via unvalidated block attributes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The WordPress Gallery Plugin (NextGEN Gallery) before version 3.39 fails to validate certain block attributes before using them to construct file paths passed to PHP include functions. This vulnerability, classified as CWE-22 (Path Traversal), allows users with Administrator privileges to include arbitrary files from the server via crafted block attributes [1].
Exploitation
An attacker with Administrator access to a WordPress site running the affected plugin can create or edit a post or page containing a NextGEN Gallery block. By setting a block attribute that the plugin turns into an include path, the attacker injects path traversal sequences (such as `../`) so that the constructed path leaves the intended directory and an arbitrary local file is included. The advisory does not name the specific attributes involved. No user interaction beyond the attacker's own admin actions is required [1].
Impact
Successful exploitation leads to Local File Inclusion (LFI): an attacker-chosen path is handed to a PHP include, so any file the web server process can read and that fits the plugin's path construction can be pulled in [1]. A file that contains no PHP (a log, a backup, a text export) is emitted verbatim, which is the information-disclosure case; a file that contains PHP is executed rather than displayed, so wp-config.php would run instead of printing its database credentials, while a file with attacker-supplied PHP in it (for example an earlier upload) could give code execution. Since WordPress administrators can normally install plugins anyway, the practical exposure concentrates on deployments where that ability has been removed (multisite, DISALLOW_FILE_MODS) and administrators are deliberately kept away from server-level access.
Mitigation
The vulnerability is fixed in version 3.39 of the NextGEN Gallery plugin; sites should update to 3.39 or later. As of the publication date, no workaround is documented, so updating is the recommended mitigation [1]. Because exploitation requires the Administrator role, the only interim control where an update must wait is limiting which accounts hold that role.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- NextGEN Gallery (WordPress plugin): versions < 3.39
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing validation of block attributes before using them to generate paths passed to include functions, enabling path traversal."
Attack vector
An authenticated attacker with Admin-level privileges crafts a block attribute containing path traversal sequences (e.g., `../`). The plugin does not validate these attributes before using them to construct a file path that is passed to an include function [ref_id=1]. This allows the attacker to include arbitrary files from the server, leading to Local File Inclusion (LFI) [CWE-22]. The attack is performed through the WordPress block editor by supplying a malicious attribute value in a NextGEN Gallery block.
Affected code
The advisory does not specify exact file paths or function names. The vulnerability exists in the block attribute handling logic of the NextGEN Gallery plugin before version 3.39, where block attributes are used to generate file paths passed to PHP include functions without proper validation [ref_id=1].
What the fix does
The advisory states that the fix was released in version 3.39 of the NextGEN Gallery plugin [ref_id=1]. No patch diff is provided in the bundle; the root-cause statement implies that the remediation validates block attributes before they are used to build file paths for include functions, but the exact check is not documented. Administrators should update to version 3.39 or later to close the vulnerability.
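The pattern described in the Attack vector and What the fix does passages, as an added illustration written for this page rather than NextGEN Gallery's own code: a hypothetical template resolver that concatenates a block attribute into an include path, beside a hardened resolver that allowlists the attribute syntax and confirms the canonical path stays inside the template directory. The function names, the directory layout, the file names and the `db_password` line are all constructed for the demo and are not taken from the plugin.

```php
<?php
declare(strict_types=1);

// Added illustration, not NextGEN Gallery's code. resolve_template_vulnerable()
// mirrors the pattern the advisory describes: a block attribute is concatenated
// into a path that is then passed to include. resolve_template_safe() is one
// reasonable shape for the fix. All names below are hypothetical.

// Vulnerable pattern: the attribute is used as-is, so "../" walks out of $baseDir.
function resolve_template_vulnerable(string $baseDir, string $attr): string
{
    return $baseDir . '/' . $attr;
}

// Hardened pattern: allowlist the attribute syntax, then confirm that the
// canonical path still lies inside the template directory. Returns null on rejection.
function resolve_template_safe(string $baseDir, string $attr): ?string
{
    // Only a bare name ending in .php: no separators, no "..", no php:// wrappers.
    if (preg_match('/\A[A-Za-z0-9_-]+\.php\z/', $attr) !== 1) {
        return null;
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . '/' . $attr);
    if ($base === false || $real === false) {
        return null;
    }
    // Compare with a trailing separator so /srv/templates2 is not accepted as inside /srv/templates.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Constructed demo layout: one legitimate template and one file outside the template directory.
$root        = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
$templateDir = $root . '/templates';
mkdir($templateDir, 0700, true);
file_put_contents($templateDir . '/gallery.php', "<?php echo \"gallery template rendered\\n\";\n");
file_put_contents($root . '/secret.txt', "db_password=constructed-sample-value\n");

foreach (['gallery.php', '../secret.txt'] as $attr) {
    echo "attribute \"$attr\"\n";

    // The vulnerable resolver includes whatever the attribute points at. A plain-text
    // target is echoed verbatim (disclosure); a PHP target would be executed instead.
    echo "  vulnerable: ";
    include resolve_template_vulnerable($templateDir, $attr);

    $safe = resolve_template_safe($templateDir, $attr);
    echo "  hardened:   ";
    if ($safe === null) {
        echo "rejected\n";
    } else {
        include $safe;
    }
}

// Remove the constructed files.
unlink($templateDir . '/gallery.php');
unlink($root . '/secret.txt');
rmdir($templateDir);
rmdir($root);
```

Run with the PHP CLI. For `gallery.php` both resolvers include the template; for `../secret.txt` the vulnerable resolver includes the file outside the template directory and its plain-text contents are echoed, while the hardened resolver rejects the attribute at the allowlist step before `realpath` is ever consulted. The `realpath` containment check is kept as a second layer because an allowlist regex alone does not cover symlinks placed inside the template directory.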
Preconditions
- auth: Attacker must have Admin-level privileges on the WordPress site
- config: The NextGEN Gallery plugin version must be earlier than 3.39
- input: Attacker must be able to edit posts/pages using the block editor with NextGEN Gallery blocks
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. wpscan.com/vulnerability/3b7a7070-8d61-4ff8-b003-b4ff06221635 (mitre, exploit, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.