Cyber Posture

CVE-2025-13641

Severity: High
Published: 18 December 2025
Modified: 15 April 2026
KEV Added: (no date listed)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0018 (39.0th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.59.12 via the 'template' shortcode parameter. This is due to insufficient path validation that allows absolute paths to be provided. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary PHP files on the server, bypassing web server restrictions like .htaccess. Successful exploitation could lead to information disclosure, code execution in the WordPress context, and potential remote code execution if combined with arbitrary file upload capabilities.

Mitigating Controls (NIST 800-53 r5)

prevent: Remediates the specific LFI flaw in the NextGEN Gallery plugin by identifying, prioritizing, and patching the insufficient path validation in the 'template' shortcode parameter.

prevent: Enforces input validation at entry points such as the 'template' shortcode parameter so that absolute paths (and any other value that is not a plain template name) are rejected before a file is included, preventing arbitrary PHP file inclusion.

prevent: Applies least privilege to keep Contributor-level users from reaching the vulnerable shortcode, limiting the attack surface to higher-privileged roles. This is a compensating control only: it narrows who can trigger the flaw but does not remove it, so it does not substitute for the patch.
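To make the description and the input-validation control above concrete, here is an added PHP illustration. It is not NextGEN Gallery's code and does not reproduce the Controller.php or LegacyTemplateLocator.php logic the page references; it is a hypothetical template locator shown in a weak form (an existing path supplied by the caller is used verbatim, which is the behaviour the description implies when absolute paths are accepted) next to a hardened form that allows only a bare template name, canonicalises it with realpath(), and requires the result to remain inside an allowlisted directory. All function, directory and file names are assumptions for the demo.

```php
<?php
// Added illustration, not NextGEN Gallery's code: a hypothetical template
// locator in its weak and hardened forms. Directory and function names
// are assumptions for the demo.

// Weak: a value that already names an existing file is used verbatim, so a
// caller who controls $template can point it at any .php file the web
// server can read (absolute path) or escape the directory with '../'.
// Whatever this returns is later passed to include(), which executes it.
function locate_template_weak(string $template_dir, string $template): ?string
{
    if (is_file($template)) {
        return $template;
    }
    $candidate = $template_dir . '/' . $template . '.php';
    return is_file($candidate) ? $candidate : null;
}

// Hardened: accept only a bare template name, resolve it with realpath(),
// and require the result to stay inside the allowlisted directory.
function locate_template_hardened(string $template_dir, string $template): ?string
{
    // \z rather than $ so a trailing newline cannot slip past the check.
    if (!preg_match('/^[A-Za-z0-9_-]+\z/', $template)) {
        return null;
    }
    $base = realpath($template_dir);
    $candidate = realpath($template_dir . '/' . $template . '.php');
    if ($base === false || $candidate === false) {
        return null; // directory or template does not exist
    }
    // Prefix check on the canonical path also catches symlinks that point
    // out of the template directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Demo with constructed files in a scratch directory (not real plugin data).
$tmp = sys_get_temp_dir() . '/lfi-demo-' . bin2hex(random_bytes(4));
mkdir("$tmp/templates", 0700, true);
file_put_contents("$tmp/templates/gallery.php", "<?php echo \"gallery template\\n\";\n");
file_put_contents("$tmp/outside.php", "<?php echo \"outside the template dir\\n\";\n");

foreach (['gallery', "$tmp/outside.php", '../outside'] as $template) {
    printf("%-45s weak=%s hardened=%s\n",
        $template,
        var_export(locate_template_weak("$tmp/templates", $template), true),
        var_export(locate_template_hardened("$tmp/templates", $template), true));
}

// Remove the scratch files.
foreach (["$tmp/templates/gallery.php", "$tmp/outside.php"] as $f) {
    unlink($f);
}
rmdir("$tmp/templates");
rmdir($tmp);
```

Run with `php lfi-demo.php`. The plain name `gallery` resolves in both locators; the absolute path to `outside.php` and the `../outside` traversal resolve only in the weak locator, while the hardened one returns `NULL` for both because the name check fails before any filesystem lookup. The prefix comparison on the realpath() result is what matters for the bypass the page describes: an allowlist on the name alone would not catch a symlink placed inside the template directory, and a string check on the un-canonicalised path would not catch `..` segments.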

Security Summary

CVE-2025-13641 is a Local File Inclusion (LFI) vulnerability affecting the Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress in all versions up to and including 3.59.12. The flaw arises from insufficient path validation in the 'template' shortcode parameter, which permits the use of absolute paths. This issue is cataloged under CWE-98 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Authenticated attackers with Contributor-level access or higher can exploit this vulnerability over the network with low complexity. By supplying a malicious absolute path via the 'template' parameter, they can include and execute arbitrary PHP files on the server, circumventing web server restrictions such as .htaccess. Exploitation may result in information disclosure, code execution within the WordPress context, and potential remote code execution if paired with arbitrary file upload features.

References include source code locations in Controller.php and LegacyTemplateLocator.php, a changeset 3415575 applying fixes to LegacyTemplateLocator.php, and Wordfence threat intelligence detailing the vulnerability (ID: 0a01e1c9-67f4-4cc1-b58b-9cc141889d66). Security practitioners should review these for patch details and update to a remediated version of the plugin.

Details

CWE(s): CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program)

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Why these techniques?

The LFI flaw sits in a plugin on a public-facing WordPress site and is triggered over the network against the web application (T1190); including attacker-chosen local files can expose their contents, which maps to collection from the local system (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
