CVE-2026-1463

Name of the Vulnerable Software and Affected Versions NextGEN Gallery versions prior to 4.0.4

Description The NextGEN Gallery plugin for WordPress is susceptible to a Local File Inclusion issue. This affects versions up to and including 4.0.3. The issue is triggered through the template parameter within gallery shortcodes. Successful exploitation allows authenticated attackers with Author-level access or higher to include and execute arbitrary .php files on the server. This can lead to bypassing access controls, obtaining sensitive data, or achieving code execution if .php files can be uploaded and included. The vulnerable parameter is template.

Recommendations Update NextGEN Gallery to version 4.0.4 or later.