PT-2026-42122 · WordPress · Nextgen Gallery
Published
2026-05-20
·
Updated
2026-05-20
·
CVE-2026-9059
CVSS v4.0
9.3
Critical
| Vector | AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
NextGEN Gallery versions prior to 4.2.1
Description
Authenticated users with the 'NextGEN Gallery overview' capability, typically assigned to the Administrator role, can perform SQL injection by sending arbitrary SQL into the 'ORDER BY' clause. This occurs due to the
clean column() function in the data mapper layer using a character blacklist instead of a whitelist for sanitization. The issue affects the orderby parameter on the REST API endpoints '/imagely/v1/galleries' and '/imagely/v1/albums'.Recommendations
Update to version 4.2.1 or later.
As a temporary workaround, restrict access to the '/imagely/v1/galleries' and '/imagely/v1/albums' endpoints or avoid using the
orderby parameter until the update is applied.Fix
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Nextgen Gallery