WordPress Gallery Plugin – NextGEN Gallery

Software Type	Plugin
Software Slug	nextgen-gallery (view on wordpress.org)
Software Status	Active
Software Author	smub
Software Website	www.imagely.com
Software Downloads	38,425,798
Software Active Installs	500,000
Software Record Last Updated	November 28, 2023

Showing 1-20 of 30 Vulnerabilities

NextGEN Gallery <= 3.37 - Cross-Site Request Forgery

4.3

CVE-2023-48328

Nov 23, 2023

Researcher: Vladislav Pokrovsky (ΞX.MI)

WordPress Gallery Plugin – NextGEN Gallery <= 3.38 - Authenticated (Admin+) Local File Inclusion

4.9

CVE-2023-3279

Sep 25, 2023

Researcher: Alex Sanford

WordPress Gallery Plugin – NextGEN Gallery <= 3.38 - Authenticated (Admin+) PHAR Deserialization

7.2

CVE-2023-3154

Sep 25, 2023

Researcher: Linwz

NextGEN Gallery <= 3.37 - Authenticated (Admininistrator+) Arbitrary File Read and Deletion in gallery_edit

6.5

CVE-2023-3155

Sep 25, 2023

Researcher: Linwz

Freemius SDK <= 2.5.9 - Reflected Cross-Site Scripting via fs_request_get

6.1

CVE-2023-33999

Jul 18, 2023

Researcher: Rafie Muhammad

NextGEN Gallery <= 3.28 - Cross-Site Request Forgery leading to Post Thumbnail Change

4.3

CVE-2022-38468

Feb 14, 2023

Researcher: István Márton

WordPress Gallery Plugin – NextGEN Gallery <= 3.4.7 - Cross-Site Request Forgery

8.8

CVE-2020-35942

Dec 17, 2020

Researcher: Ram

WordPress Gallery Plugin – NextGEN Gallery <= 3.4.7 - Cross-Site Request Forgery to Arbitrary File Upload

8.8

CVE-2020-35943

Dec 17, 2020

Researcher: Ram

NextGEN Gallery <= 3.2.10 - SQL Injection

9.8

CVE-2019-14314

Aug 27, 2019

Researcher: Tin Duong

Freemius SDK <= 2.2.3 - Missing Authorization to Arbitrary Options Update

8.8

CVE ID Unknown

Feb 25, 2019

Researchers:

NextGen Gallery <= 3.1.5 - PHP Object Injection

8.8

CVE ID Unknown

Feb 4, 2019

Researcher: Slavco Mihajloski

WordPress Gallery Plugin – NextGEN Gallery <= 2.2.46 - Sensitive Information Disclosure

7.5

CVE-2018-7586

Mar 2, 2018

Researchers:

NextGEN Gallery <= 2.2.44 - Cross-Site Scripting via image alt and title text

4.8

CVE-2018-1000172

Feb 14, 2018

Researcher: Zhouyuan Yang

NextGen Gallery <= 2.1.77 - SQL Injection

8.3

CVE ID Unknown

Feb 17, 2017

Researcher: Slavco Mihajloski

NextGEN Gallery <= 2.1.56 - Authenticated Local File Inclusion & SQL injection

9.8

CVE-2016-10889

Nov 15, 2016

Researchers:

NextGen Gallery <= 2.1.56 - Remote File Inclusion

7.5

CVE-2016-6565

Nov 15, 2016

Researcher: Mukhammad Khalilov

NextGen Gallery <= 2.1.10 - Unrestricted File Upload

8.8

CVE-2015-9228

Dec 23, 2015

Researcher: Sathish Kumar

WordPress Gallery Plugin – NextGEN Gallery <= 2.1.15 - Authenticated (Admin+) Cross-Site Scripting

5.5

CVE-2015-9229

Sep 14, 2015

Researcher: cybersecurityworks

NextGen Gallery <= 2.1.9 - Cross-Site Scripting

6.4

CVE-2015-9537

Aug 31, 2015

Researcher: Sathish Kumar

NextGen Gallery <= 2.1.7 - Path Traversal

6.5

CVE ID Unknown

Aug 28, 2015

Researcher: Sathish Kumar

Title	CVE ID	CVSS	Researchers	Date
NextGEN Gallery <= 3.37 - Cross-Site Request Forgery	CVE-2023-48328	4.3	Vladislav Pokrovsky (ΞX.MI)	November 23, 2023
WordPress Gallery Plugin – NextGEN Gallery <= 3.38 - Authenticated (Admin+) Local File Inclusion	CVE-2023-3279	4.9	Alex Sanford	September 25, 2023
WordPress Gallery Plugin – NextGEN Gallery <= 3.38 - Authenticated (Admin+) PHAR Deserialization	CVE-2023-3154	7.2	Linwz	September 25, 2023
NextGEN Gallery <= 3.37 - Authenticated (Admininistrator+) Arbitrary File Read and Deletion in gallery_edit	CVE-2023-3155	6.5	Linwz	September 25, 2023
Freemius SDK <= 2.5.9 - Reflected Cross-Site Scripting via fs_request_get	CVE-2023-33999	6.1	Rafie Muhammad	July 18, 2023
NextGEN Gallery <= 3.28 - Cross-Site Request Forgery leading to Post Thumbnail Change	CVE-2022-38468	4.3	István Márton	February 14, 2023
WordPress Gallery Plugin – NextGEN Gallery <= 3.4.7 - Cross-Site Request Forgery	CVE-2020-35942	8.8	Ram	December 17, 2020
WordPress Gallery Plugin – NextGEN Gallery <= 3.4.7 - Cross-Site Request Forgery to Arbitrary File Upload	CVE-2020-35943	8.8	Ram	December 17, 2020
NextGEN Gallery <= 3.2.10 - SQL Injection	CVE-2019-14314	9.8	Tin Duong	August 27, 2019
Freemius SDK <= 2.2.3 - Missing Authorization to Arbitrary Options Update		8.8		February 25, 2019
NextGen Gallery <= 3.1.5 - PHP Object Injection		8.8	Slavco Mihajloski	February 4, 2019
WordPress Gallery Plugin – NextGEN Gallery <= 2.2.46 - Sensitive Information Disclosure	CVE-2018-7586	7.5		March 2, 2018
NextGEN Gallery <= 2.2.44 - Cross-Site Scripting via image alt and title text	CVE-2018-1000172	4.8	Zhouyuan Yang	February 14, 2018
NextGen Gallery <= 2.1.77 - SQL Injection		8.3	Slavco Mihajloski	February 17, 2017
NextGEN Gallery <= 2.1.56 - Authenticated Local File Inclusion & SQL injection	CVE-2016-10889	9.8		November 15, 2016
NextGen Gallery <= 2.1.56 - Remote File Inclusion	CVE-2016-6565	7.5	Mukhammad Khalilov	November 15, 2016
NextGen Gallery <= 2.1.10 - Unrestricted File Upload	CVE-2015-9228	8.8	Sathish Kumar	December 23, 2015
WordPress Gallery Plugin – NextGEN Gallery <= 2.1.15 - Authenticated (Admin+) Cross-Site Scripting	CVE-2015-9229	5.5	cybersecurityworks	September 14, 2015
NextGen Gallery <= 2.1.9 - Cross-Site Scripting	CVE-2015-9537	6.4	Sathish Kumar	August 31, 2015
NextGen Gallery <= 2.1.7 - Path Traversal		6.5	Sathish Kumar	August 28, 2015

All the threat data shared in this database is powered by Wordfence Intelligence Enterprise.
Interested in integrating this data into your platform or network?
Contact us now to discuss API access to our Wordfence Intelligence Enterprise Data Feeds.

Inquire Now

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation