Plugin Vulnerability Hub
Plugin 36 known issues Latest disclosed Mar 17, 2026

Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery Vulnerabilities

Review known vulnerability records for the WordPress plugin Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery (`nextgen-gallery`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-1463, CVE-2025-13641 and CVE-2024-10545, so operators can jump from disclosure to patch validation without scanning the full feed first.

Known Records: 36
High or Critical: 18
Patch Coverage: 100%
Last Updated: Mar 18, 2026

Priority CVE Quick Links

Fast paths into Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs: 31

CVE-2019-14314 Critical 3.2.11
CVE-2019-14314 Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery SQL Injection

NextGEN Gallery <= 3.2.10 - SQL Injection

CVE-2016-10889 Critical 2.1.57
CVE-2016-10889 Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery Local File Inclusion

NextGEN Gallery <= 2.1.56 - Authenticated Local File Inclusion & SQL injection

CVE-2013-3684 Critical 1.9.13
CVE-2013-3684 Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery Arbitrary File Upload

WordPress Gallery Plugin – NextGEN Gallery <= 1.9.12 - Arbitrary File Upload

CVE-2026-1463 High 4.0.5
CVE-2026-1463 Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery Local File Inclusion

Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery <= 4.0.4 - Authenticated (Author+) Local File Inclusion

CVE-2025-13641 High 4.0.0
CVE-2025-13641 Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery Remote Code Execution

Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery <= 3.59.12 - Authenticated (Contributor+) Local File Inclusion via 'template'

CVE-2020-35943 High 3.5.0
CVE-2020-35943 Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery Arbitrary File Upload

WordPress Gallery Plugin – NextGEN Gallery <= 3.4.7 - Cross-Site Request Forgery to Arbitrary File Upload

CVE-2020-35942 High 3.5.0
CVE-2020-35942 Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery Remote Code Execution

WordPress Gallery Plugin – NextGEN Gallery <= 3.4.7 - Cross-Site Request Forgery

CVE-2015-9228 High 2.1.15
CVE-2015-9228 Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery File Upload

NextGen Gallery <= 2.1.10 - Unrestricted File Upload

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility: 36 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix: 3 critical and 15 high severity findings.
Recent CVEs: CVE-2026-1463, CVE-2025-13641 and CVE-2024-10545
Reference Workflow: Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Sorted by latest disclosure date so newly published issues surface first.

Plugin High Patched: Yes CVE-2026-1463
CVE-2026-1463: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery <= 4.0.4 - Authenticated (Author+) Local File Inclusion

The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.0.3 via the 'template' parameter in gallery shortcodes. This makes it possible for authenticated attackers, with Au...

Published: Mar 17, 2026
Patched Release: 4.0.5
Affected Versions: Versions up to 4.0.4
Next Step: Update to 4.0.5 or newer if supported.

Plugin High Patched: Yes CVE-2025-13641
CVE-2025-13641: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery <= 3.59.12 - Authenticated (Contributor+) Local File Inclusion via 'template'

The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.59.12 via the 'template' shortcode parameter. This is due to insufficient path validation that allows absolute path...

Published: Dec 17, 2025
Patched Release: 4.0.0
Affected Versions: Versions up to 3.59.12
Next Step: Update to 4.0.0 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-10545
CVE-2024-10545: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery <= 3.59.8 - Authenticated (Admin+) Stored Cross-Site Scripting

The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.59.8 due to insufficient input sanitization and output escaping. This makes it possible f...

Published: Feb 04, 2025
Patched Release: 3.59.9
Affected Versions: Versions up to 3.59.8
Next Step: Update to 3.59.9 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-6393
CVE-2024-6393: NextGEN Gallery <= 3.39.4 - Authenticated (Administrator+) Stored Cross-Site Scripting

The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.39.4 due to insufficient input sanitization and output escaping. This makes it possible f...

Published: Nov 04, 2024
Patched Release: 3.39.5
Affected Versions: Versions up to 3.39.4
Next Step: Update to 3.39.5 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-39627
CVE-2024-39627: NextGEN Gallery <= 3.59.3 - Authenticated (Administrator+) Stored Cross-Site Scripting

The NextGEN Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.59.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above...

Published: Jul 22, 2024
Patched Release: 3.59.4
Affected Versions: Versions up to 3.59.3
Next Step: Update to 3.59.4 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-5442
CVE-2024-5442: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery <= 3.59.2 - Authenticated (Admin+) Stored Cross-Site Scripting via Gallery

The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Gallery settings in all versions up to, and including, 3.59.2 due to insufficient input sanitization and output escaping. This makes it possible...

Published: Jun 22, 2024
Patched Release: 3.59.3
Affected Versions: Versions up to 3.59.2
Next Step: Update to 3.59.3 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-2744
CVE-2024-2744: Nextgen Gallery <= 3.59 - Authenticated (Administrator+) Stored Cross-Site Scripting

The NextGEN Gallery – Create an Amazing Photo Gallery in Seconds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.59 due to insufficient input sanitization and output escaping. This makes it possible for...

Published: Apr 26, 2024
Patched Release: 3.59.1
Affected Versions: Versions up to 3.59
Next Step: Update to 3.59.1 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-3097
CVE-2024-3097: WordPress Gallery Plugin – NextGEN Gallery <= 3.59 - Missing Authorization to Unauthenticated Information Disclosure

The WordPress Gallery Plugin – NextGEN Gallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_item function in versions up to, and including, 3.59. This makes it possible for unauthenticated attackers to extract sens...

Published: Apr 05, 2024
Patched Release: 3.59.1
Affected Versions: Versions up to 3.59
Next Step: Update to 3.59.1 or newer if supported.

Plugin Medium Patched: Yes CVE-2023-48328
CVE-2023-48328: NextGEN Gallery <= 3.37 - Cross-Site Request Forgery

The NextGEN Gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.37. This is due to missing or incorrect nonce validation on an unknown function. This makes it possible for unauthenticated attackers to dismiss notices via a...

Published: Nov 23, 2023
Patched Release: 3.39
Affected Versions: Versions up to 3.37
Next Step: Update to 3.39 or newer if supported.

Plugin High Patched: Yes CVE-2023-3154
CVE-2023-3154: WordPress Gallery Plugin – NextGEN Gallery <= 3.38 - Authenticated (Admin+) PHAR Deserialization

The WordPress Gallery Plugin – NextGEN Gallery plugin for WordPress is vulnerable to PHAR Deserialization in all versions up to, and including, 3.38 via deserialization of untrusted input in the gallery_edit function. This makes it possible for authenticated attackers, with admin...

Published: Sep 25, 2023
Patched Release: 3.39
Affected Versions: Versions up to 3.38
Next Step: Update to 3.39 or newer if supported.

Plugin Medium Patched: Yes CVE-2023-3155
CVE-2023-3155: NextGEN Gallery <= 3.37 - Authenticated (Administrator+) Arbitrary File Read and Deletion in gallery_edit

The NextGEN Gallery plugin for WordPress is vulnerable to Arbitrary File Read and Deletion in versions up to, and including, 3.37. This is due to insufficient input validation within the gallery_edit function. This makes it possible for authenticated attackers, with administrator...

Published: Sep 25, 2023
Patched Release: 3.39
Affected Versions: Versions up to 3.37
Next Step: Update to 3.39 or newer if supported.

Plugin Medium Patched: Yes CVE-2023-3279
CVE-2023-3279: WordPress Gallery Plugin – NextGEN Gallery <= 3.38 - Authenticated (Admin+) Local File Inclusion

The WordPress Gallery Plugin – NextGEN Gallery plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.38 via the 'Select View' field in the plugin's developer tools. This makes it possible for authenticated attackers, with administrator...

Published: Sep 25, 2023
Patched Release: 3.39
Affected Versions: Versions up to 3.38
Next Step: Update to 3.39 or newer if supported.