CVE-2026-1463 - Vulnerability Analysis
Severity: High | CVSS: 8.8 | Last Updated: March 18, 2026
NextGEN Gallery - Local File Inclusion
Published: March 18, 2026 | Updated: March 18, 2026 | Remote Exploitable
Overview
NextGEN Gallery for WordPress, versions 4.0.3 and earlier, contains a local file inclusion vulnerability. The 'template' parameter of the plugin's gallery shortcodes is not properly validated before it is used to locate a template file (see the LegacyTemplateLocator.php references below), so an authenticated user with Author-level access or higher can make the plugin include, and therefore execute, arbitrary .php files on the server.
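To make the bug class concrete, here is an added PHP example (not code from NextGEN Gallery or from the referenced changeset): a miniature template locator in its vulnerable form beside a hardened one, run against constructed inputs in a temporary directory. The function names, directory layout and sample inputs are assumptions made for the demo; the plugin's real code is at the trac links below.

```php
<?php
// Added illustrative example: a miniature "legacy template locator" showing the
// CWE-98 pattern behind CVE-2026-1463 and one hardened replacement. This is NOT
// NextGEN Gallery's code; function names, the directory layout and the inputs
// are assumptions constructed for the demo.

// Vulnerable pattern: the shortcode's 'template' value is joined onto the
// template directory and handed to include with no validation, so a value such
// as "../uploads/evil" escapes the directory and any .php file the attacker can
// reach on disk gets executed.
function locate_template_vulnerable(string $template, string $template_dir): string
{
    return $template_dir . '/' . $template . '.php';
}

// Hardened pattern: accept only a plain file name, resolve the candidate with
// realpath() (which collapses ".." and symlinks) and require that it still
// lives inside the template directory.
function locate_template_hardened(string $template, string $template_dir): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $template)) {
        return null;                       // traversal, separators, NUL, etc.
    }
    $base      = realpath($template_dir);
    $candidate = realpath($template_dir . '/' . $template . '.php');
    if ($base === false || $candidate === false) {
        return null;                       // directory or file does not exist
    }
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                       // resolved outside the template dir
    }
    return $candidate;
}

// Constructed sandbox: a template directory with one legitimate template and an
// "uploads" directory holding a PHP file an attacker managed to place on disk.
$root = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
mkdir("$root/templates", 0700, true);
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/templates/gallery.php", "<?php echo \"legit gallery template\\n\";\n");
file_put_contents("$root/uploads/evil.php",      "<?php echo \"attacker-controlled file ran\\n\";\n");

$inputs = [
    'gallery',                 // legitimate shortcode value
    '../uploads/evil',         // traversal to a file the attacker controls
    '../../../../etc/passwd',  // traversal towards an arbitrary local file
];

foreach ($inputs as $template) {
    $vuln = locate_template_vulnerable($template, "$root/templates");
    $safe = locate_template_hardened($template, "$root/templates");
    printf("template=%-25s vulnerable->%s (exists: %s)  hardened->%s\n",
        var_export($template, true),
        $vuln,
        file_exists($vuln) ? 'yes' : 'no',
        $safe ?? 'REJECTED');
    // Only the hardened locator's result is ever passed to include.
    if ($safe !== null) {
        include $safe;
    }
}

// Clean up the sandbox.
unlink("$root/templates/gallery.php");
unlink("$root/uploads/evil.php");
rmdir("$root/templates");
rmdir("$root/uploads");
rmdir($root);
```

Run it with `php demo.php`. The vulnerable locator happily resolves `../uploads/evil` to an existing file outside the template directory, which an include would execute; the hardened locator rejects it at the name check. The realpath() comparison is kept as a second layer because it also catches symlinks and nonexistent files, and a fixed allowlist of known template names is stricter still when the set of templates is known in advance.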
Severity & Score
Severity: High
CVSS Score: 8.8
Impact
An authenticated Author-level (or higher) user can include arbitrary PHP files already present on the server's filesystem, which allows execution of attacker-chosen code, bypass of access controls and disclosure of sensitive data, up to full server compromise. Because this is a local file inclusion (CWE-98), running the attacker's own code additionally requires a file on the server whose contents the attacker can influence; any such file turns the flaw into remote code execution.
Mitigation
Update NextGEN Gallery to a version later than 4.0.3; the fix is the change to src/DisplayType/LegacyTemplateLocator.php referenced below. Until the update is applied, treat every Author-level or higher account as able to run code on the server, and review those accounts accordingly.
References
- https://plugins.trac.wordpress.org/changeset/3460327/nextgen-gallery/trunk/src/DisplayType/LegacyTemplateLocator.php?old=3423202&old_path=nextgen-gallery%2Ftrunk%2Fsrc%2FDisplayType%2FLegacyTemplateLocator.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/2d7bc556-cdaf-42a7-8801-ad2e4945a137?source=cve
- https://plugins.trac.wordpress.org/browser/nextgen-gallery/tags/4.0.3/src/DisplayType/Controller.php#L369
- https://plugins.trac.wordpress.org/browser/nextgen-gallery/tags/4.0.3/src/DisplayType/LegacyTemplateLocator.php#L140
Details
- CVE ID: CVE-2026-1463
- Severity: High
- CVSS Score: 8.8
- Type: file_inclusion
- Status: new
CWE
- CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Read as: reachable over the network, low attack complexity, low privileges required (an Author account), no user interaction, scope unchanged, and high impact on confidentiality, integrity and availability.