Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 14 records: 0 Critical, 4 High, 9 Medium, 1 Low.
CVE-2026-1463 - Nextgen Gallery Plugin

The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.0.3 via the 'template' parameter in gallery shortcodes. This makes it possible for authenticated attackers, with Author-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded…

HIGH, CVSS 8.8, 2026-03-18. Threat entry updated 2026-03-19.
CVE-2025-13641 - Nextgen Gallery Plugin

The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.59.12 via the 'template' shortcode parameter. This is due to insufficient path validation that allows absolute paths to be provided. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary PHP files on the server, bypassing web server restrictions like .htaccess. Successful exploitation could lead to information disclosure, code execution in the WordPress context, and potential remote…

HIGH, CVSS 8.8, 2025-12-18. Threat entry updated 2025-12-18.
CVE-2025-2537 - Nextgen Gallery Plugin

Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled ThickBox JavaScript library (version 3.1) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

MEDIUM, CVSS 6.4, 2025-07-03. Threat entry updated 2025-07-03.
CVE-2024-5878 - Nextgen Gallery Plugin

Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled SimpleLightbox JavaScript library (version 2.1.5) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

MEDIUM, CVSS 6.4, 2025-05-20. Threat entry updated 2025-05-21.
CVE-2024-10545 - Nextgen Gallery Plugin

The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery WordPress plugin before 3.59.9 does not sanitise and escape some of its Image settings, which could allow high-privilege users such as Admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

LOW, CVSS 3.5, 2025-02-25. Threat entry updated 2025-05-15.
CVE-2024-6393 - Nextgen Gallery Plugin

The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery WordPress plugin before 3.59.5 does not sanitise and escape some of its Images settings, which could allow high-privilege users such as Admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

MEDIUM, CVSS 4.8, 2024-11-25. Threat entry updated 2025-05-15.
CVE-2024-5442 - Nextgen Gallery Plugin

The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery WordPress plugin before 3.59.3 does not sanitise and escape some of its settings, which could allow high-privilege users such as Admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

MEDIUM, CVSS 5.9, 2024-07-13. Threat entry updated 2025-05-13.
CVE-2024-2744 - Nextgen Gallery Plugin

The NextGEN Gallery WordPress plugin before 3.59.1 does not sanitise and escape some of its settings, which could allow high-privilege users such as Admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

MEDIUM, CVSS 4.3, 2024-05-17. Threat entry updated 2025-05-21.
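The four "does not sanitise and escape some of its settings" entries above (CVE-2024-2744, CVE-2024-5442, CVE-2024-6393, CVE-2024-10545) share one shape: a value saved from an admin settings form is later printed into markup unchanged, and the saving user may be an administrator who does not hold unfiltered_html (multisite, or DISALLOW_UNFILTERED_HTML). The following is an added example, not code from NextGEN Gallery or Imagely, showing the two independent defences a practitioner would expect: sanitise on save according to the saving user's capabilities, and escape or filter on output regardless. It is plain PHP so it runs stand-alone; the WordPress functions it stands in for are named in the comments. The field names, tag allowlist and markup are assumptions.

```php
<?php
// Added example, not code from NextGEN Gallery or Imagely. Field names, the tag
// allowlist and the rendered markup are assumptions.

const TEXT_FIELDS   = ['alt_text', 'title'];   // plain text only
const MARKUP_FIELDS = ['caption'];             // limited inline markup allowed
const ALLOWED_TAGS  = '<b><i><em><strong><br>';

// Stand-alone stand-in for wp_kses_post(): keep only allowlisted tags and drop every
// attribute, so <b onmouseover=...> becomes <b>. (wp_kses keeps a per-tag attribute
// allowlist instead; dropping all attributes is the simplest safe equivalent here.)
function kses_lite(string $html): string {
    $html = strip_tags($html, ALLOWED_TAGS);
    return preg_replace('#<(/?)([a-z]+)\b[^>]*>#i', '<$1$2>', $html);
}

// Stand-in for sanitize_text_field(): no tags, no NUL or control characters, trimmed.
function text_field_lite(string $s): string {
    $s = strip_tags(str_replace("\0", '', $s));
    return trim(preg_replace('/[\x00-\x1F\x7F]+/', ' ', $s));
}

// Stand-in for esc_attr() / esc_html().
function esc_lite(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Save path. In WordPress this is the register_setting() sanitize_callback and the
// capability test is current_user_can('unfiltered_html'). The advisories' point is
// that an administrator on multisite, or with DISALLOW_UNFILTERED_HTML set, does NOT
// hold that capability, so the plugin must not store raw markup for them just
// because they are administrators.
function sanitize_gallery_settings(array $input, bool $canUnfilteredHtml): array {
    $clean = [];
    foreach (TEXT_FIELDS as $f) {
        $clean[$f] = text_field_lite((string) ($input[$f] ?? ''));
    }
    foreach (MARKUP_FIELDS as $f) {
        $v = (string) ($input[$f] ?? '');
        $clean[$f] = $canUnfilteredHtml ? $v : kses_lite($v);
    }
    return $clean;
}

// Output path, vulnerable shape: stored values interpolated into markup as-is.
function render_image_vulnerable(array $s): string {
    return '<img src="/wp-content/gallery/cat.jpg" alt="' . $s['alt_text'] . '" title="' . $s['title'] . '">'
         . '<p>' . $s['caption'] . '</p>';
}

// Output path, hardened: attributes escaped, markup field re-filtered. This holds
// even if a value reached the database unsanitised (old rows, direct DB edits,
// another plugin writing the same option).
function render_image_hardened(array $s): string {
    return '<img src="/wp-content/gallery/cat.jpg" alt="' . esc_lite($s['alt_text']) . '" title="' . esc_lite($s['title']) . '">'
         . '<p>' . kses_lite($s['caption']) . '</p>';
}

if (PHP_SAPI === 'cli') {
    // Constructed payload submitted by an admin who lacks unfiltered_html (multisite).
    $input = [
        'alt_text' => '"><img src=x onerror=alert(document.domain)>',
        'title'    => 'Cat',
        'caption'  => 'A <b onmouseover="alert(1)">cat</b> <script>alert(2)</script>',
    ];
    echo "stored raw, rendered raw:\n", render_image_vulnerable($input), "\n\n";
    $clean = sanitize_gallery_settings($input, false);
    echo "sanitised on save, escaped on output:\n", render_image_hardened($clean), "\n";
}
```

Run it with `php settings_xss.php`: the first render emits the attacker's `<img onerror>` and `<script>` intact, the second emits `alt="&quot;&gt;"` and `<p>A <b>cat</b> alert(2)</p>`. The point of keeping the output-side filter even after sanitising on save is that it is the defence that still holds when the save path is bypassed, which is what a missing `sanitize_callback` on one settings field amounts to.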
CVE-2024-3097 - Nextgen Gallery Plugin

The WordPress Gallery Plugin – NextGEN Gallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_item function in versions up to, and including, 3.59. This makes it possible for unauthenticated attackers to extract sensitive data including EXIF and other metadata of any image uploaded through the plugin.

MEDIUM, CVSS 5.3, 2024-04-09. Threat entry updated 2024-11-21.
CVE-2023-48328 - Nextgen Gallery Plugin

A Cross-Site Request Forgery (CSRF) vulnerability in Imagely's WordPress Gallery Plugin – NextGEN Gallery allows an attacker to have requests performed on behalf of an authenticated user. This issue affects WordPress Gallery Plugin – NextGEN Gallery: from n/a through 3.37.

MEDIUM, CVSS 4.3, 2023-11-30. Threat entry updated 2024-11-21.
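CVE-2024-3097 (no capability check on get_item, so anyone can read EXIF metadata) and CVE-2023-48328 (CSRF) are the two halves of the same handler check: who is asking, and did the request come from the plugin's own UI. The following is an added example, not code from NextGEN Gallery or Imagely, of an AJAX-style handler that does both. The nonce scheme is a simplified model of WordPress's wp_create_nonce()/wp_verify_nonce() (HMAC over a 12-hour tick, the action, the user id and the session token) so the file runs without WordPress; inside a plugin use those functions together with current_user_can() and check_ajax_referer(). The class, function, capability and action names, the image table and the secret are all assumptions; it needs PHP 8.0 or later.

```php
<?php
// Added example, not code from NextGEN Gallery or Imagely. All names below are
// assumptions; the nonce scheme is a model of WordPress's, not the real one.

final class User {
    public function __construct(public int $id, public array $caps, public string $sessionToken) {}
    public function can(string $cap): bool { return in_array($cap, $this->caps, true); }
}

const NONCE_SECRET = 'constructed-demo-secret-not-for-production';
const NONCE_LIFE   = 12 * 3600;   // WordPress rotates its tick every 12 hours

function nonce_tick(int $now): int { return (int) ceil($now / (NONCE_LIFE / 2)); }

function nonce_for_tick(int $tick, string $action, User $u): string {
    return substr(hash_hmac('sha256', "$tick|$action|{$u->id}|{$u->sessionToken}", NONCE_SECRET), -12);
}

function create_nonce(string $action, User $u, int $now): string {
    return nonce_for_tick(nonce_tick($now), $action, $u);
}

// Like WordPress, accept the current tick and the previous one (valid 12 to 24 h).
function verify_nonce(string $nonce, string $action, User $u, int $now): bool {
    $tick = nonce_tick($now);
    return hash_equals(nonce_for_tick($tick, $action, $u), $nonce)
        || hash_equals(nonce_for_tick($tick - 1, $action, $u), $nonce);
}

// Constructed stand-in for the plugin's image table.
const IMAGES = [
    7 => ['filename' => 'cat.jpg', 'exif' => ['GPSLatitude' => '51.5074', 'Make' => 'Canon']],
];

// VULNERABLE (the CVE-2024-3097 shape): no login, capability or nonce check, so
// anyone on the internet can pull EXIF metadata, GPS coordinates included, for any
// image id, and a forged cross-site request succeeds the same way.
function get_item_vulnerable(array $request): array {
    $id = (int) ($request['id'] ?? 0);
    return IMAGES[$id] ?? ['error' => 'not found'];
}

// HARDENED: authenticate, authorise, then verify intent, and only then touch data.
// The order is deliberate: the nonce is bound to the user, so it is meaningless for
// an anonymous caller, and the cheap capability test runs before the HMAC.
function get_item_hardened(array $request, ?User $user, int $now): array {
    if ($user === null) {
        return ['error' => 'unauthenticated', 'status' => 401];
    }
    if (!$user->can('edit_posts')) {        // whichever capability the plugin deems appropriate (assumed)
        return ['error' => 'forbidden', 'status' => 403];
    }
    if (!verify_nonce((string) ($request['_wpnonce'] ?? ''), 'ngg_get_item', $user, $now)) {
        return ['error' => 'bad nonce', 'status' => 403];   // request did not originate from our UI
    }
    $id = (int) ($request['id'] ?? 0);
    return IMAGES[$id] ?? ['error' => 'not found', 'status' => 404];
}

if (PHP_SAPI === 'cli') {
    $now    = time();
    $author = new User(3, ['edit_posts'], 'sess-abc');
    $nonce  = create_nonce('ngg_get_item', $author, $now);
    var_dump(get_item_vulnerable(['id' => 7]));                                     // leaks EXIF to anyone
    var_dump(get_item_hardened(['id' => 7], null, $now));                            // 401
    var_dump(get_item_hardened(['id' => 7], $author, $now));                         // 403: logged in, but no nonce (CSRF shape)
    var_dump(get_item_hardened(['id' => 7, '_wpnonce' => $nonce], $author, $now));   // the item
}
```

The third call is the CSRF case: a logged-in author's browser is made to send the request by a third-party page, which can set `id` but cannot know the nonce, so the handler refuses. Note that a nonce alone would not have fixed CVE-2024-3097, and a capability check alone would not have fixed CVE-2023-48328; the two checks answer different questions.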
CVE-2023-3154 - Nextgen Gallery Plugin

The WordPress Gallery Plugin – NextGEN Gallery WordPress plugin before 3.39 is vulnerable to PHAR Deserialization due to a lack of input parameter validation in the `gallery_edit` function, allowing an attacker to access arbitrary resources on the server.

HIGH, CVSS 7.5, 2023-10-16. Threat entry updated 2024-11-21.
CVE-2023-3155 - Nextgen Gallery Plugin

The WordPress Gallery Plugin – NextGEN Gallery WordPress plugin before 3.39 is vulnerable to Arbitrary File Read and Delete due to a lack of input parameter validation in the `gallery_edit` function, allowing an attacker to access arbitrary resources on the server.

HIGH, CVSS 7.2, 2023-10-16. Threat entry updated 2025-04-23.
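Both `gallery_edit` entries (CVE-2023-3154, PHAR deserialization; CVE-2023-3155, arbitrary file read and delete) come from handing a user-supplied path to PHP filesystem functions without validation. The two bugs are worth treating together because of a PHP-specific detail: `file_exists()`, `is_file()`, `unlink()` and friends accept stream wrappers, and a `phar://` path makes PHP open the archive and unserialize its metadata before anything else happens, so the "check that the file exists" call is itself the deserialization sink. The following is an added example, not code from NextGEN Gallery or Imagely, of a resolver that rejects wrappers, NUL bytes and absolute paths as plain strings first, and only then resolves and confines the path under the gallery directory. Function names and the directory layout are assumptions.

```php
<?php
// Added example, not code from NextGEN Gallery or Imagely. Function names and the
// gallery base directory are assumptions.

/**
 * Return the resolved path if $userPath names an existing regular file under
 * $baseDir, or null if it must be rejected. Order matters: the string checks run
 * before realpath()/is_file(), because those functions given a "phar://" path open
 * the archive and unserialize its metadata, which is the PHAR deserialization step.
 */
function resolve_gallery_file(string $userPath, string $baseDir): ?string {
    // 1. No NUL bytes: they truncate the path in the underlying C calls.
    if ($userPath === '' || strpos($userPath, "\0") !== false) {
        return null;
    }
    // 2. No stream wrapper: anything shaped like "scheme://" is refused outright,
    //    which covers phar://, php://, data://, file://, glob://, ftp:// and so on.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $userPath)) {
        return null;
    }
    // 3. Relative names only. The base directory comes from the plugin, never from
    //    the request, so an absolute path from the client has no legitimate use.
    if ($userPath[0] === '/' || $userPath[0] === '\\' || preg_match('#^[A-Za-z]:#', $userPath)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // 4. Resolve and confine: realpath() collapses "../" and symlinks, so the only
    //    thing left to check is that the result is still inside $base.
    $real = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($real === false || !is_file($real)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Typical use inside an edit handler: read or delete only what the resolver returned.
function gallery_read_image(string $userPath, string $baseDir): ?string {
    $path = resolve_gallery_file($userPath, $baseDir);
    return $path === null ? null : file_get_contents($path);
}

function gallery_delete_image(string $userPath, string $baseDir): bool {
    $path = resolve_gallery_file($userPath, $baseDir);
    return $path !== null && unlink($path);
}

// Demonstration against a constructed gallery directory in the system temp dir.
if (PHP_SAPI === 'cli') {
    $base = sys_get_temp_dir() . '/ngg-demo-gallery';
    @mkdir($base . '/albums', 0700, true);
    file_put_contents($base . '/albums/cat.jpg', 'not really a jpeg');
    $inputs = [
        'albums/cat.jpg',                   // legitimate
        'albums/../albums/cat.jpg',         // legitimate after normalisation
        '../../../../etc/passwd',           // traversal: the arbitrary-read shape
        '/etc/passwd',                      // absolute path
        'phar:///tmp/evil.phar/x.jpg',      // wrapper: would trigger unserialize() inside is_file()
        "albums/cat.jpg\0.png",             // NUL byte
    ];
    foreach ($inputs as $in) {
        printf("%-35s -> %s\n", addcslashes($in, "\0"), resolve_gallery_file($in, $base) ?? 'REJECTED');
    }
    var_dump(gallery_delete_image('albums/cat.jpg', $base)); // true, and only this file is touched
}
```

The wrapper check is the part that is easy to get wrong: a resolver that starts with `realpath()` or `file_exists()` has already lost on PHAR, because the deserialization happens inside that call regardless of what the code does with the return value. Keeping the rejection as a pure string comparison, before any filesystem function, is what closes CVE-2023-3154; the prefix check after `realpath()` is what closes CVE-2023-3155.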
CVE-2023-3279 - Nextgen Gallery Plugin

The WordPress Gallery Plugin – NextGEN Gallery WordPress plugin before 3.39 does not validate some block attributes before using them to generate paths passed to include functions, allowing Admin users to perform LFI attacks.

MEDIUM, CVSS 4.9, 2023-10-16. Threat entry updated 2025-04-23.
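Three entries on this page are the same bug class reached through different inputs: the 'template' shortcode parameter (CVE-2026-1463, CVE-2025-13641) and block attributes (CVE-2023-3279) each end up as a string handed to `include()`. CVE-2025-13641's description names the specific failure, path validation that still accepts an absolute path, and CVE-2026-1463 shows why a fix that only blocks some path shapes is not enough. The following is an added example, not code from NextGEN Gallery or Imagely, contrasting the vulnerable include-by-path pattern with an allowlisted include-by-name resolver that never lets any part of the request reach `include()`. Function names and the template directory layout are assumptions.

```php
<?php
// Added example, not code from NextGEN Gallery or Imagely. Function names and the
// template directory layout are assumptions.

// VULNERABLE: the attribute is joined onto a base path with no validation. include()
// takes an absolute path as-is ("/var/www/html/wp-content/uploads/2026/03/shell.php",
// the "allows absolute paths" problem of CVE-2025-13641) or a traversal string, so any
// .php an Author or Contributor managed to upload runs with WordPress's privileges.
function render_gallery_vulnerable(array $atts, string $templateDir): void {
    $template = $atts['template'] ?? 'default';
    include $templateDir . '/' . $template . '.php';
}

// HARDENED: treat the attribute as a name, not a path. Reduce it to a basename,
// accept only a conservative character set, then check it against the names of the
// files that actually ship in the template directory. The string that reaches
// include() is rebuilt from the validated name, so no separator, wrapper prefix,
// NUL byte or ".." from the request survives.
function resolve_gallery_template(string $requested, string $templateDir): ?string {
    $name = basename(str_replace('\\', '/', $requested)); // drop any directory part
    $name = preg_replace('/\.php$/i', '', $name);          // accept "foo" or "foo.php"
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name)) {
        return null;
    }
    $shipped = array_map(
        static fn(string $p): string => basename($p, '.php'),
        glob($templateDir . '/*.php') ?: []
    );
    if (!in_array($name, $shipped, true)) {
        return null; // not a known template: refuse rather than guess
    }
    return $templateDir . '/' . $name . '.php';
}

function render_gallery_hardened(array $atts, string $templateDir): void {
    $path = resolve_gallery_template((string) ($atts['template'] ?? 'default'), $templateDir);
    if ($path === null) {
        echo '<!-- unknown gallery template -->';
        return;
    }
    include $path;
}

// Demonstration on constructed inputs against a temporary template directory.
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . '/ngg-demo-templates';
    @mkdir($dir, 0700, true);
    file_put_contents($dir . '/default.php', "<?php echo 'default template rendered';\n");
    $inputs = [
        'default',                                              // legitimate
        'default.php',                                          // legitimate, with extension
        '/var/www/html/wp-content/uploads/2026/03/shell.php',   // absolute path
        '../../../uploads/2026/03/shell',                       // traversal
        'phar://../uploads/evil.phar/t',                        // wrapper prefix
        "default.php\0.txt",                                    // NUL byte
    ];
    foreach ($inputs as $in) {
        printf("%-55s -> %s\n", addcslashes($in, "\0"), resolve_gallery_template($in, $dir) ?? 'REJECTED');
    }
    render_gallery_hardened(['template' => 'default'], $dir);
    echo "\n";
}
```

The allowlist is derived from the directory the plugin ships, not from the request, which is why the resolver does not need a traversal blacklist at all: an input that is not exactly one of the shipped names is refused, whatever it contains. This is also the reason to prefer it over a "strip `../` and reject leading `/`" style fix; the CVE-2026-1463 entry following the CVE-2025-13641 fix is the usual outcome of filtering by denylist.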
CVE-2021-24293 - Nextgen Gallery Plugin

In the eCommerce module of the NextGEN Gallery Pro WordPress plugin before 3.1.11, the get_cart_items action can be called via photocrati_ajax, and the settings[shipping_address][name] parameter it receives can then be used to inject malicious JavaScript.

MEDIUM, CVSS 6.1, 2021-05-05. Threat entry updated 2024-11-21.