WP Clinic
Log in Sign up

PLUGIN SECURITY

Is Nextgen Gallery safe?

Known vulnerabilities, PHP compatibility and safer alternatives for the Nextgen Gallery WordPress plugin — checked against WP Clinic's local security database.

Plugin details

  • Slug: nextgen-gallery
  • Requires PHP: 7.0+
  • Max supported PHP (analyzed): 8.4

Known vulnerabilities

  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 3.5.0 [CVE-2020-35942, WordPress NextGen Gallery plugin <= 3.4.7 - Cross-Site Request Forgery (CSRF) leading to XSS and RCE via file upload and LFI, WordPress Gallery Plugin – NextGEN Gallery <= 3.4.7 - Cross-Site Request Forgery, NextGen Gallery &lt; 3.5.0 - CSRF allows File Upload, Stored XSS, and RCE]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 3.5.0 [CVE-2020-35943, WordPress NextGen Gallery plugin <= 3.4.7 - Cross-Site Request Forgery (CSRF) vulnerability leading to file upload, WordPress Gallery Plugin – NextGEN Gallery <= 3.4.7 - Cross-Site Request Forgery to Arbitrary File Upload, NextGen Gallery &lt; 3.5.0 - CSRF allows File Upload]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] >= 1.9.10 - <= 1.9.11 [CVE-2013-0291, WordPress NextGEN Gallery Plugin - Path Disclosure Vulnerability, WordPress Gallery Plugin – NextGEN Gallery 1.9.10 - 1.9.11 - Full Path Disclosure, NextGEN Gallery 1.9.11 - Full Path Disclosure]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 1.9.13 [CVE-2013-3684, WordPress NextGEN Gallery - Arbitrary File Upload, WordPress Gallery Plugin – NextGEN Gallery <= 1.9.12 - Arbitrary File Upload, NextGEN Gallery 1.9.12 - Arbitrary File Upload]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 2.1.15 [CVE-2015-9538, NextGen Gallery <= 2.1.10 - Local File Inclusion, NextGen Gallery &lt; 2.1.15 - Path Traversal]
+ 61 more known vulnerabilities
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 2.1.10 [CVE-2015-9537, NextGen Gallery <= 2.1.9 - Cross-Site Scripting, NextGEN Gallery &lt; 2.1.10 - Multiple XSS]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 3.2.11 [CVE-2019-14314, WordPress Nextgen Gallery plugin <= 3.2.8 - SQL Injection vulnerability, NextGEN Gallery <= 3.2.10 - SQL Injection, Nextgen Gallery &lt; 3.2.11 - SQL Injection]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 2.1.57 [CVE-2016-10889, NextGEN Gallery <= 2.1.56 - Authenticated Local File Inclusion & SQL injection, NextGEN Gallery &lt;= 2.1.56 - Authenticated Local File Inclusion (LFI) &amp; SQLi]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 2.1.57 [CVE-2016-6565, NextGen Gallery <= 2.1.56 - Remote File Inclusion, EUVD-2016-7486]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 2.2.45 [CVE-2018-1000172, NextGEN Gallery <= 2.2.44 - Cross-Site Scripting via image alt and title text, NextGEN Gallery &lt;= 2.2.44 - Cross-Site Scripting (XSS)]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 2.2.50 [CVE-2018-7586, WordPress NextGEN Gallery plugin <=2.2.46 - Gallery Paths Not Secured, WordPress Gallery Plugin – NextGEN Gallery <= 2.2.46 - Sensitive Information Disclosure, NextGEN Gallery &lt;= 2.2.46 - Galley Paths Not Secured]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 2.1.15 [CVE-2015-9228, NextGen Gallery <= 2.1.10 - Unrestricted File Upload, NextGEN Gallery &lt; 2.1.15 - Unrestricted File Upload]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 2.1.23 [CVE-2015-9229, WordPress Gallery Plugin – NextGEN Gallery <= 2.1.15 - Authenticated (Admin+) Cross-Site Scripting]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 1.5.2 [CVE-2010-1186, WordPress NextGEN Gallery Plugin <= 1.5.1 - XSS Vulnerability, WordPress Gallery Plugin – NextGEN Gallery <= 1.5.1 - Cross-Site Scripting, NextGEN Gallery &lt;= 1.5.1 - Cross-Site Scripting (XSS)]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] <= 0.96 [CVE-2008-7175, WordPress NextGEN Gallery Plugin <= 0.96 - XSS, NextGEN Gallery Plugin <= 1.9.0 - Authenticated (Admin+) Stored Cross-Site Scripting]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 3.1.7 [WordPress NextGEN Gallery plugin <= 3.1.6 - Authenticated Option Update vulnerability (Fremius Library security issue)]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 2.1.60 [WordPress NextGEN Gallery plugin <= 2.1.59 - Authenticated Remote Code Execution (RCE) Vulnerability]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 2.1.9 [WordPress NextGEN Gallery Plugin <= 2.1.7 - Authenticated Path Traversal]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 2.0.66 [WordPress NextGEN Gallery Plugin <= 2.0.63 - Arbitrary File Upload]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 2.0.7 [WordPress NextGEN Gallery Plugin <= 2.0.0 - Directory Traversal]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 1.9.8 [WordPress NextGEN Gallery Plugin <= 1.9.7 - Cross Site Scripting]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 2.0.0 [WordPress NextGEN Gallery Plugin <= 1.9.11 - Full Path Disclosure]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 2.0.0 [WordPress NextGEN Gallery Plugin <= 1.9.5 - Stored XSS]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 1.9.1 [WordPress NextGEN Gallery Plugin <= 1.9.0 - Multiple XSS]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 1.8.4 [WordPress NextGEN Gallery Plugin <= 1.8.3 - Multiple Vulnerabilities]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 1.7.4 [WordPress NextGEN Gallery Plugin <= 1.7.3 - Full Path Disclosure]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 1.9.11 [WordPress NextGEN Gallery Plugin - Cross Site Scripting]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 2.0.1 [WordPress NextGEN Gallery Plugin - Directory Traversal]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 2.0.77.3 [CVE-2015-1784, WordPress Gallery Plugin – NextGEN Gallery < 2.0.77.3 - Cross-Site Request Forgery]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 2.0.77.3 [CVE-2015-1785, WordPress Gallery Plugin – NextGEN Gallery < 2.0.77.3 - Arbitrary File Upload, NextGEN Gallery &lt; 2.0.77.3 - CSRF &amp; Arbitrary File Upload]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 3.1.7 [Freemius Library &lt; 2.2.4 - Subscriber+ Arbitrary Option Update]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 3.1.7 [Freemius SDK <= 2.2.3 - Missing Authorization to Arbitrary Options Update]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 3.1.6 [NextGen Gallery <= 3.1.5 - PHP Object Injection]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 2.1.79 [NextGen Gallery <= 2.1.77 - SQL Injection]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 2.1.9 [NextGen Gallery <= 2.1.7 - Path Traversal]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 2.0.66 [NextGen Gallery <= 2.0.65 - Arbitrary File Upload]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 2.0.7 [NextGen Gallery <= 2.0 - Path Traversal]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 1.9.7 [CVE-2012-3414, SWFUpload <= 2.2.0.1 - Cross-Site Scripting, NextGen Gallery <= 1.9.7 - Cross-Site Scripting]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 3.29 [CVE-2022-38468, WordPress NextGEN Gallery Plugin <= 3.28 is vulnerable to Cross Site Request Forgery (CSRF), NextGEN Gallery <= 3.28 - Cross-Site Request Forgery leading to Post Thumbnail Change, NextGEN Gallery &lt; 3.29 - Thumbnail Deletion via CSRF]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 3.4.7 [CVE-2023-33999, WordPress NextGEN Gallery Plugin <= 3.3.6 is vulnerable to Cross Site Scripting (XSS), Freemius SDK &lt; 2.5.10 - Reflected Cross-Site Scripting]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 3.1.6 [NextGen Gallery &lt;= 3.1.5 - Authenticated PHP Object Injection]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 2.1.79 [NextGEN Gallery &lt; 2.1.79 - Unauthenticated SQL Injection]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 2.1.9 [NextGEN Gallery &lt; 2.1.9 - Authenticated Path Traversal]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 2.0.0 [NextGEN Gallery 1.9.5 - gallerypath Parameter Stored XSS]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 1.7.4 [NextGEN Gallery &lt;= 1.7.3 - xml/ajax.php Path Disclosure]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 1.9.8 [NextGEN Gallery - swfupload.swf Cross-Site Scripting (XSS)]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 1.8.4 [NextGEN Gallery &lt;= 1.8.3 - XXS &amp; CSRF]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 1.9.1 [NextGEN Gallery &lt;= 1.9.0 - Multiple Cross-Site Scripting (XSS)]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 2.0.7 [NextGEN Gallery 2.0.0 - Directory Traversal]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 2.0.66 [NextGEN Gallery &lt;= 2.0.63 - Arbitrary File Upload]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 3.39 [CVE-2023-3155, NextGEN Gallery <= 3.37 - Authenticated (Admininistrator+) Arbitrary File Read and Deletion in gallery_edit, WordPress NextGEN Gallery Plugin < 3.39 is vulnerable to Arbitrary File Deletion, NextGEN Gallery &lt; 3.39 - Admin+ Arbitrary File Read and Delete]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 3.39 [CVE-2023-3154, WordPress Gallery Plugin – NextGEN Gallery <= 3.38 - Authenticated (Admin+) PHAR Deserialization, WordPress NextGEN Gallery Plugin <= 3.39 is vulnerable to PHP Object Injection, NextGEN Gallery &lt; 3.39 - Admin+ PHAR Deserialization]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 3.39 [CVE-2023-3279, WordPress Gallery Plugin – NextGEN Gallery <= 3.38 - Authenticated (Admin+) Local File Inclusion, WordPress NextGEN Gallery Plugin < 3.39 is vulnerable to Local File Inclusion, NextGEN Gallery &lt; 3.39 - Admin+ Local File Inclusion]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 3.39 [CVE-2023-48328, WordPress NextGEN Gallery Plugin <= 3.37 is vulnerable to Cross Site Request Forgery (CSRF), NextGEN Gallery <= 3.37 - Cross-Site Request Forgery]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 3.59.1 [CVE-2024-3097, WordPress Gallery Plugin – NextGEN Gallery <= 3.59 - Missing Authorization to Unauthenticated Information Disclosure, WordPress NextGEN Gallery Plugin <= 3.59 is vulnerable to Broken Access Control]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 3.59.1 [CVE-2024-2744, Nextgen Gallery <= 3.59 - Authenticated (Administrator+) Stored Cross-Site Scripting, WordPress NextGEN Gallery Plugin < 3.59.1 is vulnerable to Cross Site Scripting (XSS)]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 3.59.3 [CVE-2024-5442, WordPress NextGEN Gallery Plugin < 3.59.3 is vulnerable to Cross Site Scripting (XSS), Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery <= 3.59.2 - Authenticated (Admin+) Stored Cross-Site Scripting via Gallery]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 3.59.4 [CVE-2024-39627, WordPress NextGEN Gallery Plugin <= 3.59.3 is vulnerable to Cross Site Scripting (XSS), NextGEN Gallery <= 3.59.3 - Authenticated (Administrator+) Stored Cross-Site Scripting]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 3.59.5 [CVE-2024-6393, NextGEN Gallery <= 3.39.4 - Authenticated (Administrator+) Stored Cross-Site Scripting, WordPress NextGEN Gallery Plugin < 3.59.5 is vulnerable to Cross Site Scripting (XSS)]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 3.59.5 [Multiple Plugins <= (Various Versions) - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via FancyBox JavaScript Library, Multiple Plugins <= (Various Versions) - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via FancyBox JavaScript Library, WordPress NextGEN Gallery Plugin <= 3.59.4 is vulnerable to Cross Site Scripting (XSS)]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 3.59.9 [CVE-2024-10545, Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery <= 3.59.8 - Authenticated (Admin+) Stored Cross-Site Scripting, EUVD-2025-4250]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 3.59.5 [Multiple Plugins <= (Various Versions) - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via SimpleLightbox JavaScript Library, Multiple Plugins <= (Various Versions) - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via SimpleLightbox JavaScript Library, EUVD-2024-54556]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 3.59.12 [Multiple Plugins <= (Various Versions) - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via ThickBox JavaScript Library, EUVD-2025-19861]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 4.0.0 [CVE-2025-13641, Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery <= 3.59.12 - Authenticated (Contributor+) Local File Inclusion via 'template']
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 4.0.5 [CVE-2026-1463, Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery <= 4.0.4 - Authenticated (Author+) Local File Inclusion]
  • Photo Gallery, Sliders, Proofing and Themes &#8211; NextGEN Gallery [nextgen-gallery] < 4.2.1 [CVE-2026-6566, Photo Gallery, Sliders, Proofing and Themes <= 4.2.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Image Deletion via REST API, EUVD-2026-31063]

Vulnerabilities are matched against the exact installed version when it's known. Always keep the plugin updated to the latest release.

Safer / more established alternatives

Check your own WordPress site

Run a free passive scan now, or create a free account and install the WP Clinic plugin for a deep scan of your whole hosting account and AI-assisted repair.