CVE-2016-6565: PHP Remote File Inclusion in Nextgen Gallery Plugin

Severity: 7.5 HIGH (NVD)
EPSS: 1.5% (top 18.74%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 13; Latest update May 13

Description

The Imagely NextGen Gallery plugin for WordPress prior to version 2.1.57 does not properly validate user input in the cssfile parameter of an HTTP POST request. This may allow an authenticated user to read arbitrary files from the server or, in some circumstances (dependent on server configuration), execute arbitrary code on the server.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.6 | Impact: 5.9

Affected Packages (2 packages)

CVEListV5: imagely/nextgen_gallery_plugin 2.1.57 2.1.57

Vulnerability Details (2)

GHSA (2022-05-13): GHSA-vhm5-wrvh-3x4h: The Imagely NextGen Gallery plugin for Wordpress prior to version 2
CVEList (2018-07-13): The Imagely NextGen Gallery plugin for Wordpress prior to version 2.1.57 may execute code from an uploaded malicious file