vulnerability
WordPress Plugin: nextgen-gallery: CVE-2016-6565: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 6 | (AV:N/AC:M/Au:S/C:P/I:P/A:P) | Nov 15, 2016 | May 15, 2025 | May 4, 2026 |
Severity
6
CVSS
(AV:N/AC:M/Au:S/C:P/I:P/A:P)
Published
Nov 15, 2016
Added
May 15, 2025
Modified
May 4, 2026
Description
The Imagely NextGen Gallery plugin for Wordpress prior to version 2.1.57 does not properly validate user input in the cssfile parameter of a HTTP POST request, which may allow an authenticated user to read arbitrary files from the server, or execute arbitrary code on the server in some circumstances (dependent on server configuration).
Solution
nextgen-gallery-plugin-cve-2016-6565
References
- https://www.cve.org/CVERecord?id=CVE-2016-6565
- https://www.wordfence.com/threat-intel/vulnerabilities/id/f0de8ff3-ac03-4640-829d-66a8496aa8aa?source=api-prod
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2016-7486
- CVE-2016-6565
- https://attackerkb.com/topics/CVE-2016-6565
- CWE-98
- CWE-20
- EUVD-EUVD-2016-7486
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.