CVE-2025-13641 is a Local File Inclusion vulnerability categorized under CWE-98, affecting the NextGEN Gallery WordPress plugin, specifically versions up to and including 3.59.12. The vulnerability stems from insufficient validation of the 'template' shortcode parameter, which accepts absolute file paths without proper sanitization or restriction. Authenticated users with Contributor-level permissions or higher can exploit this flaw by supplying crafted input to the 'template' parameter, causing the plugin to include and execute arbitrary PHP files on the server. This inclusion bypasses typical web server restrictions such as .htaccess rules, enabling attackers to execute code within the WordPress environment. While the vulnerability itself is LFI, it can lead to remote code execution if combined with other vulnerabilities, such as arbitrary file upload flaws. The CVSS v3.1 score is 8.8 (high), reflecting the network attack vector, low attack complexity, required privileges (low), no user interaction, and high impact on confidentiality, integrity, and availability. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk due to the widespread use of NextGEN Gallery in WordPress sites and the potential for privilege escalation and full system compromise.

The impact of CVE-2025-13641 is substantial for organizations using the NextGEN Gallery plugin. Successful exploitation allows attackers with relatively low privileges (Contributor-level) to execute arbitrary PHP code, potentially leading to full site compromise, data theft, defacement, or pivoting to other parts of the network. Confidentiality is at risk due to possible information disclosure via included files. Integrity and availability can be severely affected through code execution, enabling attackers to modify site content, inject malicious payloads, or disrupt service. The ability to bypass .htaccess restrictions increases the attack surface and complicates mitigation. Organizations relying on WordPress for critical business functions or hosting sensitive data are particularly vulnerable. The widespread deployment of WordPress and popularity of NextGEN Gallery amplify the potential scale of impact globally.

To mitigate CVE-2025-13641, organizations should immediately update the NextGEN Gallery plugin to a version where this vulnerability is patched once available. Until a patch is released, restrict Contributor-level and higher permissions to trusted users only, minimizing the risk of exploitation. Implement Web Application Firewall (WAF) rules to detect and block attempts to exploit the 'template' shortcode parameter with suspicious absolute paths. Harden WordPress installations by disabling PHP execution in upload directories and restricting file inclusion paths via server configuration where possible. Conduct regular audits of user privileges and monitor logs for unusual shortcode usage patterns. Additionally, consider employing security plugins that can detect anomalous file inclusions or code execution attempts. Educate site administrators about the risks of granting Contributor or higher roles without strict controls. Finally, maintain regular backups to enable recovery in case of compromise.