CVE-2025-13641: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in smub Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery
The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.59.12 via the 'template' shortcode parameter. This is due to insufficient path validation that allows absolute paths to be provided. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary PHP files on the server, bypassing web server restrictions like .htaccess. Successful exploitation could lead to information disclosure, code execution in the WordPress context, and potential remote code execution if combined with arbitrary file upload capabilities.
AI Analysis
Technical Summary
CVE-2025-13641 is a Local File Inclusion vulnerability classified under CWE-98 that affects the 'Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery' WordPress plugin developed by smub. The vulnerability exists in all plugin versions up to and including 3.59.12 and is triggered via the 'template' shortcode parameter. The root cause is insufficient validation of the input parameter, which allows attackers to specify absolute file paths. Authenticated users with Contributor-level privileges or higher can exploit this flaw to include arbitrary PHP files on the server. This inclusion bypasses web server restrictions such as .htaccess rules, enabling execution of malicious code within the WordPress environment. The impact ranges from information disclosure to code execution. While the vulnerability itself does not allow unauthenticated exploitation, it significantly raises the risk profile for sites where attackers have obtained contributor or higher access. Furthermore, if combined with other vulnerabilities like arbitrary file upload, attackers could achieve remote code execution, leading to full server compromise. The vulnerability has a CVSS 3.1 base score of 8.8, reflecting its high severity with network attack vector, low attack complexity, and no user interaction required. No public patches or known exploits have been reported at the time of publication, but the vulnerability is publicly disclosed and should be addressed promptly.
Potential Impact
For European organizations, this vulnerability poses a serious risk to WordPress-based websites using the NextGEN Gallery plugin. Exploitation can lead to unauthorized disclosure of sensitive data stored or processed by the website, including user information and internal configuration files. The ability to execute arbitrary PHP code within the WordPress context can allow attackers to manipulate website content, deface pages, or pivot to deeper network layers. In cases where arbitrary file upload vulnerabilities coexist, attackers could gain full remote code execution, potentially compromising the entire web server and connected infrastructure. This could disrupt business operations, damage reputation, and lead to regulatory non-compliance under GDPR due to data breaches. The requirement for authenticated access somewhat limits the attack surface but does not eliminate risk, as contributor-level accounts are common in collaborative environments. Given the widespread use of WordPress and the popularity of NextGEN Gallery, the vulnerability could affect a broad range of sectors including e-commerce, media, education, and government websites across Europe.
Mitigation Recommendations
European organizations should immediately audit their WordPress installations to identify the presence and version of the NextGEN Gallery plugin. If the plugin is installed and running a vulnerable version (up to 3.59.12), they should upgrade to the latest patched version as soon as it becomes available. In the absence of an official patch, organizations should consider temporarily disabling or removing the plugin to eliminate the attack vector. Additionally, review and restrict user roles and permissions to minimize the number of users with Contributor-level or higher access. Implement Web Application Firewalls (WAFs) with rules to detect and block attempts to exploit LFI via the 'template' shortcode parameter. Monitor logs for suspicious activity related to file inclusion attempts. Harden the WordPress environment by disabling PHP execution in upload directories and restricting file system permissions to limit the impact of potential exploitation. Regularly back up website data and test restoration procedures to ensure rapid recovery in case of compromise. Finally, educate site administrators and content contributors about the risks of privilege misuse and the importance of applying security updates promptly.
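The following PHP is an added illustration of the vulnerability class described in the Technical Summary (an include path taken from a shortcode attribute without confining it to the template directory) together with the kind of check a defender can run over post content or request bodies when following the monitoring advice above. It is not NextGEN Gallery's code and does not reproduce the plugin's internals: the `[ngg]` shortcode tag, the helper names, the template directory layout and all sample values are constructed for the demo. The hardened resolver goes slightly beyond the reported absolute-path case by also rejecting traversal and stream-wrapper values, since the same allow-list rule covers them.

```php
<?php
// Added illustration for CVE-2025-13641's vulnerability class (CWE-98).
// This is NOT NextGEN Gallery's code: the shortcode tag [ngg], the helper
// names and the template directory layout are assumptions for the demo.
declare(strict_types=1);

/**
 * Weak pattern (hypothetical): the 'template' attribute is used as the
 * include path as-is, so an absolute path escapes the intended template
 * directory and any web-server rule (e.g. .htaccess) that would have
 * blocked a direct request to that file.
 */
function resolve_template_weak(string $template, string $templateDir): string
{
    return $template === '' ? $templateDir . '/default.php' : $template;
}

/**
 * Hardened resolution: accept only a bare template name, map it onto the
 * template directory, and confirm the canonical path stays inside it.
 * Returns null when the value is rejected (caller should fall back and log).
 */
function resolve_template_safe(string $template, string $templateDir): ?string
{
    if ($template === '') {
        $template = 'default';
    }
    // Bare names only: no separators, traversal, null bytes or stream wrappers.
    if (!preg_match('/\A[A-Za-z0-9_-]+\z/', $template)) {
        return null;
    }
    $base = realpath($templateDir);
    $real = realpath($templateDir . '/' . $template . '.php');
    if ($base === false || $real === false) {
        return null;                       // directory or template missing
    }
    // The canonical path must sit strictly below the template directory.
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

/**
 * Detection aid for reviewing stored post content or request bodies:
 * returns every 'template=' attribute value that is not a plain name.
 */
function flag_template_attributes(string $content): array
{
    $flagged = [];
    if (preg_match_all('/\btemplate\s*=\s*(["\']?)([^"\'\]\s]+)\1/i', $content, $m)) {
        foreach ($m[2] as $value) {
            if (!preg_match('/\A[A-Za-z0-9_-]+\z/', $value)) {
                $flagged[] = $value;
            }
        }
    }
    return $flagged;
}

// --- Demo on constructed input (no real site data) ---------------------
$templateDir = sys_get_temp_dir() . '/ngg_template_demo';
@mkdir($templateDir, 0700);
file_put_contents($templateDir . '/compact.php', "<?php echo 'compact';\n");

$samples = [
    '[ngg template="compact"]',                    // benign bare name
    '[ngg template="/absolute/path/to/file.php"]', // absolute path (the reported pattern)
    '[ngg template="../../other.php"]',            // traversal, rejected by the same rule
];

foreach ($samples as $post) {
    $values = flag_template_attributes($post);
    printf("%-48s flagged=%s\n", $post, $values ? implode(',', $values) : 'none');
}

foreach (['compact', '/absolute/path/to/file.php'] as $t) {
    printf("%-30s weak=%s  safe=%s\n", $t,
        resolve_template_weak($t, $templateDir),
        resolve_template_safe($t, $templateDir) ?? 'REJECTED');
}
```

Because shortcode attributes arrive through post content that Contributor-level users can author, the validation has to live where the attribute is consumed (the shortcode handler), not at the HTTP boundary alone; a WAF rule on the literal string `template=` will miss content saved through other paths. The `flag_template_attributes` check is a heuristic suited to a save-time hook or a periodic sweep of `post_content`, and any hit from a low-privilege account is worth reviewing against the role audit recommended above.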
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-25T02:50:31.614Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6943cc484eb3efac36794b0f
Added to database: 12/18/2025, 9:41:28 AM
Last enriched: 12/25/2025, 10:42:18 AM
Last updated: 2/6/2026, 5:49:58 PM