CVE-2026-1463 is a Local File Inclusion vulnerability identified in the NextGEN Gallery plugin for WordPress, specifically affecting all versions up to and including 4.0.3. The vulnerability arises from improper control of the filename used in the PHP include/require statement, classified under CWE-98. The flaw is triggered via the 'template' parameter in gallery shortcodes, which does not properly validate or sanitize input. Authenticated attackers with Author-level access or higher can exploit this to include arbitrary PHP files from the server. If an attacker can upload PHP files (e.g., via other plugin vulnerabilities or upload features), they can execute arbitrary code remotely, leading to full server compromise. The vulnerability does not require user interaction beyond authentication and has a low attack complexity. The CVSS 3.1 score is 8.8 (high), reflecting the network attack vector, low complexity, privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. No official patches have been linked yet, and no known exploits are reported in the wild, but the risk is substantial given the plugin's widespread use in WordPress sites.

The impact of this vulnerability is severe for organizations using the NextGEN Gallery plugin. Exploitation can lead to remote code execution on the web server, allowing attackers to bypass access controls, steal sensitive data, modify website content, or deploy malware. This can result in website defacement, data breaches, loss of customer trust, and potential lateral movement within the hosting environment. Given WordPress's popularity and the widespread use of NextGEN Gallery for photo galleries, many websites globally are at risk. Attackers with Author-level access, which is a relatively low privilege level in WordPress, can leverage this flaw, increasing the attack surface. The vulnerability could also be chained with other vulnerabilities (e.g., file upload flaws) to escalate privileges and fully compromise affected systems.

Organizations should immediately upgrade the NextGEN Gallery plugin to a version that addresses this vulnerability once available. Until a patch is released, administrators should restrict Author-level user capabilities to trusted users only and consider temporarily disabling or removing the plugin if feasible. Implementing Web Application Firewall (WAF) rules to detect and block suspicious requests targeting the 'template' parameter can reduce exploitation risk. Additionally, hardening file upload mechanisms to prevent uploading executable PHP files and restricting PHP execution in upload directories can mitigate the impact. Regularly auditing user roles and permissions to minimize unnecessary Author or higher privileges is critical. Monitoring logs for unusual access patterns related to gallery shortcodes or file inclusions is recommended to detect potential exploitation attempts early.