
Multiple Cross Site Scripting (XSS) in NextGen Gallery

Affected Vendor

NextGen

Status

Fixed

Date

Aug 31, 2015

High Severity

Description

Multiple XSS vulnerabilities were identified in the WordPress NextGen Gallery plugin before version 2.1.10, involving the thumbnail_width, thumbnail_height, thumbwidth, thumbheight, wmXpos, wmYpos, and template parameters.

Proof of concept (PoC)

Visit the following page on a site with the plugin installed: http://wordpresssite.com/wordpress/wp-admin/admin.php?page=nggallery-manage-gallery&mode=edit&gid=1&paged=1. In NextGEN Gallery Photocrati Version 2.1.10, set the value of the path variable to the payload ’></script><script>alert(document.cookie);</script> and save it. The stored XSS payload is then executed whenever a user views the page.

Note: the XSS payload was tested against the application after the unfiltered HTML setting had been configured in the wp-config.php file.

Figure 01: HTTP Request & response for the vulnerable variable photocrati-nextgen_basic_thumbnails[thumbnail_width]

Figure 02: HTTP Request & response for the vulnerable variable thumbnail_settings[thumbwidth]

Figure 03: XSS response executed in the browser


Impact

An attacker can inject script into a managed gallery page by supplying an XSS payload as the value of one of the vulnerable parameters; the payload then executes in the browser of any user who views that page.

Remediations

Update to the latest version of the NextGen Gallery plugin and apply the patch as described in the vendor advisory.
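As an added defensive example (not the plugin's code and independent of WordPress), the following Python checks a submitted settings body for the parameters named in the advisory and shows the server-side type coercion that neutralizes the payload above. The parameter names and request body are constructed from the figure captions and the PoC, not captured from the page.

```python
import html
import re
from urllib.parse import parse_qs, quote

# Settings named in the advisory: pixel sizes and watermark offsets must be
# integers, and "template" must be a plain template identifier.
NUMERIC_SETTINGS = {"thumbnail_width", "thumbnail_height", "thumbwidth",
                    "thumbheight", "wmXpos", "wmYpos"}
INT_RE = re.compile(r"-?\d+")
TEMPLATE_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")

# Constructed request body (not captured from the page): the advisory's
# payload sent in two of the parameter names shown in Figures 01 and 02.
PAYLOAD = "'></script><script>alert(document.cookie);</script>"
SAMPLE_BODY = ("photocrati-nextgen_basic_thumbnails[thumbnail_width]="
               + quote(PAYLOAD) + "&thumbnail_settings[thumbwidth]=120"
               + "&template=" + quote(PAYLOAD))

def leaf_name(param: str) -> str:
    """Innermost key of a PHP-style nested name, e.g. a[b][c] -> c."""
    if param.endswith("]") and "[" in param:
        return param[param.rfind("[") + 1:-1]
    return param

def find_bad_values(body: str) -> list:
    """Detection: list (param, value, reason) for values that do not fit
    the type the setting requires. An empty list means the body is clean."""
    findings = []
    for param, values in parse_qs(body, keep_blank_values=True).items():
        key = leaf_name(param)
        for value in values:
            if key in NUMERIC_SETTINGS and not INT_RE.fullmatch(value):
                findings.append((param, value, "expected integer"))
            elif key == "template" and not TEMPLATE_RE.fullmatch(value):
                findings.append((param, value, "expected template identifier"))
    return findings

def sanitize(body: str) -> dict:
    """Mitigation: coerce each setting to its type before it is stored.
    Integers become int (non-numeric -> 0), template falls back to
    'default', and anything else is HTML-escaped for safe output."""
    clean = {}
    for param, values in parse_qs(body, keep_blank_values=True).items():
        key, value = leaf_name(param), values[-1]
        if key in NUMERIC_SETTINGS:
            clean[param] = int(value) if INT_RE.fullmatch(value) else 0
        elif key == "template":
            clean[param] = value if TEMPLATE_RE.fullmatch(value) else "default"
        else:
            clean[param] = html.escape(value, quote=True)
    return clean
```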

Timeline

Aug 31, 2015: Discovered in NextGen Gallery version 2.1.7.

Aug 31, 2015: Reported to WP Plugin.

Sep 01, 2015: Fixed in NextGen Gallery version 2.1.10.

Discovered by

Cyber Security Works Pvt. Ltd.


  • Affected Vendor: NextGen
  • Bug Name: Multiple Cross Site Scripting (XSS)
  • CVE Number: CVE-2015-9537
  • CWE ID: CWE-79
  • CSW ID: 2015-CSW-08-1002
  • CVSSv3 Score: 5.4
  • Affected Version: 2.1.7
  • Severity: High
  • Affected Product: NextGen Gallery
