Hong Kong Security Alert: XSS in NextGEN Gallery (CVE-2025-2537)

Cross Site Scripting (XSS) in WordPress NextGEN Gallery Plugin

NextGEN Gallery (<= 3.59.11) DOM-based Stored XSS (CVE-2025-2537) — What it Means and How to Protect Your WordPress Site

Author: Hong Kong Security Expert  |  Date: 2026-01-30  |  Tags: WordPress Security, NextGEN Gallery, XSS, Incident Response
  • Plugin Name: NextGEN Gallery
  • Type of Vulnerability: Cross-Site Scripting (XSS)
  • CVE Number: CVE-2025-2537
  • Urgency: Low
  • CVE Publish Date: 2026-01-30
  • Source URL: CVE-2025-2537

TL;DR

On 30 January 2026 a DOM-based stored Cross‑Site Scripting (XSS) issue affecting NextGEN Gallery versions <= 3.59.11 (CVE‑2025‑2537) was disclosed by researcher Webbernaut and fixed in 3.59.12. A malicious contributor account can persist payloads in gallery metadata that are later interpreted unsafely by client-side ThickBox code, leading to script execution in visitors’ browsers — including editors or administrators who interact with gallery items. The CVSS is 6.5. Exploitation requires an authenticated contributor account and user interaction, but real risk exists for multi-author, membership, and community sites that accept uploads from untrusted users.

If you run NextGEN Gallery, update to 3.59.12 immediately. If you cannot update right away, apply the mitigations described below (hardening, virtual patching via your WAF, detection and incident response) to reduce risk.

Why this matters (in plain English)

NextGEN Gallery is widely used. The issue arises because contributor-supplied metadata is stored and later used as input to the ThickBox lightbox script. ThickBox processes content in ways that can execute dynamic HTML/JS if that content is not properly escaped. An attacker with Contributor privileges can inject persistent payloads into gallery fields; when a higher‑privileged user or any visitor triggers the vulnerable display, the payload executes in their browser.

Consequences: session theft, account takeover, persistent spam or redirection, client‑side malware, or abuse of admin sessions to change site content. On collaborative Hong Kong sites or regional community portals where contributors are common, this is a realistic threat.

Technical summary

  • Vulnerability type: Stored DOM‑based Cross‑Site Scripting (XSS)
  • Affected software: NextGEN Gallery plugin for WordPress
  • Affected versions: <= 3.59.11
  • Fixed in: 3.59.12
  • CVE: CVE‑2025‑2537
  • Required privilege: Contributor (authenticated)
  • CVSS (informational): 6.5 (User Interaction required)

How it works (conceptually)

  • A Contributor can add/edit gallery metadata (title, description, link fields).
  • The plugin stores that metadata in the database.
  • When the gallery is rendered, plugin or ThickBox code constructs DOM fragments or attributes using stored data without sufficient context-aware escaping.
  • When a visitor or admin interacts with the gallery UI, ThickBox processes the fragments and the browser may execute attacker-supplied HTML/JS — making this a persistent, DOM-based stored XSS.

Note: DOM-based XSS commonly involves APIs such as innerHTML, document.write, or constructing HTML strings with event handlers. The 3.59.12 fix addresses unsafe client-side usage and/or sanitizes values before injection.
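The concatenation pattern described above, rebuilt as an added example that is not NextGEN Gallery's or ThickBox's own code: stored metadata pasted into an HTML string unescaped, beside a version that escapes each value for the context it lands in and allow-lists the link scheme. The caption, link and function names are constructed for illustration.

```javascript
// Added example (not the plugin's code). Constructed sample values as a hostile
// contributor might save them in a caption and link field.
const sampleCaption = 'Sunset <img src=x onerror="alert(1)">';
const sampleLink = 'javascript:alert(1)';

// Element-content and attribute context: neutralise the characters that can
// change HTML structure before the string reaches innerHTML.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// URL context: escaping alone does not help in href; the scheme must be
// allow-listed. Relative links resolve against a placeholder base (assumed).
function safeHref(url) {
  const raw = String(url).trim();
  try {
    const proto = new URL(raw, 'https://placeholder.invalid').protocol;
    return proto === 'http:' || proto === 'https:' ? raw : '#';
  } catch (_) {
    return '#'; // malformed URL: fall back to an inert link
  }
}

// Vulnerable pattern: stored values flow straight into markup.
function renderItemUnsafe(caption, link) {
  return `<a href="${link}" class="thickbox">${caption}</a>`;
}

// Hardened pattern: context-aware escaping plus scheme check.
function renderItemSafe(caption, link) {
  return `<a href="${escapeHtml(safeHref(link))}" class="thickbox">${escapeHtml(caption)}</a>`;
}

console.log(renderItemUnsafe(sampleCaption, sampleLink));
console.log(renderItemSafe(sampleCaption, sampleLink));
```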

Realistic attack scenarios

  1. Small editorial site with Contributors
    A contributor uploads images and sets a crafted gallery caption. An editor or admin later views or previews the gallery; the injected script executes and steals session cookies or uses the admin’s session to make changes.
  2. Membership or community site
    Attackers create galleries with persistent scripts targeted at logged‑in members. When members view galleries, browsers execute payloads that steal credentials or perform unwanted actions.
  3. Public submissions
    Sites accepting external submissions are attractive targets: contributors upload media and craft metadata to persist payloads that fire when visitors open lightboxes.

Even with “only Contributor” required, this becomes a higher risk when privileged users interact with content — a common pattern on collaborative platforms.

Immediate actions for site owners (prioritized)

  1. Update NextGEN Gallery to version 3.59.12 (or later) — do this now if you can. This is the most important step.
  2. If you cannot update immediately:
    • Temporarily deactivate NextGEN Gallery.
    • Or disable ThickBox features if the plugin offers that configuration.
  3. Limit contributor capabilities:
    • Prevent contributors from uploading files until patched.
    • Restrict who can create or edit galleries.
    • Temporarily revoke Contributor role from untrusted users.
  4. Apply virtual patches via your Web Application Firewall (WAF) where possible — see the WAF guidance below.
  5. Scan your database for injected scripts and clean any malicious entries (see detection section).
  6. Force password resets for higher‑privileged accounts if you find confirmed exploitation.
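For step 5, an added scan that is not the plugin's code: it checks exported gallery metadata rows for markup or event handlers that should never appear in a caption, decoding HTML entities first so encoded payloads are not missed. The field names (title, description, alttext) and the rows are constructed for illustration; a real scan would read them from the site's database.

```javascript
// Added example (not NextGEN Gallery's code). Constructed metadata rows.
const sampleRows = [
  { pid: 101, title: 'Harbour at night', description: 'Taken from Tsim Sha Tsui', alttext: 'harbour' },
  { pid: 102, title: 'Ferry', description: 'Ferry <script>alert(1)</script>', alttext: 'ferry' },
  { pid: 103, title: 'Peak', description: 'Victoria Peak', alttext: '&#60;img src=x onerror=alert(1)&#62;' },
  { pid: 104, title: 'Lion Rock at noon', description: 'Hike on the ridge', alttext: 'lion rock' },
];

// Patterns that indicate active content rather than a plain caption.
const SUSPICIOUS = [
  /<\s*script\b/i,
  /<\s*(iframe|object|embed|svg|math)\b/i,
  /\bon[a-z]+\s*=/i,   // inline event handlers such as onerror=
  /javascript\s*:/i,   // scheme-based payloads in link fields
];

// Decode numeric and the common named entities so encoded payloads are seen
// the way the browser will see them.
function decodeEntities(s) {
  const cp = n => (n > 0 && n <= 0x10ffff ? String.fromCodePoint(n) : '');
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&lt;/gi, '<').replace(/&gt;/gi, '>')
    .replace(/&quot;/gi, '"').replace(/&amp;/gi, '&');
}

// Returns one finding per matching field, naming the pattern that fired.
function scanRows(rows, fields = ['title', 'description', 'alttext']) {
  const findings = [];
  for (const row of rows) {
    for (const field of fields) {
      if (typeof row[field] !== 'string') continue;
      const decoded = decodeEntities(row[field]);
      const hit = SUSPICIOUS.find(re => re.test(decoded));
      if (hit) findings.push({ pid: row.pid, field, pattern: hit.source });
    }
  }
  return findings;
}

console.log(scanRows(sampleRows));
```

Rows it flags should be reviewed by hand before cleaning, since legitimate captions can occasionally contain angle brackets.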

How a WAF can mitigate this immediately

A WAF (Web Application Firewall) can provide virtual patching while you update. Use generic, well-tested rules and test in monitoring mode before blocking to avoid false positives.

Suggested rule behaviours (conceptual)

  • Block POST/PUT requests to gallery save endpoints that contain suspicious content patterns such as