Plugin inspection:

NextGEN Gallery

Potentially unsafe

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

Before using this plugin, you should very carefully consider its potential problems and should conduct a thorough assessment. Read more about this recommendation.

Warnings

This recommendation applies to version 2.0.66.27 of this plugin, but the most recent version is 3.59.2. These findings may no longer be correct.

Findings

  • At over 34,000 lines of PHP, this is a very large plugin, which makes it difficult to assess thoroughly
  • SQL is not consistently escaped (e.g. non_pope/class.photocrati_cache.php line 156, products/photocrati_nextgen/modules/datamapper/module.datamapper.php line 167, products/photocrati_nextgen/modules/nextgen_gallery_display/class.displayed_gallery.php line 787)
  • The ngg_init_check option is inserted into create_function(), meaning a user able to modify the wp_options table could potentially achieve arbitrary code execution. This option is deprecated and cannot be set through the admin interface, but it could potentially be set by exploiting an SQL injection. Due to the size of the codebase it has not been possible to verify whether a suitable SQL injection exists in the code of this plugin.
  • Uses eval() on something other than a string literal (pope/lib/class.extensibleobject.php line 879)
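The create_function() pattern behind the ngg_init_check finding, as an added illustration that is not code from NextGEN Gallery: a hypothetical init check that splices a stored option into PHP source, beside a hardened version that treats the option purely as data. Only the option name comes from the finding; the function names, the allow-list keywords and the use of the WordPress get_option() API are assumptions.

```php
<?php
// Added illustration of the finding above; not code from the plugin.
// Assumes WordPress's get_option(); function names are hypothetical.

// VULNERABLE PATTERN: the option value becomes PHP source text.
// Whoever can write the wp_options row (for instance via an SQL
// injection elsewhere) controls the code create_function() compiles.
// create_function() is deprecated since PHP 7.2 and removed in 8.0.
function ngg_run_init_check_unsafe() {
    $check = get_option('ngg_init_check', 'return true;');
    $fn = create_function('', $check);  // option text is executed as PHP
    return $fn();
}

// HARDENED PATTERN: the option only selects one of a fixed set of
// behaviours. The stored value is matched against an allow-list and never
// reaches eval()/create_function(); unexpected values fall back to a
// harmless default instead of being interpreted.
function ngg_run_init_check_safe() {
    $allowed = array(
        'skip'   => function () { return true; },
        'verify' => function () { return function_exists('gd_info'); },
    );
    $mode = get_option('ngg_init_check', 'skip');
    if (!is_string($mode) || !isset($allowed[$mode])) {
        $mode = 'skip';  // tampered or unknown value: do nothing dangerous
    }
    return $allowed[$mode]();
}

// Review aid for site owners: report whether the stored value is anything
// other than an expected keyword, so a tampered row can be inspected and
// deleted rather than executed.
function ngg_init_check_option_is_suspicious() {
    $value = get_option('ngg_init_check', null);
    return $value !== null && !in_array($value, array('skip', 'verify'), true);
}
```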

Reason for the 'Potentially unsafe' result

The plugin contains or is likely to contain a vulnerability which could be exploited by an end user and which would compromise the site’s confidentiality, integrity or availability:

  • May contain SQL injection vulnerabilities
  • In conjunction with an SQL injection it might contain an arbitrary code execution vulnerability. Such an exploit would most likely be accessible only to admin users.

Failure criteria

  • Execution of unprepared SQL statements
  • Unsafe generation of PHP code
  • Very large codebase

Read more about our failure criteria.