WordPress NextGEN Gallery Plugin swfupload Cross-Site Scripting Vulnerability

Secunia ID


Release Date

14 Nov 2012

Last Change

07 Dec 2012


Less Critical

Solution Status

Vendor Patch


WordPress NextGEN Gallery Plugin 1.x


From remote

Cross-Site Scripting

Cross-Site Scripting vulnerabilities allow a third party to manipulate the content or behaviour of a web application in a user's browser, without compromising the underlying system.

Other vulnerabilities related to Cross-Site Scripting, including "script insertion" and "cross-site request forgery", are also classified under this category.

Cross-Site Scripting vulnerabilities are often used against specific users of a website to steal their credentials or to conduct spoofing attacks.


A vulnerability has been discovered in the NextGEN Gallery plugin for WordPress, which can be exploited by malicious people to conduct cross-site scripting attacks.

The vulnerability is caused by a vulnerable version of swfupload bundled with the plugin.

For more information:

The vulnerability is confirmed in version 1.9.7. Other versions may also be affected.


Update to version 1.9.8.

Reported by

Reported by the vendor.

Original Advisory