SecurinZero Days
    Email Us
    Zero-Day Research/CVE-2015-9229
    ▲ MediumCVSS 4.8✓ PatchedEPSS 0.00202%

    Reflected Cross-Site Scripting in NextGEN Gallery

    In the nggallery-manage-gallery page in the Photocrati NextGEN Gallery plugin 2.1.15 for WordPress, XSS is possible for remote authenticated administrators via the images[1][alttext] parameter.

    CVE IDCVE-2015-9229
    CVSS v3.14.8 Medium
    VendorImagely
    CWECWE-79
    DisclosedFeb 17, 2015
    StatusFixed
    All advisories
    • 01Description
    • 02Proof of Concept
    • 03Impact
    • 04Remediation
    • 05Timeline
    • 06References
    01/Description

    What this actually is.

    Technical background, root cause, and affected surface.

    Multiple Cross-Site Scripting (XSS) vulnerability was identified on the WordPress plugin Gravity Forms before 2.1.15 in the nggallery-manage-gallery page.

    Vendor
    Imagely
    Affected Product
    NextGEN Gallery
    CVE
    CVE-2015-9229
    Securin ID
    2015-CSW-09-1004
    Status
    Fixed
    Date
    February 17, 2015
    Severity
    Medium
    CVSS Score
    4.8
    Vector
    CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
    CWE
    CWE-79
    02/Proof of Concept

    From one request
    to root shell.

    Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

    4.8CVSS 3.1
    VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
    ScopeChanged
    ImpactC:L / I:L / A:N
    SeverityMedium
    PoC · Exploitation Steps▲ trigger
    01Visit the following page on a site with this plugin installed.02http://yourwordpresssite.com/wordpress/wp-admin/admin.php?page=nggallery-manage-gallery&mode=edit&gid=1&paged=1 and modify the value of images[1][alttext] and path variable in NextGEN Gallery Photocrati Version 2.1.10 with ’)”></script><script>alert(document.cookie);</script> payload and save it to view further. Now, the added XSS payload is executed whenever the user reviews it.03Note: XSS payload was tried with the application once after implementing Unfiltered Html Settings as defined to the wp-config.php file.04Define (‘DISALLOW_UNFILTERED_HTML’, true);05POST request parameter images[1][alttext] variable in the given URL http://localhost/wordpress/wpadmin/admin.php?page=nggallerymanagegallery&mode=edit&gid=1&paged=1 of NextGEN Gallery Plugin version 2.1.10 is vulnerable to Cross-Site Scripting (XSS).06Figure 01: [alttext]variable in the given URL http://localhost/wordpress/wp-admin/admin.php?page=nggallery-manage-gallery&mode=edit&gid=1&paged=107Figure 02:  XSS Payload gets executed in the browser whenever the user views it.0803: XSS Payload injected to pathvariable in the given URL http://localhost/wordpress/wp-admin/admin.php?page=nggallery-manage-gallery&mode=edit&gid=3&paged=109Figure 04: XSS Payload gets executed in the browser whenever the user views it.
    03/Impact

    What an attacker does to you.

    Post-exploitation outcomes mapped to CVSS impact metrics.

    An XSS vulnerability allows an attacker to inject malicious code into the applications via the images [1] [alttext] parameter.

    04/Remediation

    Fix it. In this order.

    A runbook, not a checklist. Sequence matters — assume compromise before you act.

    Download the latest updated version of the Nextgen plugin and apply the patch as per vendor advisory.

    Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2015-9229, contact disclose@securin.io
    05/Disclosure Timeline

    Vendors moved in days.
    Attackers in hours.

    Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

    Feb 17, 2015

    Discovered in NextGen Gallery 2.1.7 version.

    Feb 17, 2015

    Reported to WordPress.

    Feb 18, 2015

    The vendor acknowledged the issue.

    Sep 04, 2015

    Same vulnerability once again discovered in NextGen Gallery 2.1.10 version.

    Sep 09, 2015

    Same vulnerability exists in NextGen Gallery 2.1.15 version.

    Sep 14, 2015

    Reported multiple XSS on version 2.1.15 directly to the Photocrati vendor and reminded the developer.

    Timeline recorded · Disclosure coordinated by Securin

    06/References

    Cite, verify, go deeper.

    Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

    NVD

    NVD — CVE-2015-9229

    nvd.nist.gov/vuln/detail/CVE-2015-9229 →
    SEC

    Securin VI — Full Technical Analysis

    vi.securin.io →

    Let Securin level up your security posture.

    Get a live exposure assessment, threat-actor briefing tailored to your sector, and IoC mapping for your SIEM.

    Browse all advisories
    SecurinSecurinZero Days

    Securin's zero-day research operation combines frontier AI models with a decade of offensive expertise — discovering, validating, and coordinating the disclosure of high-impact vulnerabilities at a scale and speed no human team achieves alone.

    Glossary
    © 2026 Securin Inc · CVE Numbering Authority
    Privacy Policy·Data Processing Addendum