SecurinZero Days
    Email Us
    Zero-Day Research/CVE-2015-9538
    ▲ MediumCVSS 6.5✓ PatchedEPSS 0.7025%

    Directory Traversal in NextGen Gallery

    The NextGEN Gallery plugin before 2.1.15 for WordPress allows ../ Directory Traversal in path selection.

    CVE IDCVE-2015-9538
    CVSS v3.16.5 Medium
    VendorNextGen
    CWECWE-22
    DisclosedFeb 14, 2015
    StatusFixed
    All advisories
    • 01Description
    • 02Proof of Concept
    • 03Impact
    • 04Remediation
    • 05Timeline
    • 06References
    01/Description

    What this actually is.

    Technical background, root cause, and affected surface.

    A path traversal vulnerability was identified on WordPress plugins NextGen gallery before 2.1.15. An attacker could take advantage of this flaw by crafting a filter name with Local File Inclusion (LFI) payload and traverse the file system to access files or directories that are outside of the restricted directory on the remote server.

    Vendor
    NextGen
    Affected Product
    NextGen Gallery
    CVE
    CVE-2015-9538
    Securin ID
    2015-CSW-08-1003
    Status
    Fixed
    Date
    February 14, 2015
    Severity
    Medium
    CVSS Score
    6.5
    Vector
    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
    CWE
    CWE-22
    02/Proof of Concept

    From one request
    to root shell.

    Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

    6.5CVSS 3.1
    VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
    ScopeUnchanged
    ImpactC:H / I:N / A:N
    SeverityMedium
    PoC · Exploitation Steps▲ trigger
    01Figure 1: HTTP Request & Response for the vulnerable dir variable with ../../../../../../../../../../../xampp/htdocs/wordpress/ (Any traversal) payload

    Note: Similarly, the user can fetch any details from any website hosted on the same server.

    03/Impact

    What an attacker does to you.

    Post-exploitation outcomes mapped to CVSS impact metrics.

    An attacker will abuse this vulnerability to view files that should otherwise not be accessible.

    04/Remediation

    Fix it. In this order.

    A runbook, not a checklist. Sequence matters — assume compromise before you act.

    Download the latest updated version of the Nextgen plugin and apply the patch as per vendor advisory.

    Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2015-9538, contact disclose@securin.io
    05/Disclosure Timeline

    Vendors moved in days.
    Attackers in hours.

    Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

    Feb 17, 2015

    Reported to Vendor

    Feb 18, 2015

    Acknowledged by Vendor.

    Aug 28, 2015

    Publicly Released due to no response from Vendor

    Publicly Released due to no response from Vendor Nov 26, 2015

    CVE Assigned

    Disclosed 192 days after discovery

    06/References

    Cite, verify, go deeper.

    Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

    NVD

    NVD — CVE-2015-9538

    nvd.nist.gov/vuln/detail/CVE-2015-9538 →
    SEC

    Securin VI — Full Technical Analysis

    vi.securin.io →

    Let Securin level up your security posture.

    Get a live exposure assessment, threat-actor briefing tailored to your sector, and IoC mapping for your SIEM.

    Browse all advisories
    SecurinSecurinZero Days

    Securin's zero-day research operation combines frontier AI models with a decade of offensive expertise — discovering, validating, and coordinating the disclosure of high-impact vulnerabilities at a scale and speed no human team achieves alone.

    Glossary
    © 2026 Securin Inc · CVE Numbering Authority
    Privacy Policy·Data Processing Addendum