Description
The plugin does not validate some block attributes before using them to generate paths passed to include functions, allowing Admin users to perform LFI attacks.
1. Create a gallery and upload an image.
2. Add the NextGEN Gallery block to a page and click Edit. Select the Gallery created in the previous step.
3. In "Customize Display Settings", using the developer tools, set the value of the "Select View" field to "default/../../../../../../../../../../../../../../../../../../../../../../../../../../../../etc/passwd"
4. Save and load the page to view the contents of `/etc/passwd`.
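
A check of the kind missing here allowlists the view name and confirms that the resolved path stays inside the template directory before it reaches `include`. This is an added example, not NextGEN Gallery's code or its actual fix; the function name `resolve_view_template`, the directory layout and the `.php` suffix are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not the plugin's own code.
// Maps a user-supplied view name to a template file and refuses anything
// that would resolve outside the template directory.
function resolve_view_template(string $base_dir, string $view): ?string
{
    // 1. Syntactic allowlist: slash-separated slugs only. "." and ".."
    //    segments, backslashes, NUL bytes and extensions never match.
    if (!preg_match('#^[A-Za-z0-9_-]+(?:/[A-Za-z0-9_-]+)*\z#', $view)) {
        return null;
    }
    // 2. Canonicalise, then confirm containment. realpath() also resolves
    //    symlinks, which the pattern check alone cannot see.
    $base = realpath($base_dir);
    $path = realpath($base_dir . '/' . $view . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0 || !is_file($path)) {
        return null;
    }
    return $path; // only this value may be passed to include
}

// Constructed demo data: a throwaway template directory with one view.
$dir = sys_get_temp_dir() . '/views_' . bin2hex(random_bytes(4));
mkdir($dir . '/default', 0700, true);
file_put_contents($dir . '/default/index.php', '<?php echo "gallery view\n";');

$inputs = [
    'legitimate view'     => 'default/index',
    'traversal (as in 3)' => 'default/' . str_repeat('../', 28) . 'etc/passwd',
    'explicit extension'  => 'default/index.php',
];
foreach ($inputs as $label => $view) {
    $resolved = resolve_view_template($dir, $view);
    printf("%-20s => %s\n", $label,
        $resolved === null ? 'rejected' : 'include ' . basename($resolved));
}
```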