Skip to main content

NextGEN Gallery EUVDEUVD-2026-31063

| CVE-2026-6566 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-20 Wordfence GHSA-4hjj-956w-4cwm
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 20, 2026 - 07:02 vuln.today

DescriptionCVE.org

The Photo Gallery, Sliders, Proofing and Themes - NextGEN Gallery plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 4.2.0. This is due to insufficient object-level authorization in the image deletion REST flow where the permission callback for DELETE /imagely/v1/images/{id} only checks 'NextGEN Manage gallery' permissions and does not enforce gallery ownership or 'NextGEN Manage others gallery' permissions. This makes it possible for authenticated attackers, with Subscriber-level privileges and 'NextGEN Manage gallery' capability, to delete gallery images belonging to other users as well as their associated image files from disk when deleteImg is enabled (default).

AnalysisAI

Insecure Direct Object Reference in NextGEN Gallery WordPress plugin through version 4.2.0 allows authenticated attackers with Subscriber-level privileges and the 'NextGEN Manage gallery' capability to delete gallery images belonging to other users, including their physical files from disk. The DELETE /imagely/v1/images/{id} REST endpoint validates only the 'NextGEN Manage gallery' capability, entirely omitting gallery ownership checks and the 'NextGEN Manage others gallery' permission - making cross-user image destruction possible at low privilege. No public exploit code identified at time of analysis and no CISA KEV listing; however, when deleteImg is enabled (default), exploitation results in irreversible file-level data loss beyond what the CVSS 4.3 integrity score alone conveys.

Technical ContextAI

The vulnerability affects the WordPress REST API layer of the NextGEN Gallery plugin (CPE: cpe:2.3:a:smub:photo_gallery,_sliders,_proofing_and_themes_-_nextgen_gallery:*:*:*:*:*:*:*:*), published by SMUB. The root cause is CWE-639 (Authorization Bypass Through User-Controlled Key): the REST permission callback for DELETE /imagely/v1/images/{id} accepts a caller-controlled image ID and checks only whether the requester holds 'NextGEN Manage gallery' capability, never validating that the target image belongs to the requesting user's gallery, nor requiring the elevated 'NextGEN Manage others gallery' capability that should govern cross-gallery operations. Because the image ID is an integer predictable or enumerable from the gallery frontend, an attacker can trivially target records outside their own scope. When the plugin's deleteImg option is active - its default state - the deletion also removes the underlying image file from the server filesystem, escalating the impact from a logical record deletion to permanent file destruction.

RemediationAI

Update the NextGEN Gallery plugin to a version beyond 4.2.0 that incorporates the fix from Trac changeset 3533432 (https://plugins.trac.wordpress.org/changeset/3533432/nextgen-gallery); since the exact patched release version is not independently confirmed from available data, verify the current stable version in the WordPress plugin repository before deploying. As an immediate compensating control prior to patching, administrators should audit all user accounts holding the 'NextGEN Manage gallery' capability via WordPress role management and revoke it from any Subscriber-level accounts that do not require it - this directly eliminates the exploitation path since the capability is not default-assigned. Additionally, disabling the 'deleteImg' option in NextGEN Gallery settings will prevent physical file deletion from disk if exploitation occurs, preserving image files even if logical deletion of database records succeeds; note that this workaround does not block unauthorized record deletion and may affect intended gallery cleanup workflows. No side effects are expected from the capability audit beyond restricting low-privilege gallery management operations.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

EUVD-2026-31063 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy