CVE-2026-6566
Deferred Deferred - Pending Action
Insecure Direct Object Reference in NextGEN Gallery WordPress Plugin

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: Wordfence

Description
The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 4.2.0. This is due to insufficient object-level authorization in the image deletion REST flow where the permission callback for DELETE /imagely/v1/images/{id} only checks 'NextGEN Manage gallery' permissions and does not enforce gallery ownership or 'NextGEN Manage others gallery' permissions. This makes it possible for authenticated attackers, with Subscriber-level privileges and 'NextGEN Manage gallery' capability, to delete gallery images belonging to other users as well as their associated image files from disk when deleteImg is enabled (default).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-20
Last Modified
2026-05-20
Generated
2026-06-10
AI Q&A
2026-05-20
EPSS Evaluated
2026-06-08
NVD
CVE-2026-6566
EUVD
EUVD-2026-31063
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
imagely nextgen_gallery to 4.2.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the NextGEN Gallery plugin for WordPress, specifically in versions up to and including 4.2.0. It is an Insecure Direct Object Reference (IDOR) issue in the image deletion REST API endpoint. The permission check for deleting images only verifies if the user has the 'NextGEN Manage gallery' permission but does not confirm if the user owns the gallery or has the 'NextGEN Manage others gallery' permission. This flaw allows authenticated users with Subscriber-level privileges and the 'NextGEN Manage gallery' capability to delete images from galleries they do not own.

Impact Analysis

This vulnerability can allow an attacker with relatively low privileges (Subscriber-level) to delete images from other users' galleries. This means unauthorized deletion of gallery images and their associated files from the server disk can occur, potentially leading to data loss and disruption of service for legitimate users.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6566. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart