CVE-2026-6566
Insecure Direct Object Reference in NextGEN Gallery WordPress Plugin
Publication date: 2026-05-20
Last updated on: 2026-05-20
Assigner: Wordfence
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| imagely | nextgen_gallery | up to and including 4.2.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the NextGEN Gallery plugin for WordPress, specifically in versions up to and including 4.2.0. It is an Insecure Direct Object Reference (IDOR) issue in the image deletion REST API endpoint. The permission check for deleting images only verifies that the user has the 'NextGEN Manage gallery' capability; it does not confirm that the user owns the gallery or holds the 'NextGEN Manage others gallery' capability. This flaw allows authenticated users with Subscriber-level privileges and the 'NextGEN Manage gallery' capability to delete images from galleries they do not own.
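To make the flaw concrete, here is an added illustration of the two permission-check patterns side by side. It is not NextGEN Gallery's code; the route name, the image-to-owner lookup helper and its stub data are assumptions made for the example. What is taken from the advisory is the shape of the bug: a WordPress REST `permission_callback` that stops at `current_user_can( 'NextGEN Manage gallery' )` and never asks who owns the gallery the image belongs to. The hardened version resolves the owner server-side from the image ID in the route, so the caller cannot influence which ownership record is consulted, and then requires either ownership or the 'NextGEN Manage others gallery' capability.

```php
<?php
// Added example (hypothetical, not the plugin's own code): a REST permission
// callback for an image-delete route, shown first with the capability-only
// check the advisory describes and then with an ownership-aware check.

/**
 * Hypothetical server-side lookup: image ID -> owning gallery -> author user ID.
 * The static map is constructed test data standing in for the real data access.
 * Returns null when the image is unknown.
 */
function example_image_owner_id( int $image_id ): ?int {
    static $owners = array( 100 => 1, 101 => 2 ); // constructed: image => owner user ID
    return $owners[ $image_id ] ?? null;
}

/**
 * Flawed pattern (what CVE-2026-6566 describes): any authenticated user who
 * holds 'NextGEN Manage gallery' passes, no matter whose gallery the image is in.
 */
function example_delete_permission_flawed( WP_REST_Request $request ) {
    return current_user_can( 'NextGEN Manage gallery' );
}

/**
 * Hardened pattern: the caller must hold 'NextGEN Manage gallery' AND either
 * own the gallery containing the image or hold 'NextGEN Manage others gallery'.
 * Ownership is derived from the route's image ID, never from a client-supplied
 * gallery or owner parameter.
 */
function example_delete_permission_fixed( WP_REST_Request $request ) {
    if ( ! current_user_can( 'NextGEN Manage gallery' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient capability.', array( 'status' => 403 ) );
    }

    $image_id = (int) $request->get_param( 'id' );
    $owner_id = example_image_owner_id( $image_id );
    if ( null === $owner_id ) {
        // Unknown image: deny rather than let the handler decide.
        return new WP_Error( 'rest_not_found', 'Unknown image.', array( 'status' => 404 ) );
    }

    if ( $owner_id !== get_current_user_id()
        && ! current_user_can( 'NextGEN Manage others gallery' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You may only delete images from galleries you own.',
            array( 'status' => 403 )
        );
    }

    return true;
}

/**
 * Placeholder handler: the actual file and record deletion is out of scope here.
 */
function example_delete_image( WP_REST_Request $request ) {
    return rest_ensure_response( array( 'deleted' => (int) $request->get_param( 'id' ) ) );
}

// Route registration (namespace and path are assumptions for the example).
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/images/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'example_delete_image',
        'permission_callback' => 'example_delete_permission_fixed',
        'args'                => array(
            'id' => array( 'required' => true, 'type' => 'integer' ),
        ),
    ) );
} );
```

When reviewing a plugin's REST routes for this class of bug, the check to make is whether every `permission_callback` on a mutating route ties the capability test to the specific object being acted on; a callback that takes only `current_user_can()` into account and ignores the request's object ID is the signature of CWE-639.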
How can this vulnerability impact me?
This vulnerability can allow an attacker with relatively low privileges (Subscriber-level) to delete images from other users' galleries. This means unauthorized deletion of gallery images and their associated files from the server disk can occur, potentially leading to data loss and disruption of service for legitimate users.