NextGEN Download Gallery <= 1.6.2 - Unauthenticated Information Exposure
Description
The NextGEN Download Gallery plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.2. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NTechnical Details
<=1.6.2# Exploitation Research Plan: CVE-2026-0675 - NextGEN Download Gallery Unauthenticated Information Exposure ## 1. Vulnerability Summary The **NextGEN Download Gallery** plugin (<= 1.6.2) for WordPress contains a sensitive information exposure vulnerability. The plugin likely implements a functional…
Show full research plan
Exploitation Research Plan: CVE-2026-0675 - NextGEN Download Gallery Unauthenticated Information Exposure
1. Vulnerability Summary
The NextGEN Download Gallery plugin (<= 1.6.2) for WordPress contains a sensitive information exposure vulnerability. The plugin likely implements a functionality—such as download logging, user tracking, or settings export—that is accessible via an unauthenticated entry point (likely a wp_ajax_nopriv_ action or a REST API route). Because the handler for this action fails to implement proper capability checks (e.g., current_user_can( 'manage_options' )), any unauthenticated visitor can trigger the code path that returns sensitive data like user emails, download history, IP addresses, or internal configuration.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php(Most likely) or/wp-json/...(REST API). - Action/Route: To be determined via discovery, but likely prefixed with
ngdg_orngg_download_. - Parameter: An
actionparameter for AJAX or a specific route path for REST. - Authentication: None required (unauthenticated).
- Preconditions: The plugin must be active. Information exposure is most "sensitive" if there is existing data to leak (e.g., previous downloads recorded in the database).
3. Code Flow (Inferred)
- Entry Point: An unauthenticated user sends a request to
admin-ajax.phpwith a specificaction. - Hook Registration: The plugin registers the action using
add_action( 'wp_ajax_nopriv_[ACTION_NAME]', ... ). - Handler Execution: The handler function is called.
- Missing Check: The handler fails to call
current_user_can()or verify that the requester is an administrator. - Data Retrieval: The handler queries the database (e.g.,
$wpdb->get_results( "SELECT * FROM {$wpdb->prefix}ngdg_logs" )) or retrieves options viaget_option(). - Information Sink: The handler echoes the data (often in JSON or CSV format) and terminates with
wp_die()ordie().
4. Nonce Acquisition Strategy
If the vulnerable endpoint requires a nonce, follow these steps using the browser_eval tool:
- Identify Shortcodes: Search for shortcode registrations in the plugin:
grep -rn "add_shortcode" /var/www/html/wp-content/plugins/nextgen-download-gallery/
(Expected shortcode:[ngg_download_gallery]). - Create Trigger Page: Create a public page containing the shortcode to ensure scripts and nonces are enqueued:
wp post create --post_type=page --post_status=publish --post_title="Gallery" --post_content='[ngg_download_gallery]' - Identify Nonce Localization: Look for
wp_localize_scriptin the source:grep -rn "wp_localize_script" /var/www/html/wp-content/plugins/nextgen-download-gallery/ - Extract via Browser:
- Navigate to the newly created page:
browser_navigate("http://localhost:8080/gallery") - Extract the nonce from the JS object (example object names:
ngdg_settings,ngg_download_gallery_ajax):browser_eval("window.ngdg_settings?.nonce")orbrowser_eval("window.ngdg_ajax?.nonce").
- Navigate to the newly created page:
Note: If the plugin uses a wp_ajax_nopriv_ action but forgets both capability checks and nonce checks, the nonce is unnecessary.
5. Exploitation Strategy
Phase 1: Discovery
Locate the unauthenticated entry points:
# Find all unauthenticated AJAX actions
grep -rn "wp_ajax_nopriv_" /var/www/html/wp-content/plugins/nextgen-download-gallery/
# Find all REST API routes
grep -rn "register_rest_route" /var/www/html/wp-content/plugins/nextgen-download-gallery/
Phase 2: Targeted Probing
Assuming a discovered action like ngdg_get_log or ngdg_export_settings:
Request Construction:
- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Method: POST
- Content-Type:
application/x-www-form-urlencoded - Body:
action=[ACTION_NAME]&nonce=[NONCE_IF_FOUND]
- URL:
Execution: Use the
http_requesttool to send the payload.
Phase 3: Payload Examples (Inferred)
- Log Exposure:
action=ngdg_get_download_log - Configuration Exposure:
action=ngdg_export_settings - User Information:
action=ngdg_list_subscribers
6. Test Data Setup
To verify the exposure of "sensitive" data, populate the database first:
- Install Dependencies: Ensure
nextgen-galleryis installed and active. - Create Content: Use WP-CLI to create a gallery and upload at least one image.
- Simulate Activity: If the vulnerability exposes download logs, trigger the download functionality manually or via
wp evalto ensure the log table is not empty.# Example: Manually insert a log entry if the table exists wp db query "INSERT INTO wp_ngdg_logs (user_id, email, download_date, file_name) VALUES (1, 'admin@example.com', NOW(), 'test-image.jpg')"
7. Expected Results
- Success: The HTTP response returns a status code
200 OKand a body containing JSON, CSV, or raw text data that reveals:- Usernames or Email addresses.
- Download history (IP addresses, filenames).
- Plugin configuration settings (potentially containing paths or secrets).
- Failure: The response is
403 Forbidden,400 Bad Request, or returns0(standard WordPress AJAX response for invalid actions).
8. Verification Steps
- Compare Output: Compare the data received in the
http_requestresponse with the actual database content using WP-CLI:wp db query "SELECT * FROM wp_ngdg_logs" --format=json - Confirm Privilege Level: Ensure the same request works when the
http_requesttool has no cookies (is unauthenticated).
9. Alternative Approaches
- Direct File Access: Check if the plugin creates temporary export files in
wp-content/uploads/ngdg-exports/with predictable names or directory listing enabled. - Init-based Export: Some plugins check
$_GETglobally. Try:curl http://localhost:8080/?ngdg_export=1orhttp://localhost:8080/?ngdg_action=dump_logs. - REST API: If AJAX fails, check for routes in
/wp-json/ngdg/v1/...that do not return a401 Unauthorizedfor unauthenticated requests.
Summary
The NextGEN Download Gallery plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to and including 1.6.2. This vulnerability arises because certain AJAX actions registered for unauthenticated users lack proper capability checks, allowing anyone to trigger functions that return sensitive data such as download logs, user emails, and IP addresses.
Exploit Outline
The exploit targets unauthenticated AJAX handlers in the WordPress environment. An attacker identifies a vulnerable action registered via `wp_ajax_nopriv_` (such as one intended for exporting logs or viewing statistics). By sending a POST request to `/wp-admin/admin-ajax.php` with the `action` parameter set to the target hook, the attacker triggers the data retrieval logic. Since the plugin fails to verify the requester's permissions using `current_user_can()`, the handler executes and returns sensitive database content (e.g., CSV or JSON format) containing user and system metadata directly to the unauthenticated attacker.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.