CVE-2026-0675

NextGEN Download Gallery <= 1.6.2 - Unauthenticated Information Exposure

mediumExposure of Sensitive Information to an Unauthorized Actor
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The NextGEN Download Gallery plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.2. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Low
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<=1.6.2
PublishedJanuary 8, 2026
Last updatedJanuary 14, 2026
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-0675 - NextGEN Download Gallery Unauthenticated Information Exposure ## 1. Vulnerability Summary The **NextGEN Download Gallery** plugin (<= 1.6.2) for WordPress contains a sensitive information exposure vulnerability. The plugin likely implements a functional…

Show full research plan

Exploitation Research Plan: CVE-2026-0675 - NextGEN Download Gallery Unauthenticated Information Exposure

1. Vulnerability Summary

The NextGEN Download Gallery plugin (<= 1.6.2) for WordPress contains a sensitive information exposure vulnerability. The plugin likely implements a functionality—such as download logging, user tracking, or settings export—that is accessible via an unauthenticated entry point (likely a wp_ajax_nopriv_ action or a REST API route). Because the handler for this action fails to implement proper capability checks (e.g., current_user_can( 'manage_options' )), any unauthenticated visitor can trigger the code path that returns sensitive data like user emails, download history, IP addresses, or internal configuration.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php (Most likely) or /wp-json/... (REST API).
  • Action/Route: To be determined via discovery, but likely prefixed with ngdg_ or ngg_download_.
  • Parameter: An action parameter for AJAX or a specific route path for REST.
  • Authentication: None required (unauthenticated).
  • Preconditions: The plugin must be active. Information exposure is most "sensitive" if there is existing data to leak (e.g., previous downloads recorded in the database).

3. Code Flow (Inferred)

  1. Entry Point: An unauthenticated user sends a request to admin-ajax.php with a specific action.
  2. Hook Registration: The plugin registers the action using add_action( 'wp_ajax_nopriv_[ACTION_NAME]', ... ).
  3. Handler Execution: The handler function is called.
  4. Missing Check: The handler fails to call current_user_can() or verify that the requester is an administrator.
  5. Data Retrieval: The handler queries the database (e.g., $wpdb->get_results( "SELECT * FROM {$wpdb->prefix}ngdg_logs" )) or retrieves options via get_option().
  6. Information Sink: The handler echoes the data (often in JSON or CSV format) and terminates with wp_die() or die().

4. Nonce Acquisition Strategy

If the vulnerable endpoint requires a nonce, follow these steps using the browser_eval tool:

  1. Identify Shortcodes: Search for shortcode registrations in the plugin:
    grep -rn "add_shortcode" /var/www/html/wp-content/plugins/nextgen-download-gallery/
    (Expected shortcode: [ngg_download_gallery]).
  2. Create Trigger Page: Create a public page containing the shortcode to ensure scripts and nonces are enqueued:
    wp post create --post_type=page --post_status=publish --post_title="Gallery" --post_content='[ngg_download_gallery]'
  3. Identify Nonce Localization: Look for wp_localize_script in the source:
    grep -rn "wp_localize_script" /var/www/html/wp-content/plugins/nextgen-download-gallery/
  4. Extract via Browser:
    • Navigate to the newly created page: browser_navigate("http://localhost:8080/gallery")
    • Extract the nonce from the JS object (example object names: ngdg_settings, ngg_download_gallery_ajax):
      browser_eval("window.ngdg_settings?.nonce") or browser_eval("window.ngdg_ajax?.nonce").

Note: If the plugin uses a wp_ajax_nopriv_ action but forgets both capability checks and nonce checks, the nonce is unnecessary.

5. Exploitation Strategy

Phase 1: Discovery

Locate the unauthenticated entry points:

# Find all unauthenticated AJAX actions
grep -rn "wp_ajax_nopriv_" /var/www/html/wp-content/plugins/nextgen-download-gallery/

# Find all REST API routes
grep -rn "register_rest_route" /var/www/html/wp-content/plugins/nextgen-download-gallery/

Phase 2: Targeted Probing

Assuming a discovered action like ngdg_get_log or ngdg_export_settings:

  1. Request Construction:

    • URL: http://localhost:8080/wp-admin/admin-ajax.php
    • Method: POST
    • Content-Type: application/x-www-form-urlencoded
    • Body: action=[ACTION_NAME]&nonce=[NONCE_IF_FOUND]
  2. Execution: Use the http_request tool to send the payload.

Phase 3: Payload Examples (Inferred)

  • Log Exposure: action=ngdg_get_download_log
  • Configuration Exposure: action=ngdg_export_settings
  • User Information: action=ngdg_list_subscribers

6. Test Data Setup

To verify the exposure of "sensitive" data, populate the database first:

  1. Install Dependencies: Ensure nextgen-gallery is installed and active.
  2. Create Content: Use WP-CLI to create a gallery and upload at least one image.
  3. Simulate Activity: If the vulnerability exposes download logs, trigger the download functionality manually or via wp eval to ensure the log table is not empty.
    # Example: Manually insert a log entry if the table exists
    wp db query "INSERT INTO wp_ngdg_logs (user_id, email, download_date, file_name) VALUES (1, 'admin@example.com', NOW(), 'test-image.jpg')"
    

7. Expected Results

  • Success: The HTTP response returns a status code 200 OK and a body containing JSON, CSV, or raw text data that reveals:
    • Usernames or Email addresses.
    • Download history (IP addresses, filenames).
    • Plugin configuration settings (potentially containing paths or secrets).
  • Failure: The response is 403 Forbidden, 400 Bad Request, or returns 0 (standard WordPress AJAX response for invalid actions).

8. Verification Steps

  1. Compare Output: Compare the data received in the http_request response with the actual database content using WP-CLI:
    wp db query "SELECT * FROM wp_ngdg_logs" --format=json
  2. Confirm Privilege Level: Ensure the same request works when the http_request tool has no cookies (is unauthenticated).

9. Alternative Approaches

  • Direct File Access: Check if the plugin creates temporary export files in wp-content/uploads/ngdg-exports/ with predictable names or directory listing enabled.
  • Init-based Export: Some plugins check $_GET globally. Try:
    curl http://localhost:8080/?ngdg_export=1 or http://localhost:8080/?ngdg_action=dump_logs.
  • REST API: If AJAX fails, check for routes in /wp-json/ngdg/v1/... that do not return a 401 Unauthorized for unauthenticated requests.
Research Findings
Static analysis — not yet PoC-verified

Summary

The NextGEN Download Gallery plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to and including 1.6.2. This vulnerability arises because certain AJAX actions registered for unauthenticated users lack proper capability checks, allowing anyone to trigger functions that return sensitive data such as download logs, user emails, and IP addresses.

Exploit Outline

The exploit targets unauthenticated AJAX handlers in the WordPress environment. An attacker identifies a vulnerable action registered via `wp_ajax_nopriv_` (such as one intended for exporting logs or viewing statistics). By sending a POST request to `/wp-admin/admin-ajax.php` with the `action` parameter set to the target hook, the attacker triggers the data retrieval logic. Since the plugin fails to verify the requester's permissions using `current_user_can()`, the handler executes and returns sensitive database content (e.g., CSV or JSON format) containing user and system metadata directly to the unauthenticated attacker.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.