[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fFy7FhPJRrK9adhxvnu-Yoc4MExLII-Z-H0DhtCxFWZA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":9,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":40},"CVE-2026-6566","photo-gallery-sliders-proofing-and-themes-insecure-direct-object-reference-to-authenticated-subscriber-image-deletion-vi","Photo Gallery, Sliders, Proofing and Themes \u003C= 4.2.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Image Deletion via REST API","The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 4.2.0. This is due to insufficient object-level authorization in the image deletion REST flow where the permission callback for DELETE \u002Fimagely\u002Fv1\u002Fimages\u002F{id} only checks 'NextGEN Manage gallery' permissions and does not enforce gallery ownership or 'NextGEN Manage others gallery' permissions. 
This makes it possible for authenticated attackers, with Subscriber-level privileges and 'NextGEN Manage gallery' capability, to delete gallery images belonging to other users as well as their associated image files from disk when deleteImg is enabled (default).","nextgen-gallery",null,"\u003C=4.2.0","4.2.1","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Authorization Bypass Through User-Controlled Key","2026-05-19 17:01:55","2026-05-20 05:31:13",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F439809ad-21ea-4a0b-b1fd-5de9f8f5ee7a?source=api-prod",1,[22,23,24,25,26,27,28,29],"adminApp\u002Fbuild\u002Fdependencies.php","adminApp\u002Fbuild\u002Findex.min.js","composer.lock","nggallery.php","products\u002Fphotocrati_nextgen\u002Fmodules\u002Flegacy_compat\u002Fpackage.module.legacy_compat.php","products\u002Fphotocrati_nextgen\u002Fmodules\u002Fnextgen_admin\u002Ftemplates\u002Fmailchimp_optin.php","products\u002Fphotocrati_nextgen\u002Fmodules\u002Fnextgen_basic_album\u002Fpackage.module.nextgen_basic_album.php","readme.txt","researched",false,3,"# Exploitation Research Plan - CVE-2026-6566\n\n## 1. Vulnerability Summary\nThe **NextGEN Gallery** plugin (versions \u003C= 4.2.0) contains an **Insecure Direct Object Reference (IDOR)** vulnerability in its REST API implementation for image deletion. Specifically, the endpoint `DELETE \u002Fimagely\u002Fv1\u002Fimages\u002F{id}` fails to perform proper object-level authorization. While it checks if a user has the general `NextGEN Manage gallery` capability, it does not verify if the user owns the gallery containing the image or possesses the higher-privilege `NextGEN Manage others gallery` capability. This allows any authenticated user with the `NextGEN Manage gallery` capability (which can be assigned to Subscriber-level roles via plugin settings) to delete images belonging to any other user.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-json\u002Fimagely\u002Fv1\u002Fimages\u002F{id}`\n- **HTTP Method:** `DELETE` (or `POST` with `_method=DELETE` \u002F `X-HTTP-Method-Override: DELETE`)\n- **Authentication:** Authenticated. Requires a user with the `NextGEN Manage gallery` capability.\n- **Payload Parameter:** `{id}` in the URL represents the image ID in the `{prefix}_ngg_pictures` table.\n- **Preconditions:** \n    1. The attacker must have a Subscriber account.\n    2. The \"NextGEN Gallery\" -> \"Other Options\" -> \"Roles & Capabilities\" must be configured to allow the Subscriber role the `NextGEN Manage gallery` capability (a common configuration for multi-user sites).\n    3. `deleteImg` option is enabled (default behavior), which causes the image files to be unlinked from the filesystem.\n\n## 3. Code Flow (Inferred)\nBased on NextGEN's module architecture and the vulnerability description:\n1. **Route Registration:** The plugin registers the route `imagely\u002Fv1\u002Fimages\u002F(?P\u003Cid>[\\d]+)` using `register_rest_route`.\n2. **Permission Callback:** The `permission_callback` for the `DELETE` method likely calls a function that only checks:\n   `return current_user_can('NextGEN Manage gallery');`\n3. **Execution Callback:** The controller's deletion method takes the `{id}`, retrieves the image record from the database, and proceeds to delete it:\n   - It fetches the image object via the NextGEN DataMapper (e.g., `\\Imagely\\NGG\\DataMappers\\Image::get_instance()->find($id)`).\n   - It fails to compare the image's `galleryid` ownership against the `current_user_id`.\n   - It calls the storage deletion method (e.g., `$storage->delete_image($id)`), which removes the database entry and unlinks the file from `wp-content\u002Fgallery\u002F`.\n\n## 4. Nonce Acquisition Strategy\nThe REST API requires a standard WordPress REST nonce (`wp_rest`).\n\n1. 
**Shortcode\u002FPage Setup:** NextGEN's admin dashboard or any page where the NextGEN \"Manage Galleries\" interface is loaded will contain the necessary nonce.\n2. **Strategy:**\n   - Log in as the Subscriber.\n   - Access the NextGEN Dashboard (if available) or any admin page.\n   - The plugin relies on the core WordPress REST API settings.\n3. **Extraction:**\n   - Use `browser_eval` to extract the nonce from the `wpApiSettings` global object provided by WordPress core when REST-enabled scripts are loaded.\n   - **JavaScript:** `window.wpApiSettings.nonce`\n\n## 5. Exploitation Strategy\n### Step 1: Target Identification\nDetermine the ID of an image belonging to another user (e.g., the Administrator).\n- This can often be found by inspecting the frontend of a gallery (NextGEN image IDs are frequently exposed in HTML attributes or lightbox data).\n\n### Step 2: Request Construction\nPerform a `DELETE` request using the `http_request` tool.\n\n**Request Details:**\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002Fimagely\u002Fv1\u002Fimages\u002F{TARGET_IMAGE_ID}`\n- **Method:** `DELETE`\n- **Headers:**\n    - `X-WP-Nonce: [EXTRACTED_NONCE]`\n    - `Content-Type: application\u002Fjson`\n    - `Cookie: [SUBSCRIBER_COOKIES]`\n\n### Step 3: Execution\nIf the server returns a `200 OK` or `204 No Content`, the image has been deleted despite it not belonging to the Subscriber.\n\n## 6. Test Data Setup\n1. **Users:**\n   - User A: Administrator (ID 1).\n   - User B: Subscriber (ID 2).\n2. **Capability Setup (via WP-CLI):**\n   - Grant the required capability to the subscriber role (simulating a common plugin config):\n     `wp ngg capabilities add subscriber \"NextGEN Manage gallery\"`\n3. **Content Creation:**\n   - User A (Admin) creates a gallery and uploads an image `victim.jpg`.\n   - Record the image ID: `wp db query \"SELECT pid FROM wp_ngg_pictures WHERE filename='victim.jpg'\"`\n4. 
**Attacker Context:**\n   - User B (Subscriber) creates their own gallery to ensure they have an active session and the capability works.\n\n## 7. Expected Results\n- **Success:** The REST API returns a success response. The image record is removed from the `{prefix}_ngg_pictures` table, and the file `wp-content\u002Fgallery\u002F{gallery_name}\u002Fvictim.jpg` is deleted from the disk.\n- **Failure:** The REST API returns a `403 Forbidden` or `401 Unauthorized`.\n\n## 8. Verification Steps\n1. **Database Check:**\n   `wp db query \"SELECT * FROM wp_ngg_pictures WHERE pid = {TARGET_IMAGE_ID}\"`\n   (Should return no results).\n2. **Filesystem Check:**\n   `ls \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fgallery\u002F{gallery_name}\u002Fvictim.jpg`\n   (Should return \"No such file or directory\").\n\n## 9. Alternative Approaches\nIf the `DELETE` method is blocked by server configuration (e.g., some WAFs or specific Nginx configs):\n- Use `POST` with the method override header:\n  ```http\n  POST \u002Fwp-json\u002Fimagely\u002Fv1\u002Fimages\u002F{id} HTTP\u002F1.1\n  X-HTTP-Method-Override: DELETE\n  X-WP-Nonce: ...\n  ```\n- Use `POST` with the `_method` parameter:\n  ```http\n  POST \u002Fwp-json\u002Fimagely\u002Fv1\u002Fimages\u002F{id}?_method=DELETE HTTP\u002F1.1\n  X-WP-Nonce: ...\n  ```","The NextGEN Gallery plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) via its REST API in versions up to and including 4.2.0. 
Authenticated users with the 'NextGEN Manage gallery' capability can delete images belonging to any user because the image deletion endpoint fails to verify gallery ownership or 'manage others' permissions.","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fnextgen-gallery\u002F4.2.0\u002FadminApp\u002Fbuild\u002Fdependencies.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fnextgen-gallery\u002F4.2.1\u002FadminApp\u002Fbuild\u002Fdependencies.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fnextgen-gallery\u002F4.2.0\u002FadminApp\u002Fbuild\u002Fdependencies.php\t2026-04-24 16:23:10.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fnextgen-gallery\u002F4.2.1\u002FadminApp\u002Fbuild\u002Fdependencies.php\t2026-05-15 21:15:30.000000000 +0000\n@@ -1 +1 @@\n-\u003C?php return array('dependencies' => array('react', 'react-dom', 'react-jsx-runtime', 'wp-api-fetch', 'wp-components', 'wp-data', 'wp-element', 'wp-i18n'), 'version' => '713cb6f59506e3d395e8');\n+\u003C?php return array('dependencies' => array('react', 'react-dom', 'react-jsx-runtime', 'wp-api-fetch', 'wp-components', 'wp-data', 'wp-element', 'wp-i18n'), 'version' => 'f7afa128be1833048fd9');\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fnextgen-gallery\u002F4.2.0\u002FadminApp\u002Fbuild\u002Findex.min.js \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fnextgen-gallery\u002F4.2.1\u002FadminApp\u002Fbuild\u002Findex.min.js\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fnextgen-gallery\u002F4.2.0\u002FadminApp\u002Fbuild\u002Findex.min.js\t2026-04-24 16:23:10.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fnextgen-gallery\u002F4.2.1\u002FadminApp\u002Fbuild\u002Findex.min.js\t2026-05-15 
21:15:30.000000000 +0000\n@@ -1,2 +1,2 @@\n \u002F*! For license information please see index.min.js.LICENSE.txt *\u002F\n-(()=>{var e,t,n,r,a={338:(e,t,n)=>{\"use strict\";var r=n(795);t.H=r.createRoot,r.hydrateRoot},93:function(e,t,n){var r;r=e=>(()=>{\"use strict\";var t={899:t=>{t.exports=e}},n={};... (truncated)","The exploit targets the REST API endpoint `DELETE \u002Fwp-json\u002Fimagely\u002Fv1\u002Fimages\u002F{id}`. An attacker requires authentication with the 'NextGEN Manage gallery' capability, which can be granted to Subscriber-level users in the plugin's settings.\n\n1. Log in as an authorized user (e.g., Subscriber with the management capability).\n2. Obtain the standard WordPress REST API nonce (`wp_rest`) from the admin dashboard (e.g., from the `wpApiSettings.nonce` global object).\n3. Identify the target image ID (`pid`) of an image belonging to another user (often visible in frontend HTML or lightbox metadata).\n4. Execute a `DELETE` request to `\u002Fwp-json\u002Fimagely\u002Fv1\u002Fimages\u002F{TARGET_ID}` with the `X-WP-Nonce` header.\n5. 
The plugin's failure to check for 'NextGEN Manage others gallery' or gallery ownership allows the request to succeed, resulting in the removal of the image record from the database and the deletion of the associated file from the filesystem.","gemini-3-flash-preview","2026-05-20 16:33:43","2026-05-20 16:34:07",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","4.2.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fnextgen-gallery\u002Ftags\u002F4.2.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fnextgen-gallery.4.2.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fnextgen-gallery\u002Ftags\u002F4.2.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fnextgen-gallery.4.2.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fnextgen-gallery\u002Ftags"]