WordPress · Nextgen Gallery · CVE-2026-6566
**Name of the Vulnerable Software and Affected Versions**
NextGEN Gallery versions prior to 4.2.1
**Description**
The NextGEN Gallery plugin for WordPress contains an Insecure Direct Object Reference issue caused by insufficient object-level authorization in the image deletion REST flow. Specifically, the permission callback for the endpoint 'DELETE /imagely/v1/images/{id}' only verifies the 'NextGEN Manage gallery' capability and does not enforce gallery ownership or the 'NextGEN Manage others gallery' capability. Consequently, authenticated attackers with Subscriber-level privileges and the 'NextGEN Manage gallery' capability can delete images belonging to other users, including the associated image files on disk, provided that `deleteImg` is enabled.
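The missing object-level check described above, as an added example that is not the plugin's own code: a capability-only `permission_callback` beside one that also enforces gallery ownership or the 'NextGEN Manage others gallery' capability. The helper function and the `ngg_pictures` / `ngg_gallery` table and column names are assumptions standing in for however the plugin maps an image id to its gallery's owner.

```php
<?php
// Added example, not the plugin's own code: an object-level authorization
// check for a DELETE /imagely/v1/images/{id} style REST route.
// Assumptions (not from the advisory): the helper below and the
// ngg_pictures / ngg_gallery table and column names are placeholders for
// however the plugin maps an image id to the owner of its gallery.

// Hypothetical: resolve an image id to the WP user ID owning its gallery.
function example_gallery_owner_for_image( int $image_id ): ?int {
    global $wpdb;
    $author = $wpdb->get_var( $wpdb->prepare(
        "SELECT g.author FROM {$wpdb->prefix}ngg_pictures p
           JOIN {$wpdb->prefix}ngg_gallery g ON g.gid = p.galleryid
          WHERE p.pid = %d",
        $image_id
    ) );
    return $author === null ? null : (int) $author;
}

// The pattern the advisory describes: capability only, no ownership check,
// so any user holding 'NextGEN Manage gallery' passes for every image id.
function example_permission_capability_only( WP_REST_Request $request ) {
    return current_user_can( 'NextGEN Manage gallery' );
}

// Hardened: capability AND (owns the gallery OR may manage others' galleries).
function example_permission_with_ownership( WP_REST_Request $request ) {
    if ( ! current_user_can( 'NextGEN Manage gallery' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient capability.', [ 'status' => 403 ] );
    }
    $owner = example_gallery_owner_for_image( (int) $request['id'] );
    if ( null === $owner ) {
        return new WP_Error( 'rest_not_found', 'Unknown image.', [ 'status' => 404 ] );
    }
    if ( get_current_user_id() === $owner || current_user_can( 'NextGEN Manage others gallery' ) ) {
        return true;
    }
    return new WP_Error( 'rest_forbidden', 'Not the owner of this gallery.', [ 'status' => 403 ] );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'imagely/v1', '/images/(?P<id>\d+)', [
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => function ( WP_REST_Request $request ) {
            // Plugin-specific deletion would run here; the permission callback
            // has already established that the caller may touch this image.
            return rest_ensure_response( [ 'deleted' => (int) $request['id'] ] );
        },
        'permission_callback' => 'example_permission_with_ownership',
    ] );
} );
```

Returning a `WP_Error` with a 404 for unknown ids and a 403 for foreign galleries keeps the two failure modes distinguishable in REST logs, which helps when hunting for enumeration of image ids by low-privilege accounts.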
**Recommendations**
Update the plugin to a version later than 4.2.0.
As a temporary workaround, disable the `deleteImg` setting to prevent the deletion of image files from the disk.