PT-2026-42112 · WordPress · Nextgen Gallery

Bao Luu Gia Nguyen · Published 2026-05-20 · Updated 2026-05-20 · CVE-2026-6566

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: NextGEN Gallery versions prior to 4.2.1
Description: The NextGEN Gallery plugin for WordPress contains an Insecure Direct Object Reference (IDOR) issue caused by insufficient object-level authorization in the image deletion REST flow. The permission callback for the endpoint 'DELETE /imagely/v1/images/{id}' only verifies that the caller holds the 'NextGEN Manage gallery' capability; it never checks that the caller owns the gallery the image belongs to, nor that the caller holds the 'NextGEN Manage others gallery' capability. Consequently, an authenticated attacker with Subscriber-level privileges who has been granted 'NextGEN Manage gallery' can delete images belonging to other users by supplying their image IDs. When the deleteImg setting is enabled, the associated image files are also removed from disk.
Recommendations: Update the plugin to NextGEN Gallery 4.2.1 or later. As a temporary workaround, disable the deleteImg setting so that deletions triggered through this endpoint no longer remove image files from disk; note that this only limits the impact, it does not close the missing authorization check itself.
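To make the authorization gap concrete, the following is an added illustration and not NextGEN Gallery's own code: a WordPress REST permission callback written the way the advisory describes the vulnerable check (capability only), beside a hardened version that also authorizes the object by checking gallery ownership or the 'NextGEN Manage others gallery' capability. The table and column names used for the ownership lookup, the helper function names, and the 'example/v1' route namespace are assumptions made for this example.

```php
<?php
/**
 * Added example (not the plugin's code): object-level authorization for an
 * image-deletion REST endpoint in WordPress.
 *
 * Assumptions for this example: the image-to-owner lookup uses tables named
 * {prefix}ngg_pictures (pid, galleryid) and {prefix}ngg_gallery (gid, author);
 * the route is registered under a hypothetical 'example/v1' namespace so it
 * does not collide with the plugin's real 'imagely/v1' route.
 */

// Vulnerable pattern as described in the advisory: the callback only checks a
// capability. Every user holding 'NextGEN Manage gallery' passes, regardless
// of who owns the image referenced by {id}.
function example_delete_image_permission_vulnerable( WP_REST_Request $request ) {
	return current_user_can( 'NextGEN Manage gallery' );
}

// Assumed helper: resolve an image ID to the WordPress user ID that owns the
// gallery containing it. Returns null when no such image exists.
function example_image_owner_id( int $image_id ): ?int {
	global $wpdb;
	$author = $wpdb->get_var( $wpdb->prepare(
		"SELECT g.author
		   FROM {$wpdb->prefix}ngg_gallery g
		   JOIN {$wpdb->prefix}ngg_pictures p ON p.galleryid = g.gid
		  WHERE p.pid = %d",
		$image_id
	) );
	return ( null === $author ) ? null : (int) $author;
}

// Hardened pattern: keep the capability gate, then authorize the object
// itself. The caller must own the gallery the image belongs to, or hold the
// 'NextGEN Manage others gallery' capability.
function example_delete_image_permission_fixed( WP_REST_Request $request ) {
	if ( ! current_user_can( 'NextGEN Manage gallery' ) ) {
		return new WP_Error( 'rest_forbidden', 'Insufficient capability.', [ 'status' => 403 ] );
	}

	$image_id = (int) $request->get_param( 'id' );
	$owner_id = example_image_owner_id( $image_id );

	if ( null === $owner_id ) {
		return new WP_Error( 'rest_not_found', 'Image not found.', [ 'status' => 404 ] );
	}

	if ( $owner_id !== get_current_user_id()
		&& ! current_user_can( 'NextGEN Manage others gallery' ) ) {
		return new WP_Error(
			'rest_forbidden',
			'You may only delete images in galleries you own.',
			[ 'status' => 403 ]
		);
	}

	return true;
}

// Wire the hardened callback into a DELETE route. The authorization decision
// is made in permission_callback, before the handler runs.
add_action( 'rest_api_init', function () {
	register_rest_route( 'example/v1', '/images/(?P<id>\d+)', [
		'methods'             => WP_REST_Server::DELETABLE,
		'permission_callback' => 'example_delete_image_permission_fixed',
		'args'                => [
			'id' => [ 'validate_callback' => 'is_numeric' ],
		],
		'callback'            => function ( WP_REST_Request $request ) {
			// Handler runs only after permission_callback returned true.
			// Actual record/file removal would go here; this example returns
			// the authorized ID so the flow can be exercised end to end.
			return new WP_REST_Response( [ 'deleted' => (int) $request->get_param( 'id' ) ], 200 );
		},
	] );
} );
```

The practical test of a fix like this is to create two Subscriber accounts that both hold 'NextGEN Manage gallery', upload an image as the first, and issue the DELETE as the second: the vulnerable callback answers 200 and the image is gone, the hardened one answers 403 and the image remains. If image-ID enumeration by non-owners is a concern, return the same 404 for both "not found" and "not owned" instead of distinguishing them as above.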

Fix

IDOR


Weakness Enumeration

Related Identifiers

CVE-2026-6566

Affected Products

Nextgen Gallery