PatchSiren cyber security CVE debrief
CVE-2026-6566 smub CVE debrief
The NextGEN Gallery WordPress plugin (versions ≤4.2.0) contains an Insecure Direct Object Reference (IDOR) vulnerability in its REST API image deletion endpoint. The DELETE /imagely/v1/images/{id} endpoint only validates the 'NextGEN Manage gallery' capability without verifying gallery ownership or checking for the 'NextGEN Manage others gallery' permission. This authorization gap allows authenticated attackers with Subscriber-level access and the 'NextGEN Manage gallery' capability to delete images belonging to other users. When the deleteImg option is enabled (default configuration), this also removes the associated image files from disk. The vulnerability was disclosed on 2026-05-20 and assigned a CVSS 3.1 score of 4.3 (MEDIUM severity). A patch has been committed to the plugin repository.
- Vendor: smub
- Product: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-20
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-20
- Advisory updated: 2026-05-20
Who should care
WordPress site administrators using NextGEN Gallery plugin; security teams monitoring WordPress plugin vulnerabilities; incident responders investigating unauthorized image deletions; compliance officers assessing data integrity controls
Technical summary
The vulnerability exists in the REST API permission callback for the image deletion endpoint. The callback at DELETE /imagely/v1/images/{id} invokes a permission check that only validates the 'NextGEN Manage gallery' WordPress capability. It does not perform object-level authorization to verify the requesting user owns the target gallery or image, nor does it check for the 'NextGEN Manage others gallery' capability that would explicitly permit cross-user operations. This allows any authenticated user possessing the base 'NextGEN Manage gallery' capability—including those with Subscriber roles where this capability has been granted—to specify arbitrary image IDs and delete resources belonging to other users. The deleteImg configuration option (enabled by default) causes the operation to also remove the underlying file from server disk, resulting in permanent data loss.
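An added illustration, not code from the NextGEN Gallery plugin: a WordPress REST permission callback in the shape the advisory describes (capability check only) beside one that also enforces object-level authorization for the requested image id. The owner lookup and its small ownership table are constructed for this example; the capability names are the ones named above.

```php
<?php
// Added example, not NextGEN Gallery's own code. Shows the permission_callback
// for a route like DELETE /imagely/v1/images/{id} in two shapes.

// Vulnerable shape (CWE-639): every holder of the base capability passes,
// regardless of which image id the request names.
function ngg_demo_delete_permission_vulnerable( WP_REST_Request $request ) {
    return current_user_can( 'NextGEN Manage gallery' );
}

// Hypothetical lookup standing in for the plugin's gallery/image tables.
// The map below is constructed sample data: image id => owning WP user id.
function ngg_demo_lookup_image_owner_id( int $image_id ): ?int {
    $owners = array( 101 => 7, 102 => 12 );
    return isset( $owners[ $image_id ] ) ? $owners[ $image_id ] : null;
}

// Hardened shape: base capability, then either the cross-user capability
// or ownership of the specific object the request refers to.
function ngg_demo_delete_permission_hardened( WP_REST_Request $request ) {
    if ( ! current_user_can( 'NextGEN Manage gallery' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient capability.', array( 'status' => 403 ) );
    }

    $image_id = absint( $request->get_param( 'id' ) );
    $owner_id = ngg_demo_lookup_image_owner_id( $image_id );
    if ( null === $owner_id ) {
        // Same response as "not yours": do not confirm whether the id exists.
        return new WP_Error( 'rest_forbidden', 'Not allowed.', array( 'status' => 403 ) );
    }

    if ( current_user_can( 'NextGEN Manage others gallery' ) ) {
        return true; // explicitly permitted to act on other users' galleries
    }

    if ( $owner_id === get_current_user_id() ) {
        return true; // acting on an image in the caller's own gallery
    }

    return new WP_Error( 'rest_forbidden', 'You may only delete images in your own galleries.', array( 'status' => 403 ) );
}

// Where the check plugs in. The handler name is hypothetical; the route is
// registered under a demo namespace so it does not shadow the real plugin's.
add_action( 'rest_api_init', function () {
    register_rest_route( 'ngg-demo/v1', '/images/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'ngg_demo_delete_image',
        'permission_callback' => 'ngg_demo_delete_permission_hardened',
    ) );
} );
```

The 403 for a nonexistent id is deliberate: returning 404 only when the id is missing would let a caller who fails the ownership check enumerate which image ids exist.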
Defensive priority
medium
Recommended defensive actions
- Upgrade NextGEN Gallery WordPress plugin to version 4.2.1 or later
- Review WordPress user roles and capabilities to ensure 'NextGEN Manage gallery' is restricted to trusted administrators
- Audit gallery image access logs for unauthorized deletion activity between plugin installation and patch deployment
- Verify backup integrity for gallery images that may have been affected
- Consider implementing additional authorization checks at the web application firewall level for REST API endpoints matching /imagely/v1/images/*
Evidence notes
Vulnerability identified by Wordfence. Patch committed to WordPress plugin repository (changeset 3533432). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. CWE-639 (Authorization Bypass Through User-Controlled Key).
Official resources
Disclosed 2026-05-20