CVE-2026-6566 Overview
CVE-2026-6566 is an Insecure Direct Object Reference (IDOR) vulnerability in the NextGEN Gallery plugin for WordPress, affecting versions up to and including 4.2.0. The flaw exists in the image deletion REST endpoint DELETE /imagely/v1/images/{id}, where the permission callback only validates the NextGEN Manage gallery capability without enforcing gallery ownership. Authenticated attackers holding Subscriber-level access with this capability can delete gallery images owned by other users. When the deleteImg option is enabled (the default), the associated image files are also removed from disk.
Critical Impact
Subscriber-level users can delete arbitrary gallery images and underlying files belonging to other site users.
Affected Products
- NextGEN Gallery WordPress plugin versions up to and including 4.2.0
- WordPress sites using the Photo Gallery, Sliders, Proofing and Themes plugin
- Sites with deleteImg configuration enabled (default state)
Discovery Timeline
- 2026-05-20 - CVE-2026-6566 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-6566
Vulnerability Analysis
The vulnerability resides in the REST API permission callback for the image deletion route. The plugin registers DELETE /imagely/v1/images/{id} and gates access using only the NextGEN Manage gallery capability check. The callback does not validate whether the requesting user owns the gallery containing the target image. It also does not require the NextGEN Manage others gallery capability for cross-user deletion attempts.
This missing object-level authorization is classified under CWE-639: Authorization Bypass Through User-Controlled Key. An authenticated attacker can supply any image ID in the path parameter. The endpoint resolves the image, deletes the database record, and removes the file from disk when deleteImg is enabled. The attacker requires Subscriber-level privileges and the NextGEN Manage gallery capability, which may be granted in multi-author or community WordPress deployments.
Root Cause
The root cause is insufficient object-level authorization in the REST permission callback. The code verifies that the caller holds a generic capability but never compares the gallery owner against the current user ID. WordPress capability checks alone are not equivalent to per-object access control.
Attack Vector
Exploitation requires network access and an authenticated session with low privileges. The attacker enumerates or guesses numeric image IDs and issues DELETE requests against the REST endpoint. Each successful request removes one image record and, by default, the corresponding file from the server filesystem. No user interaction is required from the victim. See the Wordfence Vulnerability Report for additional technical detail.
Detection Methods for CVE-2026-6566
Indicators of Compromise
- Unexpected DELETE requests to /wp-json/imagely/v1/images/{id} from low-privilege user sessions
- Missing gallery image records and corresponding files on disk without administrator action
- WordPress audit log entries showing image deletions by Subscriber or Author-level accounts
Detection Strategies
- Inspect web server and WordPress logs for DELETE method calls against the imagely/v1/images REST namespace
- Correlate image deletion events with the requesting user's role and the gallery owner's user ID
- Alert on bursts of sequential image ID deletions, which indicate enumeration
Monitoring Recommendations
- Monitor REST API traffic for non-administrator users invoking destructive HTTP methods
- Track filesystem changes in the wp-content/gallery/ directory and equivalents
- Review user capability assignments for unexpected NextGEN Manage gallery grants on low-privilege roles
How to Mitigate CVE-2026-6566
Immediate Actions Required
- Update the NextGEN Gallery plugin to a version above 4.2.0 once the patched release is available
- Audit WordPress user roles and remove the NextGEN Manage gallery capability from untrusted accounts
- Disable the deleteImg option to prevent file removal from disk if patching is delayed
Patch Information
The vendor addressed the issue in the plugin source tree. Review the upstream changes in the WordPress NextGEN Gallery Update changeset and update to the fixed release. The fix introduces gallery ownership validation in the REST permission callback and requires NextGEN Manage others gallery for cross-user operations.
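The Root Cause and Patch Information sections above describe a capability-only permission callback and the ownership check the fix adds. The following is an added illustration, not the plugin's own code: it shows the weak form beside a hardened permission callback for a DELETE route. It assumes the capability strings match the names used in this advisory, and example_gallery_owner_for_image() is a hypothetical stand-in for the plugin's data layer.

```php
<?php
// Added example, not NextGEN Gallery source. Hypothetical lookup standing in for
// the plugin's data model: returns the owner user ID of the gallery that contains
// the image, or null when the image does not exist.
function example_gallery_owner_for_image( int $image_id ): ?int {
    $owners = array( 10 => 2, 11 => 2, 12 => 7 ); // image ID => owner user ID (constructed)
    return $owners[ $image_id ] ?? null;
}

// Weak form: the pattern this advisory describes. Any user holding the generic
// capability passes, whatever gallery the image belongs to (CWE-639).
function example_weak_permission( WP_REST_Request $request ) {
    return current_user_can( 'NextGEN Manage gallery' );
}

// Hardened form: generic capability, then per-object ownership, then the
// "others" capability for cross-user operations. Unknown objects fail closed.
function example_hardened_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'NextGEN Manage gallery' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient capability.', array( 'status' => 403 ) );
    }
    $image_id = absint( $request->get_param( 'id' ) );
    $owner_id = example_gallery_owner_for_image( $image_id );
    if ( null === $owner_id ) {
        return new WP_Error( 'rest_not_found', 'Image not found.', array( 'status' => 404 ) );
    }
    if ( $owner_id !== get_current_user_id() && ! current_user_can( 'NextGEN Manage others gallery' ) ) {
        return new WP_Error( 'rest_forbidden', 'Cannot modify another user\'s gallery.', array( 'status' => 403 ) );
    }
    return true;
}

// Registration under an example namespace (the real route is imagely/v1/images/{id}).
// The handler only echoes the ID; record and file removal (and the deleteImg
// setting) are the plugin's responsibility and are not reproduced here.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/images/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'permission_callback' => 'example_hardened_permission',
        'callback'            => function ( WP_REST_Request $request ) {
            return rest_ensure_response( array( 'deleted' => absint( $request->get_param( 'id' ) ) ) );
        },
    ) );
} );
```

With the constructed owner table, user 7 deleting image 10 is refused with 403 unless they hold NextGEN Manage others gallery, while user 2 deleting image 10 or 11 is allowed.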
Workarounds
- Restrict the NextGEN Manage gallery capability to trusted Editor and Administrator roles only
- Deploy a Web Application Firewall (WAF) rule blocking DELETE requests to /wp-json/imagely/v1/images/ from non-administrator sessions
- Set deleteImg to disabled so deletions remove records without purging filesystem assets
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.