cleantalk
Vulnerabilities and Security Researches

WordPress Gallery Plugin – NextGEN Gallery, CVE-2026-6566

CVE, Research URL

CVE-2026-6566

Home page URL

Security reports for WordPress Gallery Plugin – NextGEN Gallery

Application

WordPress Gallery Plugin – NextGEN Gallery

Published on
May 20, 2026
Research Description
The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 4.2.0. This is due to insufficient object-level authorization in the image deletion REST flow where the permission callback for DELETE /imagely/v1/images/{id} only checks 'NextGEN Manage gallery' permissions and does not enforce gallery ownership or 'NextGEN Manage others gallery' permissions. This makes it possible for authenticated attackers, with Subscriber-level privileges and 'NextGEN Manage gallery' capability, to delete gallery images belonging to other users as well as their associated image files from disk when deleteImg is enabled (default).
Affected versions
max 4.2.1.
Status
vulnerable
Previous vulnerability researches
Page Builder: Pagelayer – Drag and Drop website builder (CVE-2025-24573) , Jan 26, 2025
Page Builder: Pagelayer – Drag and Drop website builder (CVE-2025-1926) , Mar 10, 2025
Page Builder: Pagelayer – Drag and Drop website builder (CVE-2024-13427) , May 25, 2025
Page Builder: Pagelayer – Drag and Drop website builder (CVE-2025-4223) , May 25, 2025
Page Builder: Pagelayer – Drag and Drop website builder (CVE-2025-2104) , Mar 14, 2025
New vulnerability
Redirection for Contact Form 7 (CVE-2026-23970) , May 21, 2026
Smart Manager – WooCommerce Bulk Edit Products, Orders, Coupons, Any WordPress Post Type (Advanced) (CVE-2026-45216) , May 21, 2026
WordPress Gallery Plugin – NextGEN Gallery (CVE-2026-6566) , May 21, 2026
Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress (CVE-2026-8912) , May 20, 2026
Cookie Law Bar (CVE-2021-47957) , May 20, 2026