Photo Gallery, Sliders, Proofing and Themes NextGEN Gallery Insecure Direct Object Reference Vulnerability Allowing Unauthorized Image Deletion

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in the Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress, affecting all versions up to and including 4.2.0. The issue stems from missing object-level authorization in the REST API image deletion flow: the permission check only verifies that the caller holds the 'NextGEN Manage gallery' right, and never checks whether the caller owns the gallery or holds the 'NextGEN Manage others gallery' right. As a result, an authenticated user with Subscriber-level access and the 'NextGEN Manage gallery' capability can delete images from other users' galleries, together with the corresponding image files on the server, when the deleteImg option is enabled (the default setting).
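The authorization gap described above is a role-level check standing in for an object-level one. The following added example is not NextGEN Gallery code; it is a hypothetical WordPress REST route that shows the weak permission callback next to a hardened one that also enforces gallery ownership or the separate 'NextGEN Manage others gallery' right. The function names, route namespace, table and column names, and the example_delete_files option are assumptions made for illustration; the two capability strings are the ones named in the advisory.

```php
<?php
// Added example, not the plugin's own code. Demonstrates the difference between a
// capability-only permission check (the pattern the advisory describes) and an
// object-level check that considers gallery ownership. All identifiers prefixed
// with "example_" are hypothetical.

// Weak pattern: any user holding the capability may delete ANY image id.
// Nothing ties the caller to the gallery that owns the image.
function example_delete_image_permission_weak( WP_REST_Request $request ) {
	return current_user_can( 'NextGEN Manage gallery' );
}

// Hypothetical lookup: resolve an image id to the user id that owns its gallery.
// Returns null when the image does not exist. Table and column names are assumed.
function example_get_image_owner_id( int $image_id ): ?int {
	global $wpdb;
	$images    = $wpdb->prefix . 'example_images';
	$galleries = $wpdb->prefix . 'example_galleries';
	$owner     = $wpdb->get_var( $wpdb->prepare(
		"SELECT g.author FROM {$images} i JOIN {$galleries} g ON g.gid = i.galleryid WHERE i.pid = %d",
		$image_id
	) );
	return null === $owner ? null : (int) $owner;
}

// Hardened pattern: the capability is necessary but not sufficient. The caller must
// also own the gallery, or hold the right that explicitly covers other users' galleries.
function example_delete_image_permission_hardened( WP_REST_Request $request ) {
	if ( ! is_user_logged_in() ) {
		return new WP_Error( 'rest_unauthorized', 'Authentication required.', array( 'status' => 401 ) );
	}
	if ( ! current_user_can( 'NextGEN Manage gallery' ) ) {
		return new WP_Error( 'rest_forbidden', 'Insufficient capability.', array( 'status' => 403 ) );
	}

	$image_id = (int) $request->get_param( 'id' );
	$owner_id = example_get_image_owner_id( $image_id );
	if ( null === $owner_id ) {
		return new WP_Error( 'rest_not_found', 'Image not found.', array( 'status' => 404 ) );
	}

	// Object-level decision: own gallery, or explicit permission for others' galleries.
	if ( $owner_id === get_current_user_id() || current_user_can( 'NextGEN Manage others gallery' ) ) {
		return true;
	}
	return new WP_Error( 'rest_forbidden', 'You may not delete images from this gallery.', array( 'status' => 403 ) );
}

// Hypothetical handler. Because the file removal is irreversible, it runs only after
// the hardened permission callback has approved the request. The option controlling
// file deletion (example_delete_files, default on) stands in for the deleteImg option.
function example_delete_image_handler( WP_REST_Request $request ) {
	global $wpdb;
	$image_id = (int) $request->get_param( 'id' );
	$images   = $wpdb->prefix . 'example_images';
	$path     = $wpdb->get_var( $wpdb->prepare( "SELECT filepath FROM {$images} WHERE pid = %d", $image_id ) );

	$wpdb->delete( $images, array( 'pid' => $image_id ), array( '%d' ) );
	if ( get_option( 'example_delete_files', true ) && $path && file_exists( $path ) ) {
		wp_delete_file( $path );
	}
	return rest_ensure_response( array( 'deleted' => $image_id ) );
}

// Route registration wiring the hardened callback in. The namespace is hypothetical.
add_action( 'rest_api_init', function () {
	register_rest_route( 'example-gallery/v1', '/images/(?P<id>\d+)', array(
		'methods'             => WP_REST_Server::DELETABLE,
		'callback'            => 'example_delete_image_handler',
		'permission_callback' => 'example_delete_image_permission_hardened',
		'args'                => array(
			'id' => array( 'validate_callback' => function ( $value ) { return is_numeric( $value ); } ),
		),
	) );
} );
```

When auditing a plugin for this class of bug, the question to ask of every mutating REST or AJAX endpoint is whether the permission callback consults the object being acted on (here, the gallery's author) or only the caller's role; a check that never loads the target record cannot be an object-level check.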

Impact

Exploitation of this vulnerability allows for unauthorized deletion of gallery images and their associated files from the server, impacting users' content and potentially disrupting gallery functionality.

Remediation

Users are advised to update the Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin to version 4.2.1 or a later patched version.

Added: May 20, 2026, 7:18 AM
Updated: May 20, 2026, 7:18 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 5.9
remediation: 0.0
relevance: 8.9
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.