What the vulnerability does
01 Description
The Assistant for NextGEN Gallery plugin for WordPress is vulnerable to arbitrary directory deletion due to insufficient file path validation in the /wp-json/nextgenassistant/v1.0.0/control REST endpoint in all versions up to, and including, 1.0.9. This makes it possible for unauthenticated attackers to delete arbitrary directories on the server, which can cause a complete loss of availability.
Explanation of Vulnerability in Simple Terms
02 Summary
The Assistant for NextGEN Gallery plugin contains a path traversal vulnerability that allows an attacker to access files outside the intended directory. By crafting a malicious request with directory traversal sequences, an unauthenticated attacker can read arbitrary files from the server. This vulnerability affects versions 1.0.9 and earlier. No user interaction is required to exploit this issue.
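The root cause named in both the description and the summary above is insufficient path validation before a filesystem operation on a REST endpoint that does not require authentication. The following is an added example, not code from the plugin, its author, or WordPress: a Python routine that canonicalises a requested path and refuses anything that resolves outside a fixed base directory (including '..' segments, absolute inputs, prefix look-alikes such as `uploads_evil`, and symlinks), plus a hypothetical hardened handler that also requires an authorised caller before deleting. The function names, the base directory `/var/www/uploads` and all sample inputs are constructed for illustration; the equivalent check in a PHP plugin would canonicalise with `realpath()` and compare the result against the canonical base in the same way.

```python
import os
import shutil
import tempfile


class PathEscapeError(ValueError):
    """Raised when a requested path resolves outside the allowed base directory."""


def resolve_within(base_dir: str, requested: str) -> str:
    """Return the canonical path of `requested` (relative to base_dir) if it stays inside base_dir.

    Both sides are canonicalised with realpath() so that '..' segments, redundant
    separators and symlinks are resolved before the containment check. The check
    uses commonpath() rather than a string prefix so that '/var/www/uploads_evil'
    is not mistaken for a child of '/var/www/uploads'.
    """
    if "\x00" in requested:
        raise PathEscapeError("NUL byte in path")
    if os.path.isabs(requested) or requested.startswith(("/", "\\")):
        raise PathEscapeError("absolute paths are not accepted")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        raise PathEscapeError(f"{requested!r} escapes {base_dir!r}")
    return candidate


def is_within(base_dir: str, requested: str) -> bool:
    """Boolean convenience wrapper around resolve_within()."""
    try:
        resolve_within(base_dir, requested)
        return True
    except PathEscapeError:
        return False


def delete_gallery_dir(base_dir: str, requested: str, caller_is_admin: bool) -> str:
    """Hypothetical hardened delete handler: authorisation first, then path confinement.

    Refuses to remove the base directory itself. Returns the path that was deleted.
    """
    if not caller_is_admin:
        raise PermissionError("administrator capability required")
    target = resolve_within(base_dir, requested)
    if target == os.path.realpath(base_dir):
        raise PathEscapeError("refusing to delete the base directory itself")
    shutil.rmtree(target)
    return target


def symlink_escape_detected() -> bool:
    """Constructed layout: gallery/link -> outside. The symlink must be rejected."""
    with tempfile.TemporaryDirectory() as root:
        gallery = os.path.join(root, "gallery")
        outside = os.path.join(root, "outside")
        os.makedirs(gallery)
        os.makedirs(outside)
        os.symlink(outside, os.path.join(gallery, "link"))
        return not is_within(gallery, "link")


def delete_demo() -> dict:
    """Exercise the hardened handler against a constructed directory layout."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        gallery = os.path.join(root, "gallery")
        os.makedirs(os.path.join(gallery, "cache"))
        try:
            delete_gallery_dir(gallery, "cache", caller_is_admin=False)
            results["unauth_rejected"] = False
        except PermissionError:
            results["unauth_rejected"] = True
        try:
            delete_gallery_dir(gallery, "", caller_is_admin=True)
            results["base_refused"] = False
        except PathEscapeError:
            results["base_refused"] = True
        try:
            delete_gallery_dir(gallery, "../../", caller_is_admin=True)
            results["traversal_refused"] = False
        except PathEscapeError:
            results["traversal_refused"] = True
        delete_gallery_dir(gallery, "cache", caller_is_admin=True)
        results["subdir_deleted"] = not os.path.exists(os.path.join(gallery, "cache"))
    return results


if __name__ == "__main__":
    print(is_within("/var/www/uploads", "ngg/cache"))        # True
    print(is_within("/var/www/uploads", "../../../etc"))     # False
    print(symlink_escape_detected(), delete_demo())
```

Two design points matter here: the authorisation check runs before any filesystem work, so an unauthenticated request never reaches the path logic, and canonicalisation happens on both the base and the candidate before comparison, which is what defeats symlink and prefix tricks that a naive `startswith` check on the raw input would miss.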
What an attacker can do
03 Attacker Capabilities
Read arbitrary files from the server, including configuration files and sensitive data.
Potential impact on your site
04 Site Impact
Attackers can access sensitive files like database credentials, configuration, and private user data without logging in.
Conditions required to exploit
05 Prerequisites
Network access to the site; no authentication or user interaction required.
Key dates
06 Disclosure timeline
August 15, 2025: CVE published
April 8, 2026: Record updated