The NextGEN Gallery plugin for WordPress, up to and including version 3.59, contains a missing authorization (CWE-862) vulnerability in the get_item function. This allows unauthenticated remote attackers to retrieve sensitive data such as EXIF metadata from any image uploaded via the plugin. The vulnerability has a CVSS 3.1 base score of 5.3 (medium severity), reflecting network attack vector, low complexity, no privileges required, and no user interaction needed. There is no indication of impact on integrity or availability.

An attacker without authentication can access sensitive metadata of images managed by the plugin, potentially exposing privacy-related information embedded in image files. There is no impact on data integrity or service availability. No known exploitation in the wild has been reported to date.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, consider restricting access to the plugin's endpoints or disabling the plugin if sensitive image metadata exposure is a concern.