The NextGEN Gallery plugin for WordPress has a security vulnerability that affects versions up to and including 2.1.7. An authenticated attacker can use the ‘browse_folder’ action with the ‘dir’ parameter to read the contents of any file stored on the server, including files that contain sensitive information.
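For triage on the defender's side, the following is an added example (not code from the plugin or from the advisory) that checks whether an installed version falls in the affected range and flags captured requests to the action whose ‘dir’ value points outside an allowed folder. The gallery root path, the form-encoded request format and the sample bodies are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs

LAST_AFFECTED = (2, 1, 7)  # from the page: versions up to and including 2.1.7
GALLERY_ROOT = "/var/www/html/wp-content/gallery"  # assumption: allowed browse root

# Constructed form-encoded request bodies (not real traffic).
SAMPLE_BODIES = [
    "action=browse_folder&dir=gallery-2014",
    "action=browse_folder&dir=..%2F..%2Foutside-root",
    "action=browse_folder&dir=%2Fsrv%2Felsewhere",
    "action=heartbeat&dir=..%2F..%2Foutside-root",
]

def is_affected(version):
    """True when a dotted numeric version is at or below the last affected one."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    nums += [0] * (3 - len(nums))
    return tuple(nums) <= LAST_AFFECTED

def dir_escapes_root(dir_value, root=GALLERY_ROOT):
    """True when 'dir' normalises to a path outside the allowed root."""
    # join() lets an absolute value replace the root; normpath() collapses '..'.
    resolved = posixpath.normpath(posixpath.join(root, dir_value))
    return not (resolved == root or resolved.startswith(root + "/"))

def flag_requests(bodies, root=GALLERY_ROOT):
    """Return browse_folder requests whose 'dir' points outside the root."""
    hits = []
    for body in bodies:
        params = parse_qs(body, keep_blank_values=True)
        if "browse_folder" not in params.get("action", []):
            continue
        if any(dir_escapes_root(d, root) for d in params.get("dir", [])):
            hits.append(body)
    return hits

if __name__ == "__main__":
    print("2.1.7 affected:", is_affected("2.1.7"))
    for hit in flag_requests(SAMPLE_BODIES):
        print("review:", hit)
```

The path check here is purely lexical and does not follow symlinks, so it suits log triage; a server-side containment check should canonicalise the path on the filesystem before comparing it with the root.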