oss-sec mailing list archives

CVE Request - Full Path disclosure on Wordpress plugin NextGEN Gallery


From: Henrique Montenegro <typoon () gmail com>
Date: Thu, 14 Feb 2013 08:37:29 -0200

Good morning,

I have found an issue with a full-path disclosure in the NextGEN Gallery
1.9.10 and 1.9.11 for Wordpress, a plugin with 6+ million downloads.
This issue would let a user obtain information about paths on the server
that he/she is not supposed to know.
This does not depend on PHP's display_errors being set to ON, as the
information is disclosed by XML/JSON that is generated by the plugin code.

PoC:

http://wordpress.gilgalab.com.br/?callback=json&api_key=true&format=json&method=gallery&id=1

http://wordpress.gilgalab.com.br/?callback=json&api_key=true&format=xml&method=recent&limit=1

Plugin page at wordpress:
http://wordpress.org/extend/plugins/nextgen-gallery/

I have informed the wordpress team on this issue on February 8th, but no
response has been given about it.

Regards,

Henrique
