Critical flaws in NextGen Gallery WordPress plugin still impact over 500K installs

Pierluigi Paganini February 09, 2021

The development team behind the NextGen Gallery plugin has addressed two severe CSRF vulnerabilities that could have allowed site takeover.

The developers behind the NextGen Gallery plugin have fixed two critical Cross-Site Request Forgery (CSRF) vulnerabilities whose exploitation could lead to site takeover, malicious redirects, spam injection, phishing, and other malicious activity.

NextGEN Gallery is one of the most popular WordPress gallery plugins and has been available since 2007. The plugin receives over 1.5 million new downloads per year and makes it easy to create highly responsive photo galleries.

NextGen Gallery currently has over 800,000 active installs, which means that a flaw in this plugin could have a widespread impact.

The two CSRF vulnerabilities, tracked as CVE-2020-35942, were discovered by researchers at security firm Wordfence.

Both issues would result in Reflected Cross-Site Scripting (XSS) and remote code execution (RCE) because an uploaded file would be included and executed whenever the selected album type was viewed on the site.

“Thus, it was possible to set various album types to use a template with the absolute path of the file uploaded in the previous step, or perform a directory traversal attack using the relative path of the uploaded file, regardless of that file’s extension, through a CSRF attack.” reads the post published by Wordfence.

“This would result in Local File Inclusion (LFI) and Remote code Execution (RCE), as the uploaded file would then be included and executed whenever the selected album type was viewed on the site. Any JavaScript included in the uploaded file would also be executed, resulting in Cross-Site Scripting (XSS).”

The experts pointed out that upon achieving Remote Code Execution on a website, attackers could have taken over the sites running the vulnerable versions of the plugin.

An attacker could trigger the flaws with social engineering techniques by tricking WordPress admins into clicking specially crafted links or attachments to perform malicious actions.

“As a reminder, once an attacker achieves Remote Code Execution on a website, they have effectively taken over that site. XSS can likewise be used to take over a site if a logged-in administrator visits a page running a malicious injected script.” reads the post published by Wordfence.

“This attack would likely require some degree of social engineering, as an attacker would have to trick an administrator into clicking a link that submitted crafted requests to perform these actions.”
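The two weaknesses Wordfence describes are independent: a state-changing admin request accepted without an anti-CSRF token, and a template setting that accepted an arbitrary absolute or relative path and later passed it to an include. The following PHP is an added illustration written for this article, not code from NextGEN Gallery, Imagely or Wordfence; the handler and option names prefixed `ex_` and the `templates` directory are assumptions. It shows the flawed pattern beside a hardened one that uses WordPress's own nonce and capability checks and confines the template to a fixed directory.

```php
<?php
// Added illustration (not NextGEN Gallery's code): a hypothetical admin handler
// that stores a gallery template path, first as the flawed pattern the article
// describes, then hardened. Names prefixed "ex_" are assumptions for this example.

// --- Flawed pattern: no CSRF token, caller-supplied path used directly. ---
function ex_save_template_vulnerable() {
    // Any request an admin's browser can be made to send is accepted as-is.
    $template = $_POST['template'] ?? '';
    update_option( 'ex_album_template', $template );
}

function ex_render_album_vulnerable() {
    // An absolute path or "../" sequence stored above is included verbatim (LFI).
    include get_option( 'ex_album_template' );
}

// --- Hardened pattern. ---

/**
 * Confine a template name to a fixed directory of shipped templates.
 * Returns the resolved absolute path, or null if the name escapes the directory.
 */
function ex_resolve_template( $name, $base_dir ) {
    $base = realpath( $base_dir );
    // Accept a bare PHP file name only: no directory separators, no traversal.
    if ( $base === false || ! preg_match( '/^[A-Za-z0-9_-]+\.php$/', $name ) ) {
        return null;
    }
    $candidate = realpath( $base . DIRECTORY_SEPARATOR . $name );
    // realpath() collapses symlinks and "..", so a prefix check is reliable.
    if ( $candidate === false
        || strncmp( $candidate, $base . DIRECTORY_SEPARATOR, strlen( $base ) + 1 ) !== 0 ) {
        return null;
    }
    return $candidate;
}

function ex_save_template_hardened() {
    // 1. Capability check: only users allowed to change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. CSRF check: the form must carry a nonce tied to this action and this user.
    //    A cross-site form cannot know the nonce, so a forged request dies here.
    check_admin_referer( 'ex_save_template' );

    // 3. Input confinement: only a template that lives in the plugin's template dir.
    $name     = sanitize_file_name( wp_unslash( $_POST['template'] ?? '' ) );
    $resolved = ex_resolve_template( $name, plugin_dir_path( __FILE__ ) . 'templates' );
    if ( $resolved === null ) {
        wp_die( 'Invalid template', '', array( 'response' => 400 ) );
    }
    // Store only the validated file name; re-resolve it at render time.
    update_option( 'ex_album_template', basename( $resolved ) );
}

function ex_render_album_hardened() {
    $resolved = ex_resolve_template(
        get_option( 'ex_album_template', 'default.php' ),
        plugin_dir_path( __FILE__ ) . 'templates'
    );
    if ( $resolved !== null ) {
        include $resolved;
    }
}

// The settings form must emit the matching nonce field for the check above:
//   wp_nonce_field( 'ex_save_template' );
```

The nonce alone would have stopped the cross-site request described in the post; the path confinement is the second, independent layer that keeps a legitimately submitted but malformed value from ever reaching an include. Re-resolving the stored name at render time means that even an option written by some other code path is still subject to the same check.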

Below is the vulnerability timeline:

December 14, 2020 – The Wordfence Threat Intelligence team finishes researching vulnerabilities in NextGen Gallery. We deploy firewall rules and reach out to Imagely.
December 15, 2020 – Imagely replies and we provide full disclosure.
December 16, 2020 – Imagely sends us a patched version of the plugin to review.
December 17, 2020 – A patched version of NextGen Gallery is made available to the public.
January 13, 2021 – Sites running the free version of Wordfence receive firewall rules.

Since the release of the latest version, NextGEN Gallery has had only about 260K new downloads, which implies that over 500K active installs are still vulnerable.


Pierluigi Paganini

(SecurityAffairs – hacking, WordPress)
