logoWordPressPluginsThemesAPISubmitContact
search-icon
logo
search-icon
WordPressPluginsThemesAPISubmitContactSecurity Scanner
Register

NextGen Gallery < 3.5.0 - CSRF allows File Upload, Stored XSS, and RCE

Description

It was possible to bypass the "is_authorized_request" function used to control access to plugin settings by sending a request without a nonce parameter. This could be used to upload arbitrary code to a CSS file with a double extension (e.g. file.php.css), and could also be used to include the uploaded file as a gallery template, resulting in RCE and XSS when visiting a gallery using the selected template.

Affects Plugins

nextgen-gallery

Fixed in version 3.5.0

References

CVE

CVE-2020-35942

URL

https://www.wordfence.com/blog/2021/02/severe-vulnerabilities-patched-in-nextgen-gallery-affect-over-800000-wordpress-sites/

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CWE-352

Miscellaneous

Original Researcher

Ramuel Gall

Submitter

Ramuel Gall

Submitter twitter

ramuelgall

Verified

No

WPVDB ID

811beb4d-89b7-42bd-b387-ec588d318ef8

Timeline

Publicly Published

2021-02-08 (about 2 months ago)

Added

2021-02-08 (about 2 months ago)

Last Updated

2021-02-09 (about 2 months ago)

Our Other Services

WPScan WordPress Security Plugin