WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

NextGen Gallery < 3.5.0 - CSRF allows File Upload, Stored XSS, and RCE

Description

It was possible to bypass the "is_authorized_request" function used to control access to plugin settings by sending a request without a nonce parameter. This could be used to upload arbitrary code to a CSS file with a double extension (e.g. file.php.css), and could also be used to include the uploaded file as a gallery template, resulting in RCE and XSS when visiting a gallery using the selected template.

Affects Plugins

nextgen-gallery
Fixed in version 3.5.0

References

CVE
CVE-2020-35942
URL
https://www.wordfence.com/blog/2021/02/severe-vulnerabilities-patched-in-nextgen-gallery-affect-over-800000-wordpress-sites/

Classification

Type

CSRF

OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352

Miscellaneous

Original Researcher

Ramuel Gall

Submitter

Ramuel Gall

Submitter twitter
ramuelgall
Verified

No

WPVDB ID
811beb4d-89b7-42bd-b387-ec588d318ef8

Timeline

Publicly Published

2021-02-08 (about 2 years ago)

Added

2021-02-08 (about 2 years ago)

Last Updated

2021-02-09 (about 2 years ago)

Our Other Services

WPScan WordPress Security Plugin