WPScan

WordPress Plugin Vulnerabilities

NextGen Gallery < 3.5.0 - CSRF allows File Upload, Stored XSS, and RCE

Description

It was possible to bypass the "is_authorized_request" function used to control access to plugin settings by sending a request without a nonce parameter. This could be used to upload arbitrary code to a CSS file with a double extension (e.g. file.php.css), and could also be used to include the uploaded file as a gallery template, resulting in RCE and XSS when visiting a gallery using the selected template.
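
The fail-open pattern described above, modeled in PHP beside a fail-closed version. This is an added example, not NextGEN Gallery's code; the HMAC nonce helpers, the secret, the action name and the function names are assumptions made so it runs without WordPress.

```php
<?php
// Added example: a simplified model of a fail-open nonce check, not plugin code.
// The secret, action name and helper functions are constructed for illustration.
const DEMO_SECRET = 'constructed-demo-secret';
const DEMO_ACTION = 'save_settings';

// Stand-in for a per-user, per-action nonce (HMAC instead of WordPress internals).
function demo_create_nonce(int $userId, string $action): string {
    return substr(hash_hmac('sha256', $userId . '|' . $action, DEMO_SECRET), 0, 10);
}

function demo_verify_nonce(string $nonce, int $userId, string $action): bool {
    return hash_equals(demo_create_nonce($userId, $action), $nonce);
}

// Fail-open: the nonce is validated only when the request carries one.
function is_authorized_fail_open(array $request, int $userId, bool $canManage): bool {
    if (!$canManage) {
        return false;
    }
    if (isset($request['nonce'])) {
        return demo_verify_nonce((string) $request['nonce'], $userId, DEMO_ACTION);
    }
    return true; // no nonce: only the capability check applied
}

// Fail-closed: a missing or non-string nonce is rejected before verification.
function is_authorized_fail_closed(array $request, int $userId, bool $canManage): bool {
    if (!$canManage) {
        return false;
    }
    if (!isset($request['nonce']) || !is_string($request['nonce'])) {
        return false;
    }
    return demo_verify_nonce($request['nonce'], $userId, DEMO_ACTION);
}

// Constructed requests arriving in a logged-in administrator's session (user 1).
$requests = [
    'valid nonce'   => ['nonce' => demo_create_nonce(1, DEMO_ACTION)],
    'wrong nonce'   => ['nonce' => 'constructed'],
    'nonce omitted' => [],
];
foreach ($requests as $label => $request) {
    printf("%-14s fail-open=%-6s fail-closed=%s\n", $label,
        var_export(is_authorized_fail_open($request, 1, true), true),
        var_export(is_authorized_fail_closed($request, 1, true), true));
}
```

The two functions differ only on the request that omits the nonce, which is the case a cross-site request produces because the forging page cannot know the administrator's nonce.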

Affects Plugins

nextgen-gallery
Fixed in version 3.5.0

References

CVE: CVE-2020-35942
URL: https://www.wordfence.com/blog/2021/02/severe-vulnerabilities-patched-in-nextgen-gallery-affect-over-800000-wordpress-sites/

Classification

Type: CSRF
OWASP top 10: A2: Broken Authentication and Session Management
CWE: CWE-352

Miscellaneous

Original Researcher: Ramuel Gall
Submitter: Ramuel Gall
Submitter twitter: ramuelgall
Verified: No
WPVDB ID: 811beb4d-89b7-42bd-b387-ec588d318ef8

Timeline

Publicly Published: 2021-02-08 (about 2 years ago)
Added: 2021-02-08 (about 2 years ago)
Last Updated: 2021-02-09 (about 2 years ago)
