NextGen Gallery < 3.5.0 – CSRF allows File Upload, Stored XSS, and RCE | CVE 2020-35942 | Plugin Vulnerabilities

Description

It was possible to bypass the "is_authorized_request" function used to control access to plugin settings by sending a request without a nonce parameter. This could be used to upload arbitrary code to a CSS file with a double extension (e.g. file.php.css), and could also be used to include the uploaded file as a gallery template, resulting in RCE and XSS when visiting a gallery using the selected template.

Affects Plugins

nextgen-gallery

Fixed in 3.5.0

References

CVE

URL

https://www.wordfence.com/blog/2021/02/severe-vulnerabilities-patched-in-nextgen-gallery-affect-over-800000-wordpress-sites/

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Ramuel Gall

Submitter

Ramuel Gall

Submitter twitter

Verified

No

WPVDB ID

811beb4d-89b7-42bd-b387-ec588d318ef8

Timeline

Publicly Published

2021-02-08 (about 5 years ago)

Added

2021-02-08 (about 5 years ago)

Last Updated

2021-02-09 (about 5 years ago)

Other

Published

Title

Published

2025-02-03

Title

Songkick Concerts and Festivals < 0.10.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2025-08-14

Title

flexo-social-gallery <= 1.0006 - Cross-Site Request Forgery

Published

2024-04-12

Title

WP EasyCart < 5.6.0 - Cross-Site Request Forgery

Published

2024-04-10

Title

e2pdf < 1.23.00 - Cross-Site Request Forgery

Published

2021-03-10

Title

Database Backups <= 1.2.2.6 - CSRF to Backup Download