WordPress Plugin Vulnerabilities

NextGEN Gallery < 3.29 - Thumbnail Deletion via CSRF

Description

The plugin does not have CSRF checks when deleting Thumbnail, which could allow attackers to make logged in users with the edit_Post capability to perform such action via a CSRF attack

Affects Plugins

Plugin icon
nextgen-gallery
Fixed in 3.29

References

CVE
CVE-2022-38468

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
d50849ac-bbd9-4a2e-b2ee-e9b5b7a603e1

Timeline

Publicly Published
2023-02-14 (about 3 years ago)
Added
2023-03-01 (about 3 years ago)
Last Updated
2023-03-01 (about 3 years ago)

Other

Published
Title
Published
2023-12-27
Title
Apollo13 Framework Extensions < 1.9.2 - Cross-Site Request Forgery
Published
2025-10-12
Title
Contest Gallery < 28.0.1 - Cross-Site Request Forgery
Published
2025-12-22
Title
Premium Addons for Elementor < 4.11.54 - Arbitrary Template Creation via CSRF
Published
2022-03-21
Title
Yoo Slider < 2.1.0 - Arbitrary Slider Duplication/Deletion via CSRF
Published
2025-06-27
Title
IS-theme-companion <= 1.59 - Cross-Site Request Forgery