The Wordfence Threat Intelligence team finished researching two Cross-Site Request Forgery (CSRF) vulnerabilities in NextGen Gallery, a WordPress plugin with over 800,000 installations, including a critical severity vulnerability that could lead to Remote Code Execution (RCE) and Stored Cross-Site Scripting (XSS). Exploitation of these vulnerabilities could lead to a site takeover, malicious redirects, spam injection, phishing, and much more.
There are two vulnerabilities in NextGen Gallery, including a Critical Severity Cross-Site Request Forgery (CSRF) that could be used to take over a site via Remote Code Execution (RCE). These vulnerabilities have been fully patched in version 3.5.0, and Wordfence strongly recommends that site owners immediately update to the latest version available at this time, which is 3.5.0.