Update this popular WordPress plugin immediately, thousands of users warned

NextGEN Gallery WordPress plugin suffers two high-severity security bugs


Multiple serious vulnerabilities have been fixed in the popular WordPress plugin NextGEN Gallery, which has an active install base of more than 800,000 sites.

As discovered by the security team at Wordfence Threat Intelligence, a previous version of the image gallery plugin suffered from two cross-site request forgery (CSRF) flaws, which opened the door to full website takeover.

Researchers classified one vulnerability as high severity and the other as critical, because the critical flaw could be abused to achieve both cross-site scripting (XSS) and remote code execution (RCE) on the affected site.

WordPress plugin exploit

To exploit the vulnerable plugin, an attacker would need to trick a logged-in WordPress administrator into opening a malicious link in their web browser, for example via a phishing email. Because the forged request is issued by the administrator's own browser, it carries their authenticated session, and the vulnerable code did not verify that the administrator had actually intended the action, which is what makes it a CSRF flaw.

If successful, the attacker would be free to introduce malicious redirects, plant phishing pages and ultimately do whatever they liked with the compromised website.

“This attack would likely require some degree of social engineering…Additionally, performing these actions would require two separate requests, though this would be trivial to implement,” explained Wordfence in a blog post.
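To show concretely what a CSRF hole in a WordPress admin action looks like and how it is closed, here is an added illustration. It is not NextGEN Gallery's code and does not reproduce the actual flaw; the option name, action names and nonce name are hypothetical. The first handler accepts any POST that reaches it, so a form on an attacker's page, auto-submitted while an administrator is logged in, is honoured as if the administrator had filled it in. The second handler demands a nonce issued to that user for that action, checks the capability, and sanitises the value before storing it.

```php
<?php
/**
 * Added illustration (not NextGEN Gallery's code): a minimal WordPress
 * admin-post handler that saves a setting, first without and then with
 * CSRF protection. Option and action names are hypothetical.
 */

// --- Vulnerable pattern: trusts any request that reaches the handler. ---
// A logged-in administrator lured to an attacker's page has their browser
// attach the wp-admin session cookies to the cross-site POST, so the
// attacker's value is written as though the administrator submitted it.
add_action( 'admin_post_demo_save_unsafe', 'demo_save_unsafe' );
function demo_save_unsafe() {
    // No nonce check and no capability check: any value posted from anywhere wins.
    $template = isset( $_POST['gallery_template'] ) ? $_POST['gallery_template'] : '';
    update_option( 'demo_gallery_template', $template ); // stored raw; could carry <script>
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

// --- Hardened pattern: nonce + capability + sanitisation. ---
add_action( 'admin_post_demo_save_safe', 'demo_save_safe' );
function demo_save_safe() {
    // 1. Reject requests without a nonce issued to this user for this action.
    //    Nonces are bound to the user session and expire, so a page on another
    //    origin cannot know a valid value to include in its forged form.
    check_admin_referer( 'demo_save_safe_action', 'demo_nonce' );

    // 2. Confirm the user is actually allowed to change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 3. Sanitise before storing so a saved value cannot later execute as script.
    $template = isset( $_POST['gallery_template'] )
        ? sanitize_text_field( wp_unslash( $_POST['gallery_template'] ) )
        : '';
    update_option( 'demo_gallery_template', $template );

    wp_safe_redirect( admin_url( 'options-general.php?updated=1' ) );
    exit;
}

// The legitimate settings form must emit the matching nonce so real
// submissions pass the check that forged ones fail.
function demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_save_safe">
        <?php wp_nonce_field( 'demo_save_safe_action', 'demo_nonce' ); ?>
        <input type="text" name="gallery_template"
               value="<?php echo esc_attr( get_option( 'demo_gallery_template', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

Against the unsafe handler, the attacker's page needs nothing more than a hidden form posting `action=demo_save_unsafe` and a chosen `gallery_template` to the victim site's `admin-post.php`, submitted by a line of JavaScript on load; the browser supplies the administrator's cookies. Against the safe handler the same page fails at `check_admin_referer`, which is why Wordfence's fix for this class of bug is nonce verification on every state-changing admin action, and why the capability check belongs alongside it rather than instead of it.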

The NextGEN Gallery developers delivered a patch for the two bugs in December, but only circa 300,000 users have installed the necessary update so far, meaning upwards of 500,000 websites remain unprotected.


All users of the NextGEN Gallery plugin are advised to update to the latest version immediately, to safeguard against attack.

Via Bleeping Computer

Joel Khalili is the News and Features Editor at TechRadar Pro, covering cybersecurity, data privacy, cloud, AI, blockchain, internet infrastructure, 5G, data storage and computing. He’s responsible for curating our news content, as well as commissioning and producing features on the technologies that are transforming the way the world does business.
