Security Experts:

Connect with us

Hi, what are you looking for?



Vulnerabilities in NextGEN Gallery Plugin Exposed Many WordPress Sites to Takeover

Two severe vulnerabilities in the NextGEN Gallery WordPress plugin could have exposed more than 800,000 websites to complete takeover, WordPress security company Defiant reported on Monday.

Two severe vulnerabilities in the NextGEN Gallery WordPress plugin could have exposed more than 800,000 websites to complete takeover, WordPress security company Defiant reported on Monday.

Available for more than a decade, the plugin provides users with a broad range of gallery management capabilities, such as batch upload of photos, metadata import, thumbnail editing, photo and gallery management, and more.

In December 2020, security researchers with Defiant’s Wordfence team discovered two cross-site request forgery (CSRF) vulnerabilities in the popular plugin, the most severe of which could lead to remote code execution (RCE) and stored cross-site scripting (XSS).

“Exploitation of these vulnerabilities could lead to a site takeover, malicious redirects, spam injection, phishing, and much more,” the security researchers say.

Tracked as CVE-2020-35942, the first of these issues features a CVSS score of 9.6 and affects one of the plugin’s security functions, is_authorized_request.

Because NextGEN Gallery supports the upload of custom CSS files, the vulnerability allows for the upload of arbitrary code with double extensions, such as .php.css, and have code in them executed on certain configurations, remotely. Code execution was also possible on configurations not vulnerable to double extensions, because of a “Legacy Templates” feature.

An attacker able to execute code remotely on a vulnerable website would be able to essentially take over the site. A similar result can be achieved via XSS, if a logged-in administrator visits a malicious page (which would likely require social engineering tactics).

Tracked as CVE-2020-35943, the second vulnerability is considered high severity (CVSS score of 8.8) and resides in the validate_ajax_request security function that was implemented for various AJAX actions. A logic flaw in the function would result in requests being processed if a specific parameter was missing.

“This made it possible to trick an administrator into submitting a request crafted to upload an arbitrary image file. While the uploaded file had to be a valid image file, it is possible to hide a webshell or other executable PHP code within such an image file,” Wordfence explains.

By setting the image file as Legacy Template, an attacker could combine the flaw with the previously described vulnerability and abuse it for code execution. However, the attacker would have to convince an administrator to click on a link resulting in these requests being sent.

Wordfence reported these vulnerabilities to the plugin’s publisher, Imagely, on December 14, 2020, and a patched version of the plugin was published three days later. Site admins should make sure they are running NextGEN Gallery version 3.5.0 or later, to be protected.

Related: Many WordPress Sites Affected by Vulnerabilities in ‘Popup Builder’ Plugin

Related: WordPress Malware Targets WooCommerce Stores

Related: Elementor Plugin Vulnerabilities Exploited to Hack WordPress Sites

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet