WordPress plugin NextGen Gallery existed a serious vulnerability (CVE-2020-35942)
NextGen Gallery is a WordPress plugin used to create image libraries. It currently has more than 800,000 valid installations. Recently, The development team of NextGen Gallery has now resolved the two serious CSRF vulnerabilities (CVE-2020-35942) to protect the site from potential takeover attacks. This security update is mandatory for all website owners who have installed the plugin and have the highest priority.
Both vulnerabilities are Cross-Site Request Forgery (CSRF) errors, which may lead to XSS and RCE via file upload and LFI. Attackers can exploit these security vulnerabilities by inducing WordPress administrators to click on specially crafted links or attachments to execute malicious code in their browsers.
Once these two vulnerabilities are successfully exploited, the vulnerabilities can enable hackers to set up malicious redirects, inject spam, abuse infected websites for phishing, or even take control of these websites completely.
Wordfence researcher Ram Gall added: “These vulnerabilities have been fully patched in version 3.5.0, and we strongly recommend that site owners immediately update to the latest version available at this time, which is 3.5.0. Wordfence Premium users received firewall rules protecting against these vulnerabilities on December 14, 2020. Sites still running the free version of Wordfence received these rules on January 13, 2021.”