NextGen Gallery is a popular WordPress plugin with more than 800,000 installations. The plugin enables the creation of highly responsive image galleries. Unfortunately, Wordfence security researchers discovered that the plugin contained vulnerabilities, one of which (CVE-2020-35942) is a critical remote code execution bug.
“Exploitation of these vulnerabilities could lead to a site takeover, malicious redirects, spam injection, phishing, and much more,” the researchers said in their report. The team reached out to Imagely, NextGen Gallery’s publisher, and patches quickly followed. The patched version, NextGen Gallery v3.5.0 was released on December 17, 2020.
A quick overview of the vulnerabilities is available below.
CVE-2020-35942 – the Critical Bug in NextGen Gallery Plugin
Curiously, the vulnerability stems from the only security function in the plugin. That function, is_authorized_request, is there to protect most of the plugin's settings.
It combined a capability check and a nonce check into a single function so that it could be applied easily throughout the plugin. Unfortunately, Wordfence discovered a logic flaw in is_authorized_request: the nonce check allowed requests to proceed if the $_REQUEST['nonce'] parameter was missing entirely, and only rejected them when the parameter was present but invalid.
The described issue gave threat actors plenty of opportunities for exploitation via an attack vector known as Cross-Site Request Forgery (CSRF). It was also possible to upload arbitrary code through the plugin, leading to remote code execution.
Remote code execution, commonly abbreviated RCE, is one of the most dangerous attacks against websites. A successful RCE attack gives the attacker access to the entire site.
The other vulnerability the researchers uncovered is CVE-2020-35943. It existed in a separate security function, validate_ajax_request, which protects various AJAX actions, including those used to upload images. That function had a similar logic flaw, enabling attackers to chain both vulnerabilities in various attack attempts.
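To make the "missing, not invalid" flaw concrete, here is an added, illustrative PHP reconstruction of the pattern described for both is_authorized_request and validate_ajax_request, with a hardened version beside it. It is not NextGen Gallery's actual code; the nonce action 'ngg_settings', the capability 'manage_options', and the stand-in WordPress functions are assumptions so the file runs outside WordPress.

```php
<?php
// Constructed stand-ins so this runs without WordPress; in a real plugin
// current_user_can() and wp_verify_nonce() come from WordPress core.
if (!function_exists('current_user_can')) {
    function current_user_can($cap) { return true; } // simulate a logged-in admin
}
if (!function_exists('wp_verify_nonce')) {
    function wp_verify_nonce($nonce, $action) {
        return $nonce === 'valid-nonce-for-' . $action ? 1 : false;
    }
}

// FLAWED: the nonce is only verified when the parameter is present, so a
// forged cross-site request that simply omits 'nonce' passes the check.
function is_authorized_request_flawed(array $request) {
    if (!current_user_can('manage_options')) {
        return false;
    }
    if (isset($request['nonce']) && !wp_verify_nonce($request['nonce'], 'ngg_settings')) {
        return false;
    }
    return true;
}

// FIXED: a missing nonce is treated exactly like an invalid one, so the
// request is only allowed when a nonce is present AND verifies.
function is_authorized_request_fixed(array $request) {
    if (!current_user_can('manage_options')) {
        return false;
    }
    $nonce = isset($request['nonce']) ? $request['nonce'] : '';
    if (!wp_verify_nonce($nonce, 'ngg_settings')) {
        return false;
    }
    return true;
}

// Three constructed request shapes: valid nonce, invalid nonce, no nonce.
$cases = [
    'valid nonce'   => ['nonce' => 'valid-nonce-for-ngg_settings'],
    'invalid nonce' => ['nonce' => 'garbage'],
    'no nonce'      => [],
];
foreach ($cases as $label => $req) {
    printf("%-14s flawed=%s fixed=%s\n", $label,
        is_authorized_request_flawed($req) ? 'ALLOW' : 'deny',
        is_authorized_request_fixed($req) ? 'ALLOW' : 'deny');
}
```

The "no nonce" row is the one that matters: the flawed check prints ALLOW while the fixed check prints deny, which is exactly the difference the Wordfence finding turns on.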
Users of the NextGen Gallery plugin should update to the latest version 3.5.0 to avoid any security issues.
Hackers Often Target Vulnerable WordPress Plugins and Themes
We often write about security vulnerabilities in WordPress plugins, highlighting the importance of strict update hygiene. Security researchers often come across severe vulnerabilities in WordPress plugins and themes. HowToHosting.Guide wrote about a large-scale attack endangering millions of WordPress sites in November 2020.
Threat actors took advantage of Function Injection vulnerabilities in many WordPress themes.
We advise you to check that your installed plugins, widgets, and other apps are up to date. Don't forget that these components can be vulnerable to cyberattacks, so check all active site apps for vulnerable code to be sure your site is safe. You can read more web security tips in our special article.