As discovered by the security team at Wordfence Threat Intelligence, a previous version of the image gallery plugin suffered from two cross-site request forgery (CSRF) flaws, which opened the door to website takeover. Researchers classified the first vulnerability as high severity and the second as critical, because it could be abused to perform both reflected cross-site scripting (XSS) and remote code execution (RCE) attacks.
WordPress plugin exploit
To exploit the vulnerable plugin, an attacker would need to trick a WordPress administrator into opening a malicious link in their web browser, perhaps via a phishing attack; the forged request then rides on the administrator's already-authenticated session.
If successful, the attacker would be free to introduce malicious redirects, phishing mechanisms and ultimately do whatever they liked with the compromised website.
“This attack would likely require some degree of social engineering…Additionally, performing these actions would require two separate requests, though this would be trivial to implement,” explained Wordfence in a blog post.
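To show the defect class behind both bugs from the defender's side, here is an added example (not NextGEN Gallery's code and not from the Wordfence post) of a hypothetical WordPress plugin settings handler: the first version accepts any request that arrives with a logged-in administrator's cookies, which is exactly what a forged cross-site form supplies; the second requires a per-user nonce and a capability check, so the forged request is rejected. The plugin slug `examplegallery`, its option name and its hook names are assumptions.

```php
<?php
// Hypothetical plugin "examplegallery" (assumed names; not NextGEN Gallery's code).

// BEFORE: a POST to admin-post.php?action=examplegallery_save is accepted as long as the
// browser attaches an admin's session cookies. A page on another site can auto-submit such
// a form, so the admin only has to open a link for the setting to be changed (CSRF).
function examplegallery_save_settings_vulnerable() {
    update_option( 'examplegallery_gallery_path', $_POST['gallery_path'] ); // origin unchecked, value unsanitized
    wp_safe_redirect( admin_url( 'options-general.php?page=examplegallery' ) );
    exit;
}

// AFTER: bind the request to a nonce that only the real settings page can emit, and confirm
// the user may change settings at all. A third-party page cannot read the nonce, so a forged
// request dies inside check_admin_referer() before any option is written.
function examplegallery_save_settings_hardened() {
    check_admin_referer( 'examplegallery_save_settings', 'examplegallery_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Sanitize before storing so a value later echoed into the settings page cannot carry script.
    $path = sanitize_text_field( wp_unslash( $_POST['gallery_path'] ?? '' ) );
    update_option( 'examplegallery_gallery_path', $path );
    wp_safe_redirect( admin_url( 'options-general.php?page=examplegallery&updated=1' ) );
    exit;
}
add_action( 'admin_post_examplegallery_save', 'examplegallery_save_settings_hardened' );

// The genuine settings form emits the matching nonce field next to the input.
function examplegallery_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="examplegallery_save">
        <?php wp_nonce_field( 'examplegallery_save_settings', 'examplegallery_nonce' ); ?>
        <label>Gallery path
            <input type="text" name="gallery_path"
                   value="<?php echo esc_attr( get_option( 'examplegallery_gallery_path', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

When auditing a plugin update for a fix of this kind, look for exactly these two additions in the request handlers: a nonce check and a capability check on every state-changing admin action, plus sanitization of anything written to options.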
The NextGEN Gallery developers delivered a patch for the two bugs in December, but only circa 300,000 users have installed the necessary update so far, meaning upwards of 500,000 websites remain unprotected.
All users of the NextGEN Gallery plugin are advised to update to the latest version immediately, to safeguard against attack.