CSRF Vulnerability in NextGEN Gallery Plugin for WordPress
CVE-2020-35942
8.8 HIGH
What is CVE-2020-35942?
A Cross-Site Request Forgery (CSRF) vulnerability in the NextGEN Gallery plugin for WordPress before version 3.5.0 lets an attacker modify the plugin's settings, because the settings handler does not validate a WordPress nonce before applying the change. Without that CSRF protection, the altered settings can lead to unauthorized file upload and local file inclusion, which in turn open avenues for Remote Code Execution (RCE) and Cross-Site Scripting (XSS). Users are advised to update to the latest version to mitigate these risks and maintain site integrity.
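The defect described above is a settings handler that trusts the logged-in admin's cookie alone. The following Python model, added here as an illustration and not code from NextGEN Gallery or WordPress, shows that handler next to the same handler with a nonce check, and replays a legitimate and a forged cross-site request against both. The nonce scheme is a simplified model of how WordPress binds a nonce to a time tick, an action and a user; the secret, the action name `update_gallery_settings`, the settings store and the request dictionaries are all constructed for this example.

```python
"""Model of a WordPress-style nonce check that stops a CSRF settings change.

Added example, not NextGEN Gallery or WordPress code. The nonce scheme is a
simplified model of wp_create_nonce()/wp_verify_nonce(): a keyed hash over a
time tick, the action name and the user id, valid for the current and the
previous tick. Secret, action name, settings store and requests are constructed.
"""
import hashlib
import hmac
import time

NONCE_LIFE = 24 * 60 * 60           # WordPress default: a nonce lives a day, in two 12-hour ticks
SECRET_KEY = b"constructed-secret"  # stands in for the site's NONCE_KEY / NONCE_SALT (constructed)
ACTION = "update_gallery_settings"  # constructed action name for the settings form


def current_tick(now=None):
    """Tick counter the nonce is bound to, so it expires without server-side state."""
    now = time.time() if now is None else now
    return int(now // (NONCE_LIFE / 2))


def create_nonce(action, user_id, tick):
    """Nonce bound to action, user and tick; only the server (holding SECRET_KEY) can mint it."""
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:10]


def verify_nonce(nonce, action, user_id, tick):
    """Accept the nonce for this tick or the previous one (0-24h old), like wp_verify_nonce()."""
    if not isinstance(nonce, str) or not nonce:
        return False
    return any(
        hmac.compare_digest(nonce.encode(), create_nonce(action, user_id, t).encode())
        for t in (tick, tick - 1)
    )


def save_settings_vulnerable(request, session, settings):
    """The pattern the advisory describes: only the login session is checked, no nonce.

    A cross-site form submitted by the victim's browser carries the login cookie
    automatically, so this handler cannot tell a forged request from a real one.
    """
    if not session.get("is_admin"):
        return 403, dict(settings)
    settings["gallery_path"] = request["POST"]["gallery_path"]
    return 200, dict(settings)


def save_settings_hardened(request, session, settings, tick):
    """Same handler with a check_admin_referer()-style nonce validation added."""
    if not session.get("is_admin"):
        return 403, dict(settings)
    nonce = request["POST"].get("_wpnonce")
    if not verify_nonce(nonce, ACTION, session["user_id"], tick):
        return 403, dict(settings)  # forged request: no valid nonce for this user and action
    settings["gallery_path"] = request["POST"]["gallery_path"]
    return 200, dict(settings)


def run_demo(tick=1000):
    """Replay one legitimate and one forged request against both handlers."""
    admin = {"user_id": 1, "is_admin": True}
    # Legitimate submission from the plugin's own settings page, which embedded the nonce
    legit = {"POST": {"gallery_path": "wp-content/gallery",
                      "_wpnonce": create_nonce(ACTION, admin["user_id"], tick)}}
    # Forged cross-site submission: the browser adds the admin's cookie, but the page
    # that built the form never saw the nonce, so the field is absent
    forged = {"POST": {"gallery_path": "constructed/untrusted/path"}}
    results = {}
    handlers = (
        ("vulnerable", lambda r, s, st: save_settings_vulnerable(r, s, st)),
        ("hardened", lambda r, s, st: save_settings_hardened(r, s, st, tick)),
    )
    for name, handler in handlers:
        for kind, req in (("legit", legit), ("forged", forged)):
            status, state = handler(req, admin, {"gallery_path": "wp-content/gallery"})
            results[f"{name}_{kind}"] = (status, state["gallery_path"])
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:18} status={value[0]} gallery_path={value[1]}")
```

In a real plugin the equivalent is to emit the nonce in the form with `wp_nonce_field()` and to reject the request in the handler with `check_admin_referer()` (or `wp_verify_nonce()`) alongside a `current_user_can()` capability check; the forged request in the demo fails only because the attacker's page cannot obtain a nonce tied to the victim's user id and the action.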