Cross-Site Request Forgery Vulnerability in NextGEN Gallery Plugin for WordPress
CVE-2020-35943

6.5MEDIUM

Key Information:

Vendor: Wordpress
Status: Nextgen Gallery
Vendor: CVE Published:; 9 February 2021

Summary

The NextGEN Gallery plugin prior to version 3.5.0 for WordPress has a Cross-Site Request Forgery (CSRF) vulnerability. This issue allows malicious actors to exploit the plugin by bypassing CSRF protections through the omission of nonce parameters, thereby enabling unauthorized file uploads and potentially compromising the security of WordPress sites.

References

https://www.wordfence.com/blog/2021/02/severe-vulnerabili...

x_refsource_MISC

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Feb 9, 2021
Vulnerability Reserved
Jan 1, 2021