Critical WordPress Plugin Flaw Allows Site Takeover


A patch in the NextGen Gallery WordPress plugin fixes critical and high-severity cross-site request forgery flaws.

Researchers are urging WordPress websites that utilize the NextGen Gallery plugin to apply a patch addressing critical and high-severity flaws.

The NextGen Gallery plugin, which is installed on 800,000 WordPress websites, allows sites to upload photos in batch quantities, import metadata and edit image thumbnails. Researchers discovered two cross-site request forgery (CSRF) flaws – one critical and one high-severity – in the plugin.

A patch for the flaws was released in version 3.5.0 on Dec. 17. In the first public disclosure of the flaws' details, released Monday, researchers urged website owners who use the plugin to ensure they are updated.

“Exploitation of these vulnerabilities could lead to a site takeover, malicious redirects, spam injection, phishing and much more,” said Ram Gall with Wordfence, on Monday.

What is a Cross-Site Request Forgery Flaw?

CSRF is a type of web flaw that allows an attacker to trick a web browser into performing malicious, unauthorized commands. Typically, an attacker carries out a CSRF attack by sending the victim a link and using social engineering to persuade them to click on it. When the victim clicks the link, their browser inadvertently sends a forged request to the server – carrying the victim's session – which allows the attacker to perform various commands as that user.

Critical NextGen Gallery Security Flaw

The more serious of the two flaws is a critical-severity vulnerability (CVE-2020-35942). The flaw stems from NextGen Gallery’s security function (is_authorized_request) that is used to protect its various settings. This feature integrates both a capability check and a nonce check into a single function for easier application throughout the plugin.

“Unfortunately, a logic flaw in the is_authorized_request function meant that the nonce check would allow requests to proceed if the $_REQUEST['nonce'] parameter was missing, rather than invalid,” said researchers.

This could have allowed bad actors to carry out various attacks. To exploit this flaw, an attacker would have to trick an administrator into clicking a link. This would then submit crafted requests to perform various malicious actions, said researchers.

A successful attack “would require two separate requests, though this would be trivial to implement and we were able to do so during our testing,” researchers said. And, “the site would require at least one album to be published and accessible to the attacker.”

If an attacker successfully persuaded an admin to click on such a link, the uploaded file would then be included and executed whenever the selected album type was viewed on the site. Any JavaScript included in the uploaded file would also be executed, said researchers.

“As a reminder, once an attacker achieves remote code execution on a website, they have effectively taken over that site,” said researchers. “XSS can likewise be used to take over a site if a logged-in administrator visits a page running a malicious injected script.”

High-Severity File-Upload Security Flaw

A second, similar logic flaw (CVE-2020-35943) stemmed from a separate security function, validate_ajax_request, used for various AJAX actions including those used to upload images.

“This function had a similar logic flaw that would allow requests to proceed if the $_REQUEST['nonce'] parameter was missing, rather than invalid,” said researchers.
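The pattern behind both flaws – the one in is_authorized_request and the one in validate_ajax_request – is the same: a nonce is verified only when it is present, so a request that simply omits the parameter is accepted on the capability check alone, and a logged-in administrator's browser satisfies that check for any cross-site request. The PHP below is an added illustration, not NextGen Gallery's code (the plugin's real function bodies are not reproduced in this article); it shows the flawed check beside a hardened one and exercises both with a valid, an invalid and a missing nonce. The `demo_*` helpers are stand-ins for WordPress's wp_verify_nonce() and current_user_can() so the file runs with plain `php` outside WordPress, and the action name is hypothetical.

```php
<?php
// Added example: the "missing vs. invalid" nonce logic flaw, beside a hardened check.
// Hypothetical reconstruction of the pattern; not NextGen Gallery's actual code.

// Stand-ins for WordPress's wp_verify_nonce() / current_user_can(), so this runs
// outside WordPress. A real plugin must call the WordPress functions instead.
const DEMO_SECRET = 'constructed-secret-for-demo'; // constructed; WP derives nonces from salts and the session

function demo_create_nonce(string $action): string {
    return substr(hash_hmac('sha256', $action, DEMO_SECRET), 0, 10);
}

function demo_verify_nonce(?string $nonce, string $action): bool {
    // A null or empty nonce never verifies: absence is treated exactly like invalidity.
    return is_string($nonce) && $nonce !== '' && hash_equals(demo_create_nonce($action), $nonce);
}

function demo_current_user_can(string $capability): bool {
    // The victim of a CSRF is a logged-in administrator, so the capability check passes.
    return true;
}

// VULNERABLE pattern: the nonce is only checked when the parameter is present.
// Omitting 'nonce' skips the check entirely and the request proceeds on capability alone.
function vulnerable_is_authorized_request(array $request, string $action): bool {
    if (!demo_current_user_can('manage_options')) {
        return false;
    }
    if (isset($request['nonce']) && !demo_verify_nonce($request['nonce'], $action)) {
        return false;
    }
    return true;
}

// HARDENED pattern: the nonce is verified unconditionally; missing and invalid both fail.
function hardened_is_authorized_request(array $request, string $action): bool {
    if (!demo_current_user_can('manage_options')) {
        return false;
    }
    return demo_verify_nonce($request['nonce'] ?? null, $action);
}

$action = 'demo_update_settings'; // hypothetical action name, not the plugin's

// Constructed sample requests: what $_REQUEST would hold in each case.
$cases = [
    'valid nonce'   => ['nonce' => demo_create_nonce($action), 'setting' => 'x'],
    'invalid nonce' => ['nonce' => 'bogus', 'setting' => 'x'],
    'missing nonce' => ['setting' => 'x'],
];

foreach ($cases as $label => $request) {
    printf(
        "%-14s vulnerable=%-5s hardened=%s\n",
        $label,
        var_export(vulnerable_is_authorized_request($request, $action), true),
        var_export(hardened_is_authorized_request($request, $action), true)
    );
}
// Expected: the 'missing nonce' row is accepted by the vulnerable check (true)
// and rejected by the hardened one (false); the other two rows agree.
```

In a real WordPress plugin the hardened form is simply to pass whatever was submitted to wp_verify_nonce() every time, e.g. `wp_verify_nonce( $_REQUEST['nonce'] ?? '', $action )`, or to use check_ajax_referer() for AJAX handlers, both of which return false for an absent nonce. The capability check is not a substitute for the nonce check: the capability belongs to the victim whose browser is being driven, while the nonce is what proves the request originated from the site's own UI.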

Attackers could trick an administrator into submitting a request crafted to upload an arbitrary image file. While the uploaded file had to be a valid image file, it is possible to hide a webshell or other malicious, executable PHP code within such an image file, they said.

“This could also be combined with the previous vulnerability, and the image file could be set as a ‘Legacy Template,’ at which point it would be included and the code within would be executed,” said researchers. “Again, this would require some degree of social engineering, as an attacker would have to trick an administrator into clicking a link that resulted in these requests being sent.”

Update to NextGen Gallery Version 3.5.0

The developer of NextGen Gallery, Imagely, has issued patches for these flaws in version 3.5.0. According to the NextGen Gallery plugin page, only 26.2 percent of users are running version 3.5. Threatpost has reached out to Imagely for further comment.


The number of installs for each version of NextGen Gallery. Credit: Imagely

“If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as these are critical and high severity vulnerabilities that can lead to full site takeover,” said researchers.

The flaw is only the latest to plague a WordPress plugin. Last week, a security bug in Contact Form 7 Style, a WordPress plugin installed on over 50,000 sites, was reported that could allow for malicious JavaScript injection on a victim website. And in January, two flaws (one critical) in a WordPress plugin called Orbit Fox were found that could allow attackers to inject malicious code into vulnerable websites, or take control of a website.
