Critical WordPress Plugin Flaw Allows Site Takeover
#1
Information 
Quote:Researchers are urging WordPress websites that utilize the NextGen Gallery plugin to apply a patch addressing critical and high-severity flaws.
 
The NextGen Gallery plugin, which is installed on 800,000 WordPress websites, allows sites to upload photos in batch quantities, import metadata and edit image thumbnails. Researchers discovered two cross-site request forgery (CSRF) flaws – one critical and one high-severity – in the plugin.
 
A patch was released for flaws in version 3.5.0, on Dec. 17. In the first public disclosure of details of the flaw, released Monday, researchers urged website owners who use the plugin to ensure they are updated.

“Exploitation of these vulnerabilities could lead to a site takeover, malicious redirects, spam injection, phishing and much more,” said Ram Gall with Wordfence, on Monday.

CSRF is a type of web flaw that allows an attacker to trick web browsers into performing malicious, unauthorized commands. Typically, CSRF attacks are carried out by attackers with a link sent to the victim – and using social engineering to persuade them to click on it. When victims click on the link, they are inadvertently sending a forged request to a server – resulting in the attacker being able to perform various commands.

Read more: https://threatpost.com/critical-wordpres...er/163734/
[-] The following 1 user says Thank You to silversurfer for this post:
  • harlan4096
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:





[-]
Recent Posts
QOwnNotes
26.7.2 Added supp...Kool — 03:40
WhatsApp Launches New Username Feature ...
WhatsApp Opens Usern...harlan4096 — 17:12
AnyDesk 9.7.9 for Windows
Version 9.7.9 for ...harlan4096 — 15:57
uBOLite 2026.705.2152 (already available...
uBOLite 2026.705.2...harlan4096 — 10:23
Microsoft Warns Windows 11 Enterprise De...
Microsoft has issu...harlan4096 — 10:22

[-]
Birthdays
Today's Birthdays
avatar (56)Step 1
Upcoming Birthdays
avatar (47)dapedDow
avatar (49)TromPerl
avatar (46)RidgeDimb
avatar (37)ipumaqar
avatar (51)tanliorsPeri
avatar (43)lapedDow
avatar (49)rituabew
avatar (37)omyjul
avatar (41)papedDow
avatar (50)ArnoldFum
avatar (38)yfaza
avatar (49)Kevensi
avatar (48)ConradRoand
avatar (39)boineDon
avatar (51)spoofTum
avatar (50)WillieVot
avatar (40)Grompelbawn
avatar (41)vkseogaF
avatar (37)usogy
avatar (40)ywixazok
avatar (38)ixoqe
avatar (36)pa.OpenTran

[-]
Online Staff
There are no staff members currently online.

>