A patch in the NextGen Gallery WordPress plugin fixes critical and high-severity cross-site request forgery flaws.

Researchers are urging WordPress websites that utilize the NextGen Gallery plugin to apply a patch addressing critical and high-severity flaws.

The NextGen Gallery plugin, which is installed on 800,000 WordPress websites, allows sites to upload photos in batch quantities, import metadata and edit image thumbnails. Researchers discovered two cross-site request forgery (CSRF) flaws – one critical and one high-severity – in the plugin.

A patch for the flaws was released in version 3.5.0 on Dec. 17. In the first public disclosure of the flaw's details, released Monday, researchers urged website owners who use the plugin to ensure they are updated.

“Exploitation of these vulnerabilities could lead to a site takeover, malicious redirects, spam injection, phishing and much more,” said Ram Gall with Wordfence, on Monday.

What is a Cross-Site Request Forgery Flaw?

CSRF is a type of web flaw that allows an attacker to trick a victim's browser into sending requests the victim never intended to an application where the victim is already logged in. Typically, CSRF attacks are carried out by sending the victim a link – and using social engineering to persuade them to click on it. When victims click on the link, their browser inadvertently sends a forged request to the server, which treats it as a legitimate action by the authenticated user – allowing the attacker to perform various commands with that user's privileges.

Critical NextGen Gallery Security Flaw

The more serious of the two flaws is a critical-severity vulnerability (CVE-2020-35942). The flaw stems from NextGen Gallery’s security function (is_authorized_request) that is used to protect its various settings. This feature integrates both a capability check and a nonce check into a single function for easier application throughout the plugin.

“Unfortunately, a logic flaw in the is_authorized_request function meant that the nonce check would allow requests to proceed if the $_REQUEST['nonce'] parameter was missing, rather than invalid,” said researchers.

This could have allowed bad actors to carry out various attacks. To exploit this flaw, an attacker would have to trick an administrator into clicking a link. This would then submit crafted requests to perform various malicious actions, said researchers.

A successful attack “would require two separate requests, though this would be trivial to implement and we were able to do so during our testing,” researchers said. And, “the site would require at least one album to be published and accessible to the attacker.”

If an attacker successfully persuaded an admin to click on a link, the file uploaded as a result would then be included and executed whenever the selected album type was viewed on the site. Any JavaScript included in the uploaded file would then also be executed, said researchers.

“As a reminder, once an attacker achieves remote code execution on a website, they have effectively taken over that site,” said researchers. “XSS can likewise be used to take over a site if a logged-in administrator visits a page running a malicious injected script.”

High-Severity File-Upload Security Flaw

A second, similar logic flaw (CVE-2020-35943) stemmed from a separate security function, validate_ajax_request, used for various AJAX actions including those used to upload images.

“This function had a similar logic flaw that would allow requests to proceed if the $_REQUEST['nonce'] parameter was missing, rather than invalid,” said researchers.
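Both flaws described above come down to the same mistake: a combined capability-and-nonce check that only rejects a nonce when one is present, so a request that simply omits the parameter is waved through. The following PHP is an added illustration written for this article; it is a hypothetical reconstruction of that pattern, not the plugin's actual is_authorized_request or validate_ajax_request code, and the action and capability names (example_save_settings, example_upload_image, manage_options, upload_files) are assumed. It shows the vulnerable shape of the check beside a hardened version that treats a missing nonce exactly like an invalid one, using WordPress's standard nonce API.

```php
<?php
// Illustrative example for this article; not code from the NextGen Gallery plugin.
// Action and capability names below are assumed for the example.

// Vulnerable pattern (hypothetical reconstruction of the logic flaw described above).
function vulnerable_is_authorized_request( $action, $capability ) {
    if ( ! current_user_can( $capability ) ) {
        return false;
    }
    // BUG: the nonce is only verified when the parameter is present. A cross-site
    // request that omits 'nonce' entirely skips this branch and is accepted, which
    // is what makes CSRF possible even though a nonce check "exists".
    if ( isset( $_REQUEST['nonce'] ) && ! wp_verify_nonce( $_REQUEST['nonce'], $action ) ) {
        return false;
    }
    return true;
}

// Hardened version: absence and invalidity of the nonce are handled identically.
function hardened_is_authorized_request( $action, $capability ) {
    if ( ! current_user_can( $capability ) ) {
        return false;
    }
    $nonce = isset( $_REQUEST['nonce'] )
        ? sanitize_text_field( wp_unslash( $_REQUEST['nonce'] ) )
        : '';
    // wp_verify_nonce() returns false for an empty string as well as for a stale
    // or forged value, so a missing parameter can no longer pass the check.
    if ( false === wp_verify_nonce( $nonce, $action ) ) {
        return false;
    }
    return true;
}

// Using the hardened check in a settings-save handler (hypothetical action name).
function example_save_gallery_settings() {
    if ( ! hardened_is_authorized_request( 'example_save_settings', 'manage_options' ) ) {
        wp_die( 'Unauthorized request', 'Forbidden', array( 'response' => 403 ) );
    }
    // ... persist the submitted settings here ...
}

// For AJAX actions such as image uploads, WordPress already provides
// check_ajax_referer(), which terminates the request when the nonce is
// missing or invalid. Prefer it over a hand-rolled check.
function example_ajax_upload_image() {
    check_ajax_referer( 'example_upload_image', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient capability', 403 );
    }
    // ... validate and store the uploaded image here ...
    wp_send_json_success();
}
add_action( 'wp_ajax_example_upload_image', 'example_ajax_upload_image' );

// The legitimate admin UI must then carry the nonce on its own requests, e.g.:
// $url = wp_nonce_url( admin_url( 'admin.php?page=example' ), 'example_save_settings', 'nonce' );
```

The key design point is that the nonce check must fail closed: the only code path that returns true is one where wp_verify_nonce() has actually validated a value, never one where validation was skipped. The same principle applies when reviewing any plugin's authorization helper, since a capability check alone does not stop CSRF (the victim administrator has the capability; the attacker is borrowing it).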

Attackers could trick an administrator into submitting a request crafted to upload an arbitrary image file. While the uploaded file had to be a valid image file, it is possible to hide a webshell or other malicious, executable PHP code within such an image file, they said.

“This could also be combined with the previous vulnerability, and the image file could be set as a ‘Legacy Template,’ at which point it would be included and the code within would be executed,” said researchers. “Again, this would require some degree of social engineering, as an attacker would have to trick an administrator into clicking a link that resulted in these requests being sent.”

Source: threatpost.com