Users of NextGEN Gallery, the WordPress image management plugin, have been urged to update their websites after the discovery of serious cross-site request forgery (CSRF) vulnerabilities.

The more serious of the two vulnerabilities identified by security researchers – each living in a separate function – could lead to remote code execution (RCE) and stored cross-site scripting (XSS).

As a result, attackers could take control of a website, inject spam links, or redirect visitors to phishing domains, according to a blog post published by Wordfence researchers (February 8).

Critical – with caveats

One flaw (CVE-2020-35942) was assigned a critical CVSS score of 9.6, and the other, a file upload bug (CVE-2020-35943), was rated borderline critical (CVSS 8.8). However, both first required an administrator to click a malicious link.

The critical vulnerability required this link to trigger two malicious requests rather than one – although testing suggested this was “trivial to implement” – as well as the existence of at least one image album created by the web admin.

Published by Imagely, NextGEN Gallery is an open source extension with over 800,000 installations.

CSRF via file upload or LFI

The critical flaw resided in is_authorized_request, the security function that protects the plugin’s settings.

A logic flaw in the function, which consolidated capability and nonce checks, meant the nonce check permitted requests where the “$_REQUEST[‘nonce’] parameter was missing, rather than invalid,” explained Ram Gall, Wordfence threat analyst.
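To make the logic flaw concrete, here is an added illustration (not NextGEN Gallery’s code) of a consolidated capability-and-nonce check that only validates a nonce when one is present, alongside a hardened version that treats a missing nonce exactly like an invalid one. The make_nonce, verify_nonce and current_user_can_manage helpers are assumed stand-ins for WordPress’s wp_create_nonce, wp_verify_nonce and current_user_can, so the script runs without WordPress.

```php
<?php
// Added illustration, not the plugin's own code. The helpers below are
// assumed stand-ins for WordPress nonce and capability functions.
const SECRET = 'constructed-demo-secret';

function make_nonce(string $action): string {
    return hash_hmac('sha256', $action, SECRET);
}
function verify_nonce(?string $nonce, string $action): bool {
    return is_string($nonce) && hash_equals(make_nonce($action), $nonce);
}
function current_user_can_manage(): bool {
    return true; // the victim is a logged-in administrator
}

// Flawed: the nonce is validated only when present, so a cross-site
// request that simply omits the parameter is accepted as long as the
// browser sends the admin's session cookie. That is the CSRF exposure.
function is_authorized_request_flawed(array $request): bool {
    if (!current_user_can_manage()) return false;
    if (isset($request['nonce']) && !verify_nonce($request['nonce'], 'ngg_settings')) {
        return false;   // an invalid nonce is rejected ...
    }
    return true;        // ... but a missing nonce falls through
}

// Hardened: absence and invalidity are handled identically.
function is_authorized_request_fixed(array $request): bool {
    if (!current_user_can_manage()) return false;
    return verify_nonce($request['nonce'] ?? null, 'ngg_settings');
}

// Constructed sample requests: legitimate, forged nonce, and no nonce at all.
$good   = ['nonce' => make_nonce('ngg_settings')];
$bad    = ['nonce' => 'forged'];
$absent = [];

foreach (['flawed' => 'is_authorized_request_flawed',
          'fixed'  => 'is_authorized_request_fixed'] as $label => $fn) {
    printf("%-6s valid=%d invalid=%d missing=%d\n",
           $label, $fn($good), $fn($bad), $fn($absent));
}
```

The flawed check accepts the request with no nonce while the fixed one rejects it; a useful review habit is to grep nonce checks for `isset(...) &&` guards that let the absent case through.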

As a result, an attacker could upload CSS files with double extensions (e.g. file.php.css) and achieve RCE.

“These files would only be executable on certain configurations, such as Apache/mod_php with the AddHandler directive,” Gall said.

However, RCE, along with local file inclusion (LFI), could be achieved on other configurations through the soon-to-be-deprecated ‘legacy templates’ feature, which also uses is_authorized_request.

“Thus, it was possible to set various album types to use a template with the absolute path of the file uploaded in the previous step, or perform a directory traversal attack using the relative path of the uploaded file, regardless of that file’s extension, through a CSRF attack,” explained Gall.

The uploaded file would then be “executed whenever the selected album type was viewed on the site”, resulting in XSS if it was armed with JavaScript. Site takeover, however, would only follow “if the logged-in administrator visits a malicious injected script page.”

CSRF leading to file upload

The validate_ajax_request security function shared the same $_REQUEST[‘nonce’] flaw as is_authorized_request, which allowed attackers to trick the “Administrator to submit a request to upload an arbitrary image file” containing a hidden webshell or other executable PHP code.

The two flaws could also be chained to set the image file as a ‘legacy template’, thus unleashing the malicious code – but again, only once an administrator clicked a malicious link.

‘Fast and professional’

Imagely received the vulnerability report on December 15 and released the patched version, 3.5.0, two days later on December 17. All previous versions are affected.

Wordfence’s Gall praised Imagely’s “fast and professional response” and urged site owners to “immediately update to the latest version”.
