Quote:Researchers are urging WordPress websites that utilize the NextGen Gallery plugin to apply a patch addressing critical and high-severity flaws.
 
The NextGen Gallery plugin, which is installed on 800,000 WordPress websites, allows sites to upload photos in batch quantities, import metadata and edit image thumbnails. Researchers discovered two cross-site request forgery (CSRF) flaws – one critical and one high-severity – in the plugin.
 
A patch was released for flaws in version 3.5.0, on Dec. 17. In the first public disclosure of details of the flaw, released Monday, researchers urged website owners who use the plugin to ensure they are updated.

“Exploitation of these vulnerabilities could lead to a site takeover, malicious redirects, spam injection, phishing and much more,” said Ram Gall with Wordfence, on Monday.

CSRF is a type of web flaw that allows an attacker to trick web browsers into performing malicious, unauthorized commands. Typically, CSRF attacks are carried out by attackers with a link sent to the victim – and using social engineering to persuade them to click on it. When victims click on the link, they are inadvertently sending a forged request to a server – resulting in the attacker being able to perform various commands.