Unpatched sites could get pwned – but admins must fall for social engineering

WordPress security flaws: 800,000 sites running NextGen Gallery plugin potentially vulnerable to takeover

UPDATED Users of NextGEN Gallery, the image management plugin for WordPress, have been urged to update their websites after the discovery of cross-site request forgery (CSRF) vulnerabilities.

The most serious of two flaws found by security researchers – each residing in separate security functions – could lead to remote code execution (RCE) and stored cross-site scripting (XSS).

As a result, attackers could take control of a website, inject it with spam links, or redirect visitors to phishing domains, according to a blog post disclosing the findings of Wordfence researchers yesterday (February 8).

Critical – with caveats

Although one flaw (CVE-2020-35942) was assigned a critical CVSS of 9.6, and the other, file upload bug (CVE-2020-35943) was deemed borderline critical (CVSS 8.8), both first required the duping of an administrator into clicking a malicious link.

Exploitation of the critical vulnerability was dependent on the user triggering the sending of two malicious crafted requests instead of one, and the existence of at least one image album created by web admins.

However, Wordfence threat analyst Ram Gall, who discovered the flaws, told The Daily Swig that they managed to send “both requests required to achieve RCE with a single visit”, while “most sites using Nextgen gallery are going to have a published album because that’s the primary use case for the plugin.

“In other words, this is as easy or hard to exploit as any other CSRF. The social engineering aspect is the only restriction, and the CVSS score takes into account that user interaction is required.”

However, Mike Weichert, chief architect at Imagely, added further caveats.

The vulnerable function is maintained “for backwards compatibility”, in a rarely used feature, he told The Daily Swig.

“As such, we were achieving security-via-obscurity in this regard till now. We should make it clear too – these vulnerabilities require admin access” and successful social engineering.”

Published by Imagely, NextGen Gallery is an open source extension with more than 800,000 installations.

CSRF via file upload or LFI

The critical flaw resides in the settings-safeguarding security function is_authorized_request.

A logic flaw in a function that consolidates capability and nonce checks meant the nonce check permitted requests where the “$_REQUEST[‘nonce’] parameter was missing, rather than invalid”, explained Gall in the blog post.

As a result, it was possible to upload CSS files with double extensions (for example file.php.css) and achieve RCE.

“These files would only be executable on certain configurations, such as Apache/mod_php with an AddHandler directive,” said Gall.


Catch up on the latest WordPress security news


However, RCE, along with local file inclusion (LFI), could be achieved with other configurations via the soon-to-be-deprecated ‘legacy templates’ feature, which also uses is_authorized_request.

“Thus, it was possible to set various album types to use a template with the absolute path of the file uploaded in the previous step, or perform a directory traversal attack using the relative path of the uploaded file, regardless of that file’s extension, through a CSRF attack,” explained Gall.

The uploaded file would then be “executed whenever the selected album type was viewed on the site”, and, if armed with JavaScript, result in XSS. However, site takeover would only follow “if a logged-in administrator visits a page running a malicious injected script”.

Gall also told The Daily Swig: “It’s possible to set every legacy template to use the relative path to the uploaded file in a single request, so no reconnaissance is necessary to determine what types of album are published or to gain knowledge of the site’s file structure in order to include the uploaded file.”

CSRF leading to file upload

The validate_ajax_request security function shared the same $_REQUEST[‘nonce’] flaw as is_authorized_request, which enabled attackers to trick “an administrator into submitting a request crafted to upload an arbitrary image file” containing a hidden webshell or other executable PHP code.

The two flaws could also be chained to set the image file as a ‘legacy template’, thus unleashing the malicious code – but again, only once an administrator clicks a malicious link.

‘Fast and professional’

Imagely received the vulnerability report on December 15, and released the patched version, 3.5.0, two days later on December 17. All previous versions are affected.

Wordfence’s Gall praised Imagely’s “fast and professional response” and urged site owners to “immediately update to the latest version”.

Said Mike Weichert of Imagely: “We take all security reports very seriously. When a report comes in, it’s all hands on deck to patch the hole and push a release as soon as possible,” although he added that many are “for issues we’ve found and addressed already”.

Plans to deprecate “rarely used functionality” were now being accelerated, he continued, while ageing components of the plugin – one of the WordPress ecosystem’s oldest – would be replaced “this year with modern and secure counterparts.”

Weichert said Gall “was a pleasure to work with” and expressed gratitude for “a free security audit from the best in the business”.


This article was updated on February 10 with additional comments from Wordfence, then on February 11 with comments from Imagely.


YOU MIGHT ALSO LIKE Cyberpunk 2077 developers held to ransom after cyber-attack, source code theft