A patch in the NextGen Gallery WordPress plugin fixes critical and high-severity cross-site request forgery flaws.
Researchers are urging WordPress websites that utilize the NextGen Gallery plugin to apply a patch addressing critical and high-severity flaws.
The NextGen Gallery plugin, which is installed on 800,000 WordPress websites, allows sites to upload photos in batch quantities, import metadata and edit image thumbnails. Researchers discovered two cross-site request forgery (CSRF) flaws – one critical and one high-severity – in the plugin.
A patch was released for flaws in version 3.5.0, on Dec. 17. In the first public disclosure of details of the flaw, released Monday, researchers urged website owners who use the plugin to ensure they are updated.