Vulnerabilities Discovered in NextGEN Gallery Plugin


Multiple vulnerabilities were discovered in NextGEN Gallery, one of the plugins most widely used by WordPress users. Although the developers have released an update that closes the vulnerabilities, most users still haven't installed it.

The WordPress platform is one of the first options for anyone who wants to build a website today. Usable by experienced and inexperienced users alike, WordPress remains popular thanks to its ease of use and a wide plugin library that offers something for every user.

Today, however, an important warning was issued about one of the most popular WordPress plugins. Multiple vulnerabilities have been discovered in NextGEN Gallery, a gallery plugin published in 2007 and used on more than 800,000 active WordPress sites. The plugin's developers have closed the discovered vulnerabilities and told all their users that they should update the plugin.

The site can be seized directly:


The vulnerabilities, discovered by Wordfence Threat Intelligence, were identified as two "cross-site request forgery (CSRF/XSRF)" vulnerabilities. The researchers rated them "high" and "critical" severity, respectively. The vulnerabilities had the potential to result in a website hijacking.

An attacker who wanted to exploit the vulnerabilities in the plugin had to trick the WordPress administrator in some way. After this stage, which could be completed by malicious links or baiting, the attacker could add malicious links and bait mechanisms to the website. Control of the site could also pass completely to the attacker.



Wordfence said in a blog post that this attack requires social engineering to some extent. Although the developers of the NextGEN Gallery plugin have released an update that closes the security vulnerabilities, this update has not yet reached its goal. The developers announced that 300 thousand users have installed the necessary updates so far, and that the websites of the remaining 500 thousand users are insecure.
