WordPress Plugin Active on over 800,000 Sites Vulnerable to pwnage

Users of NextGEN Gallery, the WordPress image management plugin, have been urged to update their websites after discovering serious cross-site request forgery (CSRF) vulnerabilities.

The most serious of the two vulnerabilities identified by security researchers – each living in separate functions – could lead to remote code execution (RCE) and stored cross-site scripting (XSS).

Moreover, as a result, attackers could take control of a website, inject spam links, or redirect visitors to phishing domains, according to a blog post published by Wordfence researchers (February 8).

Critical – with caveats

Although one flaw (CVE-2020-35942) assigned a critical CVSS of 9.6. And