Two exposures were disclosed in NextGen Gallery, including a critical Cross-Site Request Forgery (CSRF) leading to full Remote Code Execution (RCE). These vulnerabilities affect over 800,000 WordPress sites where this plugin have been used.
Exploitation of these vulnerabilities could lead to a site takeover, malicious redirects, spam injection, phishing, and much more. These vulnerabilities have been fully patched in plugin version 3.5.0. We strongly recommend that site owners immediately update to the latest version available at this time, which is 3.5.0.
