The WordPress plugin NextGEN Gallery has fixed two severe CSRF vulnerabilities to protect sites from potential takeover attacks. Wordfence’s Threat Intelligence team rated the vulnerabilities as high and critical severity. Attackers can exploit these flaws by tricking WordPress admins into clicking specially crafted links or attachments, which then execute malicious code in the admins' browsers. Over 530,000 WordPress sites with active NextGEN Gallery installations are potentially exposed to takeover attacks if attackers start exploiting the two bugs. The patched version of the plugin was released in December, but as of yesterday it had only just over 266,000 new downloads.
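For context on the bug class, here is an added illustration (not NextGEN Gallery's code, and not from the article): a hypothetical plugin settings handler written the CSRF-prone way, beside the form hardened with the WordPress nonce and capability checks that reject a request forged from another site. All function and option names prefixed `example_gallery_` are assumptions; the WordPress API calls are real.

```php
<?php
// Added illustration (not NextGEN Gallery's code): a hypothetical plugin
// settings handler, first in a CSRF-prone form, then hardened with the
// WordPress nonce and capability checks that stop a forged admin request.

// VULNERABLE: trusts any POST that reaches admin-post.php while an admin
// is logged in, so a crafted page the admin visits can submit it for them.
function example_gallery_save_settings_unsafe() {
    $options = array(
        'gallery_title' => isset( $_POST['gallery_title'] ) ? $_POST['gallery_title'] : '',
    );
    update_option( 'example_gallery_options', $options );
    wp_safe_redirect( admin_url( 'admin.php?page=example-gallery' ) );
    exit;
}

// HARDENED: the request must carry a nonce tied to this action and the
// current user's session, and the user must actually be allowed to do this.
function example_gallery_save_settings() {
    // Dies with "The link you followed has expired" if the nonce is missing
    // or invalid, which is exactly what a cross-site forged request lacks.
    check_admin_referer( 'example_gallery_save', 'example_gallery_nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example-gallery' ) );
    }

    $options = array(
        // Sanitize before storing; values rendered later must still be
        // escaped on output.
        'gallery_title' => sanitize_text_field( wp_unslash( $_POST['gallery_title'] ?? '' ) ),
    );
    update_option( 'example_gallery_options', $options );
    wp_safe_redirect( admin_url( 'admin.php?page=example-gallery' ) );
    exit;
}
add_action( 'admin_post_example_gallery_save', 'example_gallery_save_settings' );

// The settings form must emit the matching nonce field so legitimate
// submissions pass the check above.
function example_gallery_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_gallery_save">';
    wp_nonce_field( 'example_gallery_save', 'example_gallery_nonce' );
    echo '<input type="text" name="gallery_title">';
    submit_button();
    echo '</form>';
}
```

The nonce alone does not replace the capability check: a nonce proves the request came from a page this user was served, while `current_user_can()` proves the user is entitled to the action.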
Source: https://www.bleepingcomputer.com/news/security/critical-vulnerability-fixed-in-wordpress-plugin-with-800k-installs/