Blog | G5 Cyber Security

Critical WordPress Plugin Flaw Allows Site Takeover

The NextGen Gallery plugin allows sites to upload photos in batch quantities, import metadata and edit image thumbnails. Researchers discovered two cross-site request forgery (CSRF) flaws in the plugin, one rated critical and one high-severity. One flaw stems from a security function (is_authorized_request) that is used to protect the plugin's settings. The other stems from a separate security function, validate_ajax_request, used for various AJAX actions. To exploit this flaw, an attacker would have to trick an administrator into clicking a link.

Source: https://threatpost.com/critical-wordpress-plugin-flaw-site-takeover/163734/
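The two functions named above are exactly the kind of request-validation code a WordPress plugin relies on for its settings page and its AJAX endpoints. The example below is added here and is not NextGen Gallery code nor taken from the Threatpost article; the plugin slug, option name and function names are hypothetical. It contrasts a handler that only checks who is making the request (capability) with one that also verifies a WordPress nonce, which is what stops a request that an administrator was tricked into sending from being accepted.

```php
<?php
// Added example (not NextGen Gallery code). Plugin slug, option names and
// function names ("example_*") are hypothetical; the WordPress APIs are real.

/**
 * Weak pattern: checks WHO is asking (capability) but not WHETHER the request
 * was intentionally sent from the plugin's own page. A logged-in admin who
 * opens a crafted link or auto-submitting form still passes this check, which
 * is the CSRF risk the article describes.
 */
function example_save_settings_weak() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    update_option(
        'example_gallery_path',
        sanitize_text_field( wp_unslash( $_POST['gallery_path'] ?? '' ) )
    );
}

/**
 * Hardened pattern: capability check AND a nonce bound to this action.
 * check_admin_referer() verifies the nonce field (and the referer when one is
 * present) and stops execution with an error page if verification fails.
 */
function example_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // The action and field name must match the wp_nonce_field() call in the form.
    check_admin_referer( 'example_save_settings', 'example_settings_nonce' );

    update_option(
        'example_gallery_path',
        sanitize_text_field( wp_unslash( $_POST['gallery_path'] ?? '' ) )
    );
}
add_action( 'admin_post_example_save_settings', 'example_save_settings' );

/** Settings form: emits the hidden nonce field that the handler above verifies. */
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings">
        <?php wp_nonce_field( 'example_save_settings', 'example_settings_nonce' ); ?>
        <input type="text" name="gallery_path"
               value="<?php echo esc_attr( get_option( 'example_gallery_path', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

/**
 * AJAX action with the same two checks. With the third argument set to false,
 * check_ajax_referer() returns false instead of dying, so the handler can
 * answer with a JSON error and a 403 status.
 */
function example_ajax_delete_image() {
    if ( ! check_ajax_referer( 'example_delete_image', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or missing nonce' ), 403 );
    }
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    $image_id = absint( $_POST['image_id'] ?? 0 );
    // ... delete $image_id here (omitted) ...
    wp_send_json_success( array( 'deleted' => $image_id ) );
}
add_action( 'wp_ajax_example_delete_image', 'example_ajax_delete_image' );

// The browser-side caller receives its nonce from the server, for example:
// wp_localize_script( 'example-js', 'exampleAjax',
//     array( 'nonce' => wp_create_nonce( 'example_delete_image' ) ) );
```

The order of the two checks does not matter for safety, but both are required: a capability check alone answers "may this user do this?", while the nonce answers "did this user actually ask for it from our page?". When reviewing a plugin's own validation helpers, confirm that every settings-saving and `wp_ajax_*` handler reaches a `check_admin_referer()`/`check_ajax_referer()` or `wp_verify_nonce()` call that cannot be skipped by omitting a parameter.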
