If you’re currently using the NextGEN Gallery plugin by Photocrati Media, we recommend immediately updating the plugin on all your sites to version 2.0.79.
After two vulnerabilities (a Cross-Site Request Forgery (CSRF) and an Unsafe Arbitrary File Upload) were discovered in the plugin earlier this month, the Photocrati team immediately put out a patch with a security fix.
According to Nettitude:
An average of 20% of these installs will allow for lower-level users (editors, subscribers, etc.) to perform image uploads. Some of the extensions provided for the NextGEN Gallery allow for Public file uploading.
WordPress.org estimates over 1 million active installs of NextGEN, and over 10,000 installs of NextGEN Public Uploader. This means there could be over 200,000 sites that are vulnerable to webshell through unsafe file upload and 10,000 vulnerable to unauthenticated unsafe file upload.
The best way to protect your site is by updating the NextGEN plugin to the latest version (v2.0.79). Any version of the plugin at or below 2.0.77 is potentially vulnerable.
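For site owners who manage several installs and want to confirm the state of each one rather than trust a dashboard notice, here is an added audit script. It is an example written for this post, not code from Photocrati or from the plugin. The version thresholds (2.0.77 vulnerable, 2.0.79 fixed) come from the advisory above; the file layout it assumes (the plugin's header in wp-content/plugins/nextgen-gallery/nggallery.php and gallery uploads under wp-content/gallery) is an assumption and should be adjusted to your install. It does two things: classifies the installed NextGEN version, and lists files in the gallery upload directory that are not plain images, which is the kind of artifact an unsafe upload would leave behind.

```python
"""Added NextGEN audit helper (example code, not Photocrati's or the plugin's).

Checks drawn from the advisory:
  1. read the plugin header and classify the version as 'vulnerable'
     (at or below 2.0.77), 'update' (below the fixed 2.0.79) or 'ok';
  2. list files under the gallery upload directory that are not plain
     images: non-image extensions, or image-named files carrying a PHP tag.
Assumed (not from the advisory): the plugin main file is
wp-content/plugins/nextgen-gallery/nggallery.php and uploads live in
wp-content/gallery.
"""
import re
from pathlib import Path

FIXED_VERSION = "2.0.79"     # version the advisory says to update to
LAST_VULNERABLE = "2.0.77"   # "at or below 2.0.77 is potentially vulnerable"

# WordPress plugin headers carry a line like "Version: 2.0.77" in a comment block.
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)
IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif"}
# Matches "<?php", "<?=" or a bare "<?" followed by whitespace; "<?xml" does not match.
PHP_TAG = re.compile(rb"<\?(php|=)?\s", re.IGNORECASE)


def parse_version(version):
    """'2.0.77' -> (2, 0, 77); a non-numeric component counts as 0."""
    out = []
    for part in version.split("."):
        m = re.match(r"\d+", part)
        out.append(int(m.group()) if m else 0)
    return tuple(out)


def version_from_header(header_text):
    """Return the Version: value from a plugin file header, or None."""
    m = HEADER_RE.search(header_text)
    return m.group(1) if m else None


def classify(version):
    """'vulnerable' (<= 2.0.77), 'update' (< 2.0.79) or 'ok'."""
    v = parse_version(version)
    if v <= parse_version(LAST_VULNERABLE):
        return "vulnerable"
    if v < parse_version(FIXED_VERSION):
        return "update"
    return "ok"


def audit_plugins(plugins_dir):
    """Classify the NextGEN install found under one wp-content/plugins directory."""
    main = Path(plugins_dir) / "nextgen-gallery" / "nggallery.php"  # assumed layout
    if not main.is_file():
        return "not-installed"
    version = version_from_header(main.read_text(errors="replace"))
    return classify(version) if version else "unknown-version"


def suspicious_uploads(gallery_dir):
    """Return (path, reason) for files under gallery_dir that are not plain images.

    Flags (a) any extension outside IMAGE_EXT and (b) image-named files whose
    bytes contain a PHP open tag, which an extension-only upload filter lets through.
    """
    hits = []
    root = Path(gallery_dir)
    if not root.is_dir():
        return hits
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        if path.suffix.lower() not in IMAGE_EXT:
            hits.append((str(path), "non-image extension"))
            continue
        head = path.read_bytes()[:65536]
        if PHP_TAG.search(head):
            hits.append((str(path), "php tag inside image file"))
    return hits


# Constructed sample header in the shape of a real plugin file's comment block.
SAMPLE_HEADER = """<?php
/*
Plugin Name: NextGEN Gallery
Version: 2.0.77
*/
"""

if __name__ == "__main__":
    print(classify(version_from_header(SAMPLE_HEADER)))        # vulnerable
    print(audit_plugins("/var/www/html/wp-content/plugins"))    # adjust to your site
    for hit in suspicious_uploads("/var/www/html/wp-content/gallery"):
        print(*hit)
```

Run it once before and once after the update: the first call should move from "vulnerable" to "ok", and anything the upload scan reports deserves a look regardless of the plugin version, since updating removes the hole but not files that already came through it.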
Update The Plugin On All Your Sites Now with Sync
To update the NextGEN plugin on all your sites, Sync users can log in now to update. You can also manually update the plugin after logging in to your WordPress dashboard. You’ll see the v2.0.79 update for NextGEN available from your Updates menu.