CVE-2020-35942

Name of the Vulnerable Software and Affected Versions: NextGEN Gallery plugin versions prior to 3.5.0

Description: A Cross-Site Request Forgery (CSRF) issue allows File Upload and Local File Inclusion via settings modification, leading to Remote Code Execution and XSS. It is possible to bypass CSRF protection by not including a nonce parameter.

Recommendations: For NextGEN Gallery plugin versions prior to 3.5.0, update to version 3.5.0 or later to resolve the issue. As a temporary workaround, consider disabling the file upload feature and restricting settings modification until a patch is available. Avoid using the nonce parameter in a way that could be exploited to bypass CSRF protection.