

Critical Vulnerability Fixed In WordPress Plugin With 800K Installs


The NextGen Gallery development team has addressed two severe CSRF vulnerabilities to protect sites from potential takeover attacks.

NextGEN Gallery, a WordPress plugin used for creating image galleries, currently has over 800,000 active installs, making this security update a top priority for every site owner who has it installed.

Backdoor injection and site takeover

The two NextGEN Gallery security vulnerabilities are rated as high and critical severity by Wordfence’s Threat Intelligence team, who discovered them.

Both of them are Cross-Site Request Forgery (CSRF) bugs which, in the case of the critical vulnerability tracked as CVE-2020-35942, can lead to Reflected Cross-Site Scripting (XSS) and remote code execution (RCE) attacks via file upload or Local File Inclusion (LFI).

Attackers can exploit these flaws by tricking a logged-in WordPress admin into clicking a specially crafted link or opening a crafted attachment. The admin’s browser then submits the forged requests with the admin’s authenticated session, so the plugin accepts them as legitimate settings changes or uploads, and in the reflected XSS case runs attacker-supplied script in the admin’s browser.

Luckily, “[t]his attack would likely require some degree of social engineering, as an attacker would have to trick an administrator into clicking a link that submitted crafted requests to perform these actions,” Wordfence threat analyst Ram Gall said.

(Image: buggy NextGEN Gallery function, via Wordfence)
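The root cause described above is a state-changing admin action that does not verify the request actually originated from the site’s own admin page. The following is an added illustration, not code from the article or from the NextGEN Gallery code base: a hypothetical WordPress plugin settings handler shown first in a CSRF-prone form and then hardened with a capability check, a nonce check, and validation of the stored value so it can never feed an include(). All names (the `csrfdemo_` functions and hooks, the `csrfdemo_gallery_path` option, the `csrfdemo_save_settings` nonce action) are invented for the example; it assumes it is loaded as a plugin inside a running WordPress install.

```php
<?php
// Added example (not NextGEN Gallery's code): hypothetical plugin settings
// handler in a CSRF-prone form and in a hardened form.
// All csrfdemo_* names, the option name and the nonce action are invented.

// --- Vulnerable form ---------------------------------------------------------
// Runs on any POST to admin-post.php?action=csrfdemo_save_vulnerable while an
// admin is logged in. Nothing proves the request came from this site's own
// settings page, so an attacker page that auto-submits a form to this URL is
// accepted on the strength of the victim's session cookie. If the stored value
// later reaches an include(), a CSRF on settings becomes a Local File Inclusion.
function csrfdemo_save_settings_vulnerable() {
    $path = wp_unslash( $_POST['gallery_path'] ?? '' );
    update_option( 'csrfdemo_gallery_path', $path ); // no nonce, no capability, no validation
    wp_safe_redirect( admin_url( 'options-general.php?page=csrfdemo' ) );
    exit;
}
add_action( 'admin_post_csrfdemo_save_vulnerable', 'csrfdemo_save_settings_vulnerable' );

// --- Hardened form -----------------------------------------------------------
function csrfdemo_save_settings_hardened() {
    // 1. Capability check: only users allowed to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // 2. Nonce check: the request must carry the token that wp_nonce_field()
    //    issued to this user for this action; a cross-site form cannot know it.
    //    check_admin_referer() calls wp_die() itself on failure.
    check_admin_referer( 'csrfdemo_save_settings', 'csrfdemo_nonce' );

    // 3. Validate the value so a bad setting can never reach an include().
    $path = csrfdemo_validate_gallery_path( wp_unslash( $_POST['gallery_path'] ?? '' ) );
    if ( null === $path ) {
        wp_die( 'Invalid gallery path', 400 );
    }
    update_option( 'csrfdemo_gallery_path', $path );
    wp_safe_redirect( admin_url( 'options-general.php?page=csrfdemo' ) );
    exit;
}
add_action( 'admin_post_csrfdemo_save_hardened', 'csrfdemo_save_settings_hardened' );

// Accept only an existing relative directory under wp-content/uploads: no
// stream wrappers (php://, phar://), no null bytes, no traversal segments, and
// the resolved path must stay inside the uploads base directory.
// Returns the normalised relative path, or null when the value is rejected.
function csrfdemo_validate_gallery_path( $raw ) {
    if ( ! is_string( $raw ) || strpos( $raw, "\0" ) !== false ) {
        return null;
    }
    if ( preg_match( '#^[a-zA-Z][a-zA-Z0-9+.-]*://#', $raw ) ) {
        return null; // php://, phar://, http:// and friends
    }
    $rel = trim( str_replace( '\\', '/', $raw ), '/' );
    if ( '' === $rel || ! preg_match( '#^[A-Za-z0-9_./-]+$#', $rel ) ) {
        return null;
    }
    foreach ( explode( '/', $rel ) as $segment ) {
        if ( '' === $segment || '.' === $segment || '..' === $segment ) {
            return null;
        }
    }
    $base = realpath( wp_upload_dir()['basedir'] );
    $full = realpath( $base . '/' . $rel );
    if ( false === $base || false === $full
         || strpos( $full, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        return null; // does not exist, or resolves outside the uploads directory
    }
    return $rel;
}

// The settings form the hardened handler expects: wp_nonce_field() emits the
// hidden nonce and referer fields that check_admin_referer() verifies.
function csrfdemo_render_settings_page() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="csrfdemo_save_hardened">
        <?php wp_nonce_field( 'csrfdemo_save_settings', 'csrfdemo_nonce' ); ?>
        <input type="text" name="gallery_path"
               value="<?php echo esc_attr( get_option( 'csrfdemo_gallery_path', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The nonce is what defeats the attack the article describes: an admin lured to an attacker’s page still has a valid session cookie, but the attacker’s auto-submitted form cannot include a token that WordPress only issues to that user, on that site, for that action. The capability check covers requests from lower-privileged logged-in users, and the path validation is the defence in depth that stops a successfully forged settings change from turning into file inclusion.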


Following successful exploitation, the vulnerabilities can let hackers set up malicious redirects, inject spam, abuse compromised sites for phishing, and, ultimately, take over the sites completely.

As Gall further explains, “once an attacker achieves Remote Code Execution on a website, they have effectively taken over that site.”

However, XSS can also be used to take over sites: an attacker who tricks a logged-in admin into visiting a page running a malicious script can act as that admin and, as seen in attacks targeting XSS vulnerabilities, use the script to inject backdoors into the compromised site.

Over 530,000 sites still exposed to attacks

“We initially reached out to the plugin’s publisher, Imagely, the same day, and provided full disclosure the next day, on December 15, 2020,” Gall added.

“Imagely sent us patches for review on December 16, and published the patched version, 3.5.0, on December 17, 2020.”

Although the patched version was released in December, it had only just over 266,000 downloads as of yesterday, according to the raw download stats for the plugin’s entry in the WordPress plugin repository, a figure that includes both updates and new installs.


This translates into more than 530,000 WordPress sites with active NextGEN Gallery installations that are still on a vulnerable version and potentially exposed to takeover attacks if attackers start exploiting the two bugs. Site owners should confirm they are running NextGEN Gallery 3.5.0 or later.
