https://www.pluginvulnerabilities.com/2017/03/13/cross-site-request-forgery-csrfarbitrary-file-upload-vulnerability-in-really-simple-gallery/

While looking into a report of a reflected cross-site scripting vulnerability in the plugin Really Simple Gallery, we noticed that there is also a cross-site request forgery (CSRF)/arbitrary file upload vulnerability in it.

When uploading a file through the plugin’s settings page there is no check for a valid nonce to protect against CSRF, as seen in the file /reallysimplegallery.php starting on
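For contrast with the missing check described above, here is an added example (not code from Really Simple Gallery or from the original post) of a WordPress settings-page upload that verifies a nonce before accepting the file. Every `example_gallery_*` name and the redirect target are hypothetical, and the capability check and MIME allow-list are assumptions about what such a handler should enforce.

```php
<?php
// Added illustration: hypothetical plugin code, not Really Simple Gallery's own.
// All example_gallery_* identifiers are made up for this sketch.

// Settings-page form: wp_nonce_field() embeds a token bound to the current
// user and to the action string 'example_gallery_upload'.
function example_gallery_render_upload_form() {
    ?>
    <form method="post" enctype="multipart/form-data"
          action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_gallery_upload">
        <?php wp_nonce_field( 'example_gallery_upload', 'example_gallery_nonce' ); ?>
        <input type="file" name="example_gallery_file">
        <?php submit_button( 'Upload' ); ?>
    </form>
    <?php
}

// admin-post.php dispatches this hook for logged-in users only.
add_action( 'admin_post_example_gallery_upload', 'example_gallery_handle_upload' );

function example_gallery_handle_upload() {
    // 1. Authorization: only administrators may upload.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: stops the request unless the POST carries a valid nonce for
    //    this action, so a forged cross-site form submission is rejected.
    check_admin_referer( 'example_gallery_upload', 'example_gallery_nonce' );

    if ( empty( $_FILES['example_gallery_file']['name'] ) ) {
        wp_die( 'No file was submitted.', '', array( 'response' => 400 ) );
    }
    // 3. File type: let WordPress validate against an image-only allow-list.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $_FILES['example_gallery_file'], array(
        'test_form' => false, // the nonce above replaces the default form check
        'mimes'     => array(
            'jpg|jpeg|jpe' => 'image/jpeg',
            'png'          => 'image/png',
            'gif'          => 'image/gif',
        ),
    ) );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), '', array( 'response' => 400 ) );
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=example-gallery' ) );
    exit;
}
```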
