Researchers have found a severe vulnerability in NextGEN Gallery, a WordPress plugin with more than 1 million installations worldwide, leaving as many websites exposed to this critical flaw.
NextGEN Gallery, probably the most popular WordPress image gallery plugin, has been found to contain a severe SQL injection bug that potentially allows attackers to extract password data, secret keys and other confidential information from affected MySQL databases.
Slavco Mihajloski, a researcher with web security firm Sucuri, wrote in a blog post: “If you’re using a vulnerable version of this plugin, update as soon as possible.” That is what we are advising here as well. Sucuri has assigned the vulnerability a severity rating of 9 out of a possible 10 points, which is very high.
The flaw lies in how the $container_ids string is assembled in the plugin's PHP code: an attacker could add extra sprintf/printf-style directives to the SQL query and rely on $wpdb->prepare's behavior, which interprets those directives when formatting the query, to get attacker-controlled content into the executed query. This attack targets the NextGEN Basic Tag Cloud gallery feature by modifying the gallery URL.
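To make the mechanism concrete, here is an added example (not code from NextGEN Gallery or WordPress core) that contrasts the weak pattern with the corrected one. It uses a simplified stand-in for $wpdb->prepare() so it runs without WordPress; the table and column names, the function names and the sample inputs are all constructed for illustration.

```php
<?php
// Added example, not code from NextGEN Gallery or WordPress core.
// prepare_stub() is a simplified stand-in for $wpdb->prepare(): like the real
// one it wraps %s in quotes, escapes each argument, then formats with vsprintf.
function prepare_stub(string $query, array $args): string
{
    $query = str_replace(["'%s'", '"%s"'], '%s', $query);
    $query = str_replace('%s', "'%s'", $query);
    $escaped = array_map(fn($a) => addslashes((string) $a), $args);
    return vsprintf($query, $escaped);
}

// WEAK: the caller-assembled $container_ids string is interpolated into the
// format string itself, so any % directive inside it is interpreted by
// vsprintf instead of being treated as data (the class of bug described above).
function weak_query(string $container_ids, string $slug): string
{
    return prepare_stub(
        "SELECT * FROM wp_ngg_gallery WHERE gid IN ($container_ids) AND slug = %s",
        [$slug]
    );
}

// HARDENED: user-supplied values reach prepare() only as arguments, and the
// IN-list is built from one %d placeholder per id, so the format string is
// entirely under the developer's control.
function hardened_query(array $container_ids, string $slug): string
{
    $ids = array_map('intval', $container_ids);   // gallery ids are integers
    $placeholders = implode(',', array_fill(0, count($ids), '%d'));
    return prepare_stub(
        "SELECT * FROM wp_ngg_gallery WHERE gid IN ($placeholders) AND slug = %s",
        array_merge($ids, [$slug])
    );
}

// Benign input (constructed): both forms yield the same SQL.
echo weak_query('1,2,3', 'summer') . "\n";
echo hardened_query(['1', '2', '3'], 'summer') . "\n";

// A % directive in the data (constructed): the weak form hands it to vsprintf,
// which on PHP 8 throws because the format now demands an argument that was
// never supplied, i.e. the developer has lost control of the query shape.
try {
    echo weak_query('1,%s', 'summer') . "\n";
} catch (\ArgumentCountError $e) {
    echo "weak form lost control of the format string: " . $e->getMessage() . "\n";
}

// The hardened form keeps the same characters as a quoted, escaped literal.
echo hardened_query(['1'], 'x%s') . "\n";
// -> SELECT * FROM wp_ngg_gallery WHERE gid IN (1) AND slug = 'x%s'
```

The rule this illustrates is the one WordPress documents for $wpdb->prepare(): the first argument must be a developer-controlled literal containing only placeholders, and every dynamic value, including each element of an IN-list, must be passed as a separate argument. A quick audit for the weak pattern is to grep plugin code for prepare() calls whose first argument is a double-quoted string with a `$variable` interpolated into it.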
SQL injection flaws should really not be found in such major WordPress plugins in this day and age, or so we would like to think. Exploiting this flaw does, however, require a website that allows users to submit posts for review, since the attacker must submit a post containing the crafted NextGEN Gallery shortcodes.
The vulnerability has since been fixed in NextGEN Gallery version 2.1.79 and therefore developers are advised to update immediately.