
Written by: Mike Yang

Researchers have found a critical SQL injection vulnerability in a popular WordPress plugin used to create photo galleries. The bug in NextGEN Gallery exposes more than a million sites.
The vulnerability can be exploited in a couple of different ways, and researchers at Sucuri, who discovered the weakness, say that an attacker could use it to steal data from vulnerable sites, including sensitive user information. The developer of the plugin patched the vulnerability in a release late last week, but any site that hasn’t upgraded to version 2.1.79 is likely still exposed.
“This issue existed because NextGEN Gallery allowed improperly sanitized user input in a WordPress prepared SQL query; which is basically the same as adding user input inside a raw SQL query. Using this attack vector, an attacker could leak hashed passwords and WordPress secret keys in certain configurations,” Slavco Mihajloski of Sucuri said in a post explaining the flaw.
The vulnerability lies in a specific method in the plugin’s source code. The way that method builds its database query can interfere with how the WordPress database layer prepares SQL statements, Mihajloski said.
“From the source code, we notice the $container_ids string is created from tag input and its values are not properly sanitized. They are safe from SQL injection but wouldn’t prevent arbitrary format string directives/input from being inserted, which may cause issues with the WordPress database abstraction prepare() method,” Mihajloski said.
In some scenarios, an attacker would need to be authenticated in order to exploit this bug. But in others, an unauthenticated attacker could take advantage of it.
“When accessing tags from a NextGEN Basic TagCloud gallery, which malicious visitors can do by modifying the gallery’s URL a bit (given such a gallery exists on the site). With this knowledge, an unauthenticated attacker could add extra sprintf/printf directives to the SQL query and use $wpdb->prepare’s behavior to add attacker-controlled code to the executed query,” Mihajloski said.
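The pattern described in the two quotes above (quoted values concatenated into the format string handed to `$wpdb->prepare()`, so that any `%` in the input is read as a format directive) can be shown side by side with the usual hardened form. The following is an added example and is not code from NextGEN Gallery, WordPress or Sucuri. `fake_prepare()` is a constructed, simplified stand-in for `$wpdb->prepare()` so the script runs without WordPress, and the table name, column names and tag values are made up. It assumes PHP 8, where `vsprintf()` throws on a malformed format string.

```php
<?php
// Added example, not NextGEN Gallery's, WordPress's or Sucuri's code.
// fake_prepare() is a constructed stand-in for $wpdb->prepare(): it quotes %s
// arguments, passes %d arguments through, and hands the format to vsprintf().
// The real method escapes more carefully; the point here is only that every
// '%' left in the format string is a directive, wherever it came from.
declare(strict_types=1);

function fake_prepare(string $format, array $args): string {
    $format = preg_replace('/(?<!%)%s/', "'%s'", $format);
    $args = array_map(
        fn($a) => is_int($a) ? $a : addslashes((string) $a),
        $args
    );
    return vsprintf($format, $args);
}

// Vulnerable pattern: user-derived tag values are quoted and then concatenated
// into the FORMAT string. Quote-based injection is blocked, but a '%' inside a
// tag is parsed by vsprintf() as a directive, exactly the class of bug the
// article describes. Returns [format, args] so the two can be inspected.
function unsafe_parts(array $tag_slugs, int $gallery_id): array {
    $container_ids = implode(',', array_map(
        fn($s) => "'" . addslashes($s) . "'",
        $tag_slugs
    ));
    $format = "SELECT id FROM demo_items WHERE gallery_id = %d"
            . " AND tag IN ($container_ids)";
    return [$format, [$gallery_id]];
}

// Hardened pattern: the format string holds only fixed text plus one
// placeholder per value; every user-derived value travels in the argument
// list, so a '%' in a tag is data, not a directive.
function safe_parts(array $tag_slugs, int $gallery_id): array {
    $placeholders = implode(',', array_fill(0, count($tag_slugs), '%s'));
    $format = "SELECT id FROM demo_items WHERE gallery_id = %d"
            . " AND tag IN ($placeholders)";
    return [$format, array_merge([$gallery_id], $tag_slugs)];
}

// Review aid: a well-formed call has exactly one directive per argument.
// A surplus '%' in the format means user data reached the format string.
function directive_count_matches(string $format, array $args): bool {
    $n = preg_match_all('/(?<!%)%(?!%)/', $format);
    return $n === count($args);
}

// Constructed input: '100%' is a perfectly legitimate tag name.
$tags = ['sunset', '100%'];
$gallery = 7;

[$format, $args] = unsafe_parts($tags, $gallery);
var_dump(directive_count_matches($format, $args)); // bool(false)
try {
    echo fake_prepare($format, $args), PHP_EOL;
} catch (\Throwable $e) {
    // PHP 8 raises a ValueError or ArgumentCountError: the stray '%' was
    // consumed as a directive, so the query that reaches the database is
    // not the one the developer wrote.
    echo 'unsafe build failed: ', $e->getMessage(), PHP_EOL;
}

[$format, $args] = safe_parts($tags, $gallery);
var_dump(directive_count_matches($format, $args)); // bool(true)
echo fake_prepare($format, $args), PHP_EOL;
// SELECT id FROM demo_items WHERE gallery_id = 7 AND tag IN ('sunset','100%')
```

The `directive_count_matches()` check is the kind of assertion worth adding in code review or a unit test around any `prepare()` call whose format string is assembled at runtime: if the number of `%` directives does not equal the number of arguments, something other than fixed SQL text has reached the format string.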