SQL Injection Vulnerability in NextGEN Gallery for WordPress

The NextGEN Gallery plugin for WordPress, installed on over one million sites, has just fixed a severe SQL injection vulnerability that could allow attackers to steal data from a website’s database.


Technical Details

The vulnerability can be exploited by attackers in at least two different scenarios:

First scenario

The first attack scenario can happen if a WordPress site owner activates the NextGEN Basic TagCloud Gallery option on their site.

This feature allows site owners to display image galleries that users can navigate via tags. Clicking one of these tags alters the site’s URL as the user navigates through photos.

An attacker can modify the link parameters and insert SQL queries that the plugin will execute when the attacker loads the malformed URL.

Second scenario

The second exploitation scenario can happen if website owners open their site for blog post submissions. Because attackers can create accounts on the site and submit a blog post/article for review, they can also insert malformed NextGEN Gallery shortcodes.

This allows the attacker to append malicious SQL code to the shortcode and have it execute inside the site’s backend. Depending on the attacker’s skill level, this can allow them to dump the site’s database and steal personal user records.

In Conclusion

This is quite a critical issue. If you’re using a vulnerable version of this plugin, update as soon as possible!

If you cannot update, we strongly recommend using the Malware Expert – ModSecurity Rules (or equivalent technology) to have the vulnerability patched virtually.

Sucuri gave this vulnerability a score of 9 out of 10, mainly due to how easy it was to exploit the flaw, even for non-technical attackers.

More technical details are available on the Sucuri Blog.