Critical SQL Injection Vulnerability Found in NextGEN Gallery

NextGEN Gallery is one of the most widely used WordPress plugins. According to the statistics in the WordPress plugin directory, it has been downloaded more than one million times, so it is likely to be running on a large number of WordPress installations.


Security researchers at Sucuri found a critical SQL injection vulnerability in the NextGEN Gallery plugin. The flaw allows an unauthenticated attacker to read data from the victim site's database, including sensitive user information.

SQL Injection vulnerability in NextGEN Gallery

According to Sucuri, the issue existed because NextGEN Gallery placed improperly sanitized user input inside a WordPress prepared SQL query. A WordPress prepared statement (`$wpdb->prepare()`) only escapes the values bound to its placeholders; any user-controlled text that is already part of the query string is passed through unchanged, which is effectively the same as concatenating user input into a raw SQL query. Using this attack vector, an attacker could leak hashed passwords and, in certain configurations, the WordPress secret keys.
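The following is an added illustration of the pattern described above, written for this page; it is not NextGEN Gallery's own code and the table name, column names and request parameter are made up. It assumes it runs inside WordPress with the global `$wpdb` available, and shows a query built the unsafe way beside the same query built with a `prepare()` placeholder:

```php
<?php
/*
 * Added example, not code from NextGEN Gallery. Assumes WordPress is loaded
 * (global $wpdb). Table "{prefix}example_images" and column "gallery_slug"
 * are hypothetical; "wp_users" with user_login/user_pass is the real core table.
 */
if ( ! defined( 'ABSPATH' ) ) {
    exit; // only meaningful inside WordPress
}

/*
 * VULNERABLE: $slug is spliced into the SQL text before $wpdb->prepare()
 * ever sees it. prepare() escapes only the arguments bound to %s/%d/%f
 * placeholders, so the user input is sent to MySQL exactly as received.
 * This is equivalent to a raw, concatenated query.
 */
function example_images_vulnerable( $slug ) {
    global $wpdb;
    $sql = "SELECT pid, filename FROM {$wpdb->prefix}example_images"
         . " WHERE gallery_slug = '" . $slug . "'";
    // No bound arguments: nothing in $sql is escaped.
    return $wpdb->get_results( $wpdb->prepare( $sql ) ); // phpcs:ignore
}

/*
 * FIXED: the user value is passed as a bound argument. prepare() quotes and
 * escapes it, so the value can never change the structure of the statement.
 */
function example_images_safe( $slug ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT pid, filename FROM {$wpdb->prefix}example_images WHERE gallery_slug = %s",
        $slug
    );
    return $wpdb->get_results( $sql );
}

/*
 * Constructed attacker input for a hypothetical "?slug=" request parameter.
 * Against example_images_vulnerable() the resulting SQL becomes
 *   ... WHERE gallery_slug = 'x' UNION SELECT user_login, user_pass FROM wp_users -- '
 * and the response contains every user's password hash (the "leak hashed
 * passwords" case above). Against example_images_safe() the same string is
 * just an escaped literal that matches no gallery.
 */
$example_payload = "x' UNION SELECT user_login, user_pass FROM wp_users -- ";

if ( isset( $_GET['slug'] ) ) {
    // Request parameter name is hypothetical; sanitize_text_field() does not
    // make the vulnerable version safe, only the bound placeholder does.
    $rows = example_images_safe( sanitize_text_field( wp_unslash( $_GET['slug'] ) ) );
}
```

The practical check when reviewing plugin code is to look at the first argument of every `$wpdb->prepare()` call: it must be a constant format string, and every user-derived value must arrive through a placeholder argument. `prepare()` treats that first argument as a format string, so user text that has been interpolated into it is never escaped, whichever sanitization ran beforehand.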

If you are using the NextGEN Gallery plugin, upgrade it to the latest version immediately. The SQL injection vulnerability was fixed in NextGEN Gallery version 2.1.79.

Posted in Security.