NextGEN Gallery is one of the most widely used WordPress plugins. According to the statistics in the WordPress plugin directory, it has been downloaded more than 1 million times, so it is likely installed on a large number of WordPress sites.
Researchers found a critical SQL injection vulnerability in the NextGEN Gallery plugin. It allows an unauthenticated user to read data from the victim's website database, including sensitive user information.
According to the security researchers at Sucuri, the issue existed because NextGEN Gallery placed improperly sanitized user input inside a WordPress prepared SQL query, which is effectively the same as concatenating user input into a raw SQL query. Through this attack vector, an attacker could leak hashed passwords and, in certain configurations, the WordPress secret keys.
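The distinction drawn above, shown as an added illustration that is not NextGEN Gallery's code: a query helper that splices request parameters into the SQL string before `$wpdb->prepare()` ever sees it, next to the corrected form. `$wpdb->prepare()` and its `%s`/`%d` placeholders are the real WordPress API; the table, column and function names are hypothetical.

```php
<?php
// Added example, not code from the NextGEN Gallery plugin.
// Assumes WordPress is loaded so the global $wpdb object exists.
// Table name, column names and function names are hypothetical.

function gallery_images_unsafe( $tag, $sort ) {
    global $wpdb;
    // BUG: $tag and $sort are concatenated into the query text *before*
    // prepare() runs. prepare() only substitutes the %d placeholder, so the
    // user-supplied strings reach MySQL unescaped. Any '%' sequences inside
    // them are also parsed as placeholders, which corrupts the argument list.
    $sql = "SELECT id, filename FROM {$wpdb->prefix}gallery_images"
         . " WHERE tag = '" . $tag . "'"
         . " ORDER BY " . $sort
         . " LIMIT %d";
    return $wpdb->get_results( $wpdb->prepare( $sql, 20 ) );
}

function gallery_images_safe( $tag, $sort ) {
    global $wpdb;

    // Identifiers (column names) cannot be bound as placeholders, so they are
    // validated against an allow-list instead of being escaped.
    $allowed_sort = array( 'id', 'filename', 'date_added' );
    if ( ! in_array( $sort, $allowed_sort, true ) ) {
        $sort = 'id';
    }

    // Values are bound with %s / %d placeholders; prepare() escapes them and
    // the query text itself never contains raw request data.
    $sql = "SELECT id, filename FROM {$wpdb->prefix}gallery_images"
         . " WHERE tag = %s"
         . " ORDER BY {$sort}"
         . " LIMIT %d";
    return $wpdb->get_results( $wpdb->prepare( $sql, $tag, 20 ) );
}

// Hypothetical call site reading untrusted request parameters.
$tag  = isset( $_GET['tag'] )  ? (string) $_GET['tag']  : '';
$sort = isset( $_GET['sort'] ) ? (string) $_GET['sort'] : 'id';
$rows = gallery_images_safe( $tag, $sort );
```

The point to check in a review is where the request data enters the string: if it is interpolated into the format string rather than passed as an argument to `prepare()`, the "prepared" query gives no protection. Functions such as `sanitize_text_field()` clean up HTML, not SQL, so they are not a substitute for placeholders; and for parts of a statement that cannot be parameterised, such as an `ORDER BY` column, an explicit allow-list is the only safe option.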
If you are using the WordPress NextGEN Gallery plugin, upgrade it to the latest version immediately. The SQL injection vulnerability was fixed in NextGEN Gallery version 2.1.79.