The vulnerability lets attackers pull data from a website's database, including sensitive user information

Feb 27, 2017 22:49 GMT

A new SQL Injection vulnerability has been discovered in the NextGEN Gallery plugin for WordPress, allowing attackers to pull data from the victim site's database, which may very well include sensitive user information.

The discovery was made by researchers at Sucuri while working on vulnerability coverage for the Sucuri Firewall. As part of that work they have been auditing multiple open source projects for security issues, and came across the flaw in NextGEN Gallery, one of the most widely used gallery plugins for WordPress, with over 16.5 million downloads.

How can you tell if you're at risk? The researchers say the vulnerability can be exploited in two different scenarios. The first is if your site uses a NextGEN Basic TagCloud gallery; the second is if you allow your users to submit posts for review, which is common on blogs with numerous contributors.

"The issue existed because NextGEN Gallery allowed improperly sanitized user input in a WordPress prepared SQL query; which is basically the same as adding user input inside a raw SQL query. Using this attack vector, an attacker could leak hashed passwords and WordPress secret keys in certain configurations," the blog post reads.

Sensitive information is at risk

According to Sucuri's analysis, there are two exploit scenarios. The first goes through the tag gallery shortcode and requires an authenticated user with enough privileges to get the shortcode into a post, which is why sites that accept submissions from contributors are exposed. The second goes through a NextGEN Basic TagCloud gallery: a malicious visitor only needs to modify the gallery's URL slightly, provided such a gallery already exists on the site.

In that second scenario, therefore, an unauthenticated attacker can append extra SQL to the query by way of the URL, so that attacker-controlled SQL is executed against the site's database.
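To make concrete what "improperly sanitized user input in a WordPress prepared SQL query" means, here is an added example that is not NextGEN Gallery's code and not Sucuri's. It contrasts the vulnerable pattern (user input concatenated into the format string passed to `$wpdb->prepare()`) with the correct one (user input passed as a placeholder argument). The function `prepare_like_wpdb()` is a hypothetical, simplified stand-in for `wpdb::prepare()` so the script runs without WordPress; `tag_query_vulnerable()`, `tag_query_fixed()`, the query text and the attacker input are all constructed for illustration, and `addslashes()` stands in for the real MySQL escaping.

```php
<?php
// Added example: illustrates the vulnerable vs. fixed use of a
// prepare()-style API. None of this is NextGEN Gallery's own code.

// Hypothetical stand-in for wpdb::prepare(): the first argument is a
// printf-style format string, the rest are escaped and substituted for
// %s / %d. addslashes() replaces the real mysqli_real_escape_string().
function prepare_like_wpdb(string $format, ...$args): string {
    // Quote every %s placeholder, as wpdb::prepare() does.
    $format = preg_replace('/(?<!%)%s/', "'%s'", $format);
    // Escape string arguments; integers are used as-is.
    $escaped = array_map(
        fn($a) => is_int($a) ? $a : addslashes((string) $a),
        $args
    );
    return vsprintf($format, $escaped);
}

// VULNERABLE pattern: the user-supplied tag is glued into the *format
// string*. prepare() never escapes the format string, so this is the
// same as building a raw SQL query from user input. Any '%' in the input
// is additionally interpreted as a format directive by vsprintf().
function tag_query_vulnerable(string $tag): string {
    return prepare_like_wpdb(
        "SELECT t.term_id FROM wp_terms t WHERE t.slug = '" . $tag
        . "' AND t.term_group = %d",
        0
    );
}

// FIXED pattern: the tag is passed as a placeholder argument, so it is
// escaped and quoted before being substituted into the query.
function tag_query_fixed(string $tag): string {
    return prepare_like_wpdb(
        "SELECT t.term_id FROM wp_terms t WHERE t.slug = %s AND t.term_group = %d",
        $tag,
        0
    );
}

// Constructed attacker input, the kind of value a modified TagCloud URL
// parameter might carry: it closes the string literal and appends a UNION.
$malicious_tag = "x' UNION SELECT user_pass FROM wp_users -- ";

$vulnerable = tag_query_vulnerable($malicious_tag);
$fixed      = tag_query_fixed($malicious_tag);

echo "vulnerable: $vulnerable\n";
echo "fixed:      $fixed\n";

// In the vulnerable query the closing quote from the input survives
// verbatim and the UNION becomes part of the executed statement; in the
// fixed query the quote arrives escaped and the input stays a string.
$injected = strpos($vulnerable, "'x' UNION SELECT") !== false;
$contained = strpos($fixed, "'x\\' UNION SELECT") !== false;
echo "injection reaches the SQL engine (vulnerable): " . ($injected ? "yes" : "no") . "\n";
echo "input stays inside the string literal (fixed): " . ($contained ? "yes" : "no") . "\n";
```

The practical check when reviewing plugin code is the position of the variable: anything that ends up inside the first argument of `$wpdb->prepare()` is trusted as SQL, and only values passed as the later arguments are escaped.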

Sucuri rates this a critical issue and advises everyone using the plugin to update as soon as possible. The patched version is 2.1.79, so if an earlier version is installed (the version number is shown on the WordPress Plugins screen), you'd better hurry before attackers start digging.