Mihajloski gives the vulnerability a 9 out of 10 on Sucuri’s DREAD scale. Dread stands for Damage, Reproducibility, Exploitability, Affected Users, and Discoverability.
Each category receives a score between 0 and 10. The DREAD score is obtained by adding the totals from each category and then dividing by five. The higher the score, the more severe the vulnerability.
The SQL injection vulnerability affects NextGEN Gallery versions 2.1.77 and below. Version 2.1.79 is patched and was released four days ago. Those who use NextGEN basic tagcloud gallery or allow visitors to submit posts to be reviewed by contributors are especially at risk.
“This vulnerability allows an unauthenticated user to grab data from the victim’s website database, including sensitive user information,” Mihajloski said.
“This issue existed because NextGEN Gallery allowed improperly sanitized user input in a WordPress prepared SQL query, which is basically the same as adding user input inside a raw SQL query. Using this attack vector, an attacker could leak hashed passwords and WordPress secret keys, in certain configurations.”
Although 2.1.79 patches the vulnerability, the plugin’s changelog doesn’t indicate a critical security issue was fixed. Eric Danzer, Founder and CEO of Imagely, makers of NextGEN Gallery, explained on Twitter why it’s not mentioned in the changelog.
We just wanted updates underway before drawing attention. We'll update changelog for accuracy in a subsequent release.
— Erick Danzer (@ErickDanzer) February 27, 2017
Users are strongly encouraged to update NextGEN Gallery to version 2.1.79 as soon as possible.