NextGEN Gallery Patches Critical SQL Injection Vulnerability

Slavco Mihajloski, security researcher at Sucuri, has discovered a critical SQL injection vulnerability in NextGEN Gallery, a popular WordPress plugin that’s active on more than a million sites.

Mihajloski gives the vulnerability a 9 out of 10 on Sucuri’s DREAD scale. Dread stands for Damage, Reproducibility, Exploitability, Affected Users, and Discoverability.

Each category receives a score between 0 and 10. The DREAD score is obtained by adding the totals from each category and then dividing by five. The higher the score, the more severe the vulnerability.

The SQL injection vulnerability affects NextGEN Gallery versions 2.1.77 and below. Version 2.1.79 is patched and was released four days ago. Those who use NextGEN basic tagcloud gallery or allow visitors to submit posts to be reviewed by contributors are especially at risk.

“This vulnerability allows an unauthenticated user to grab data from the victim’s website database, including sensitive user information,” Mihajloski said.

“This issue existed because NextGEN Gallery allowed improperly sanitized user input in a WordPress prepared SQL query, which is basically the same as adding user input inside a raw SQL query. Using this attack vector, an attacker could leak hashed passwords and WordPress secret keys, in certain configurations.”

Although 2.1.79 patches the vulnerability, the plugin’s changelog doesn’t indicate a critical security issue was fixed. Eric Danzer, Founder and CEO of Imagely, makers of NextGEN Gallery, explained on Twitter why it’s not mentioned in the changelog.

Users are strongly encouraged to update NextGEN Gallery to version 2.1.79 as soon as possible.

5 Comments


  1. Hey Jeff – thanks for sharing this. Now that the vulnerability is announced, the more people see it and update the better. Thanks for including my note as well.

    One quick point: while the vulnerability is a serious one, it only affects NextGEN tag cloud displays. Those are the least commonly used NextGEN display. I’d estimate that the vulnerability affects less than 5% of NextGEN installs, probably less than 1%.

    Even so, we’d rather have people update quickly.

    Erick (CEO, Imagely)

    Report


  2. Again i believe the sucuri team should have kept their mouth shut until nextgen confirms that most of their websites are updated and added it to the update list. With bringing this into the open they again are responsible for websites getting hacked like they did with the rest api leak in wp 4.7.1 and below and with the revslider 4.2.0 and below.

    Their eager to be first with such news is bad for websites using the nextgen plugin. Nextgen had a very good reason not to list this in the update buglist overview.

    Report


    1. Neo, How can sites be updated if the owners/admins don’t know about it?

      I certainly don’t want NextGen, WordPress or any other theme/plugin author to do an automatic update. I turned those updates off on ALL my sites.

      Nothing against NextGen Gallery, I used that plugin for many years, before current owners.

      Report


  3. I had a couple of clients with NextGEN on their sites. News like this helped me update their sites quickly and keep them safe from this vulnerability.

    Report

Comments are closed.