A dangerous SQL injection vulnerability has been detected in NextGEN Gallery, WordPress’ renowned image gallery plugin that currently has 1 million active installs. Researchers disclosed a remote code execution flaw last year in this plugin, so it is not a first time for NextGEN Gallery plugin to have become an easy prey.
Researchers at Sucuri, a web security firm, have identified this flaw which provides a hacker easy access to the targeted website’s sensitive data that also comprise of passwords and secret codes.
With the release of version 2.1.79 last week this flaw was detected, but there was no acknowledgement of it in the changelog. NextGEN Gallery developers have not disinfected its user input which has resulted in the SQL injection vulnerability.
Slavo Mihajloski, the Sucuri vulnerability researcher warned NextGEN’s users by saying, ‘This is quite a critical issue and if you’re using a vulnerable version of this plugin, update as soon as possible!’
Two possible attacks are likely to occur according to Slavco; One possibility is where the targeted website uses a NextGEN Basic TagCloud Gallery; the hacker can modify the URL of this gallery and eliminate SQL queries. Another possibility is where users submit review posts; a legitimate attacker can eliminate pernicious codes through shortcodes.
The huge amount of possibly vulnerable installations has made this plugin a soft-target for attackers, although reports for this vulnerability have not yet gone savage.
According to the researches made last year by RIPS Technologies around 8,800 plugins in the official WordPress plugins directory had one breaching capability each whereas approx. 2,800 apps were marked with high severity and 41 had severe critical flaws.
An attacker may have many vulnerable options when it comes to attacking WordPress’ websites hence WordPress has become one of the most easily targeted CMS available.
Share this article
About the Author
Rutaba Rais is Editor at Be Encrypted with focus on Technology and Internet Security. Apart from her Healthcare background, she has interests in Lifestyle, Journalism, and expressing her opinion by her writing. You can follow her on Twitter.More from Rutaba Rais
Passengers’ Data Stored on User Devices, not on DigiYatra Storage, says India Govt
Watch Prime Videos With Full Catalog and Unblocked Access Unblocking streaming content from Amazon P...
NCSC Chief: Clear Rules Needed to Prevent Cyberspace Conflict and Struggle
A safe and secure digital world necessitates a clear definition and enforcement of international cyb...
‘Revive’ has been upgraded to a banking Trojan on Android
This month, Cleafy’s security researchers discovered a new Android Banking Trojan in the wild....
Asian Industrial Control Systems Targeted by Hackers Using the Shadowpad Backdoor
Unpatched Microsoft Exchange servers in various Asian countries were the target of an attack campaig...
Data Breaches Could Occur Due to Kubernetes Misconfigurations That Were Leaked.
Over 900,000 Kubernetes (K8s) have been discovered to be vulnerable to malicious scans and/or data-e...
Attacks by Cybercriminals Will Become the Main Threat in 2021. Privacy Issues Tendencies
Internet Privacy is the main Concern today Advertisers track your online activities and interfere w...