Remote Code Flaw Exploits WordPress Renown Plugin

Last updated: July 5, 2023 Reading time: minutes
wordpress flaw

A dangerous SQL injection vulnerability has been detected in NextGEN Gallery, WordPress’ renowned image gallery plugin that currently has 1 million active installs. Researchers disclosed a remote code execution flaw last year in this plugin, so it is not a first time for NextGEN Gallery plugin to have become an easy prey.

Researchers at Sucuri, a web security firm, have identified this flaw which provides a hacker easy access to the targeted website’s sensitive data that also comprise of passwords and secret codes.

With the release of version 2.1.79 last week this flaw was detected, but there was no acknowledgement of it in the changelog. NextGEN Gallery developers have not disinfected its user input which has resulted in the SQL injection vulnerability.

Slavo Mihajloski, the Sucuri vulnerability researcher warned NextGEN’s users by saying, ‘This is quite a critical issue and if you’re using a vulnerable version of this plugin, update as soon as possible!’

Two possible attacks are likely to occur according to Slavco; One possibility is where the targeted website uses a NextGEN Basic TagCloud Gallery; the hacker can modify the URL of this gallery and eliminate SQL queries.  Another possibility is where users submit review posts; a legitimate attacker can eliminate pernicious codes through shortcodes.

The huge amount of possibly vulnerable installations has made this plugin a soft-target for attackers, although reports for this vulnerability have not yet gone savage.

According to the researches made last year by RIPS Technologies around 8,800 plugins in the official WordPress plugins directory had one breaching capability each whereas approx. 2,800 apps were marked with high severity and 41 had severe critical flaws.

An attacker may have many vulnerable options when it comes to attacking WordPress’ websites hence WordPress has become one of the most easily targeted CMS available.

Share this article

About the Author

Rutaba Rais is Editor at Be Encrypted with focus on Technology and Internet Security. Apart from her Healthcare background, she has interests in Lifestyle, Journalism, and expressing her opinion by her writing. You can follow her on Twitter.

More from Rutaba Rais

Related Posts