NextGEN Gallery is an extraordinarily popular plugin for self-hosted WordPress websites, having been downloaded over 16.5 million times. The software's widespread popularity (it claims to have been "the industry's standard WordPress gallery plugin" since 2007) makes it a seemingly obvious choice for website owners looking to add image galleries to their sites. Researchers at Sucuri uncovered a severe SQL injection vulnerability in NextGEN Gallery's code which could be used by a malicious attacker to steal sensitive information such as hashed passwords and WordPress secret keys:
This vulnerability can be exploited by attackers in at least two different scenarios:
- If you use a NextGEN Basic TagCloud Gallery on your site, or
- If you allow your users to submit posts to be reviewed (contributors).
If you fit into any of these two cases, you’re definitely at risk. This issue existed because NextGEN Gallery allowed improperly sanitized user input in a WordPress prepared SQL query, which is basically the same as adding user input inside a raw SQL query. Using this attack vector, an attacker could leak hashed passwords and WordPress secret keys in certain configurations.
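The bug class Sucuri describes, as an added illustration rather than the plugin's own code (which the advisory does not reproduce): a hypothetical tag lookup written two ways against the real WordPress `$wpdb->prepare()` API. In the weak form the user-supplied tag names are spliced into the SQL text before `prepare()` runs, so `prepare()` has nothing to escape; in the hardened form every tag goes through a `%s` placeholder.

```php
<?php
// Added example, not NextGEN Gallery's code. $wpdb, $wpdb->prepare() and
// $wpdb->get_results() are the standard WordPress database API; the
// function names and the query are hypothetical.

// WEAK: the tag names (user input from a tag-cloud request) are concatenated
// into the query string first. prepare() only escapes the *arguments* it
// substitutes for placeholders (%d here); text already inside the query is
// treated as part of the query itself, so the tag list reaches the database
// exactly as a raw, hand-built SQL string would.
function tagcloud_terms_weak( array $tags, int $limit ) {
    global $wpdb;
    $list = "'" . implode( "','", $tags ) . "'"; // user input enters the SQL text here
    $sql  = "SELECT term_id, name FROM {$wpdb->terms} "
          . "WHERE name IN ({$list}) LIMIT %d";
    return $wpdb->get_results( $wpdb->prepare( $sql, $limit ) ); // only $limit is sanitized
}

// HARDENED: build one %s placeholder per tag and hand the tag values to
// prepare() as arguments. WordPress escapes and quotes each value, and the
// query text itself never contains anything the user typed.
function tagcloud_terms_safe( array $tags, int $limit ) {
    global $wpdb;
    if ( empty( $tags ) ) {
        return array();
    }
    $placeholders = implode( ',', array_fill( 0, count( $tags ), '%s' ) );
    $sql = "SELECT term_id, name FROM {$wpdb->terms} "
         . "WHERE name IN ({$placeholders}) LIMIT %d";
    $args = array_merge( array_values( $tags ), array( $limit ) );
    return $wpdb->get_results( $wpdb->prepare( $sql, ...$args ) );
}
```

A quick review check for this pattern: any `prepare()` call whose query string is assembled with `.`, `sprintf()` or `"{$var}"` from request data is suspect regardless of how many placeholders it also contains.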
Fortunately, the security vulnerability has been patched in version 2.1.79 of the plugin. Of course, the fact that Imagely, the developer of the NextGEN Gallery plugin, has released a fixed version isn't the end of the story. Affected websites need to ensure that they have updated their version of the WordPress plugin. And many sites may not recognise just how important it is to update to NextGEN Gallery 2.1.79. After all, the plugin's own changelog makes no reference to a critical security vulnerability being fixed.
Instead, you need to dig into the plugin's support forum to find any mention of the flaw, and the fact that a fix has been issued. Many WordPress-powered websites use dozens of plugins from third parties, meaning it is just as important to keep them updated, and protected against security vulnerabilities, as other software on your computers. If plugins have been coded sloppily by developers, there is always the risk that your website could become compromised, and that it could put the computers of visiting users at risk. Thankfully, in this case, the vulnerability was discovered by a security firm that responsibly informed the plugin developers of the potential issue, and the onus is now on website administrators to download the latest version of the plugin and apply it on their sites. I just wish that Imagely, the developers of NextGEN Gallery, had done more to tell their millions of users the importance of their latest plugin update.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.