NextGEN Gallery plugin

A WordPress plugin installed on over one million sites has just fixed a severe SQL injection vulnerability that can allow attackers to steal data from a website's database.

The vulnerable plugin's name is NextGEN Gallery, a plugin so popular that it has its own ecosystem of add-on plugins.

Two configuration options for NextGEN Gallery plugin installations open WordPress sites to attacks.

First attack scenario

According to web security firm Sucuri, who discovered the NextGEN Gallery security issues, the first attack scenario can happen if a WordPress site owner activates the NextGEN Basic TagCloud Gallery option on his site.

This feature allows site owners to display image galleries that users can navigate via tags. Clicking one of these tags alters the site's URL as the user navigates through photos.

Sucuri says that an attacker can modify the link parameters and insert SQL fragments that the plugin will execute when the attacker loads the malformed URL.

This happens due to improper input sanitization in the URL parameters, a common problem with many WordPress and non-WordPress web applications.

Second attack scenario

The second exploitation scenario can happen if website owners open their site for blog post submissions. Because attackers can create accounts on the site and submit a blog post/article for review, they can also insert malformed NextGEN Gallery shortcodes.

Sucuri expert Slavco Mihajloski says that a shortcode like the following can be used to attack sites.

[querycode1][any_text1]%1$%s[any_text2][querycode2]

The problem lies in how internal plugin functions handle this code. For example, %s will be converted to '%s' and effectively break the SQL query this string is inserted into.

This allows the attacker to add malicious SQL code after this character block and have it execute inside the site's backend. Depending on the attacker's skill level, this can allow him to dump the site's database and steal personal user records.
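As an added illustration that is not part of the article or of the plugin's code: a hypothetical prepare-style helper that quotes every %s placeholder and then runs vsprintf, showing why text in the shape [any_text1]%1$%s[any_text2] leaves a stray quote when it is concatenated into the template, and why binding the same text as an argument keeps it inert.

```php
<?php
// Added illustration, not NextGEN Gallery's or WordPress's own code. The helper
// mimics the two steps a prepare()-style function performs: wrap every %s
// placeholder in quotes, then hand the template to vsprintf. Anything that
// lands in the TEMPLATE is interpreted by sprintf; anything passed as an
// ARGUMENT is just data. (A real prepare() also escapes the bound values.)

function quote_then_format(string $template, array $args): string {
    // Step 1: an unquoted %s becomes '%s' so string arguments end up quoted.
    $template = preg_replace('/(?<!%)%s/', "'%s'", $template);
    // Step 2: vsprintf fills the placeholders from $args.
    return vsprintf($template, $args);
}

// Vulnerable pattern: user-controlled text is concatenated into the template.
function build_query_unsafe(string $user_text): string {
    return quote_then_format("SELECT name FROM terms WHERE id = %d AND " . $user_text, [7]);
}

// Hardened pattern: the same text is bound as an argument behind a placeholder.
function build_query_safe(string $user_text): string {
    return quote_then_format("SELECT name FROM terms WHERE id = %d AND note = %s", [7, $user_text]);
}

// Constructed sample in the [any_text1]%1$%s[any_text2] shape from the article.
$shortcode_text = 'a%1$%sb';

// Unsafe: step 1 turns "%1$%s" into "%1$'%s'". In sprintf syntax "'%" is the
// custom padding flag, so "%1$'%s" is consumed as "argument 1, padded with %",
// and the trailing quote survives as a stray ' in the SQL text:
//   SELECT name FROM terms WHERE id = 7 AND a7'b
echo build_query_unsafe($shortcode_text), "\n";

// Safe: the text never reaches vsprintf as a format, so it stays inert data:
//   SELECT name FROM terms WHERE id = 7 AND note = 'a%1$%sb'
echo build_query_safe($shortcode_text), "\n";
```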

Plugin patched last week, but nobody knew it was important

Sucuri gave this vulnerability a score of 9 out of 10, mainly because of how easy the flaw is to exploit, even for non-technical attackers.

Sucuri says the plugin's authors fixed this flaw in NextGEN Gallery 2.1.79. Reading the plugin's changelog on your own, it is very hard to spot that version 2.1.79 fixed a severe security flaw.

At the time of writing, the NextGEN Gallery changelog on the WordPress Plugins repository only says "Changed: Tag display adjustment".

Even if not every installation is exposed, since many sites will not use the exact configuration options that are vulnerable, hiding crucial security updates is highly irresponsible on the plugin author's side.