SQL Injection Vulnerability in NextGEN Gallery for WordPress
by CIRT Team
Description: The WordPress plugin NextGEN Gallery has a severe SQL injection vulnerability. According to the original source, one of the following conditions must be met for exploitation:
- The use of a NextGEN Basic TagCloud gallery.
- Users are allowed to submit posts for review (the Contributor role).
Impact: This vulnerability allows an unauthenticated user to read data from the victim's website database, including sensitive user information, without any prior access to the site.
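To make the class of bug concrete, the following is an added illustration (not NextGEN Gallery's code and not the real query or parameter involved): a gallery lookup by tag that interpolates the user-supplied tag into the SQL string, next to the same lookup done with a bound parameter. The schema, table names and the `tag` parameter are constructed for the example; the same UNION-style payload that pulls rows out of the users table through the vulnerable version is treated as a plain string by the safe one.

```python
import sqlite3

# Constructed stand-in schema: a gallery table plus a minimal WordPress-style
# users table. This is NOT the plugin's real schema, only an illustration.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE galleries (id INTEGER, tag TEXT, title TEXT);
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT);
        INSERT INTO galleries VALUES (1, 'landscape', 'Mountains');
        INSERT INTO galleries VALUES (2, 'portrait', 'Faces');
        INSERT INTO wp_users VALUES (1, 'admin', '$P$constructedhash');
    """)
    return db


def galleries_by_tag_vulnerable(db, tag):
    # The tag is spliced straight into the query text, so a quote in the
    # input ends the string literal and the rest becomes SQL.
    sql = "SELECT id, title FROM galleries WHERE tag = '%s'" % tag
    return db.execute(sql).fetchall()


def galleries_by_tag_safe(db, tag):
    # Bound parameter: the driver sends the value separately from the query
    # text, so the input can never change the statement's structure.
    sql = "SELECT id, title FROM galleries WHERE tag = ?"
    return db.execute(sql, (tag,)).fetchall()


# Constructed payload: closes the literal, UNIONs the users table (two columns,
# matching the SELECT list), and comments out the trailing quote.
PAYLOAD = "x' UNION SELECT user_login, user_pass FROM wp_users -- "


def demo():
    db = make_db()
    return {
        "legit": galleries_by_tag_safe(db, "landscape"),
        "vulnerable_with_payload": galleries_by_tag_vulnerable(db, PAYLOAD),
        "safe_with_payload": galleries_by_tag_safe(db, PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

In WordPress plugin code the equivalent of the bound parameter is `$wpdb->prepare()` with `%s`/`%d` placeholders and the values passed as separate arguments; the failure mode to watch for is any path where request-controlled text ends up inside the query string itself rather than in the argument list.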
Mitigation: The vendor has released a patched version. Update NextGEN Gallery to 2.1.79 or later.
- Patched version: 2.1.79 (Reference: https://wordpress.org/plugins/nextgen-gallery/)
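To confirm whether an installation is still on a vulnerable release, the check below is an added example (not part of the original advisory or the plugin) that reads the `Version:` line from a plugin header and compares it numerically against 2.1.79. The sample header text is constructed; the assumed plugin file path `wp-content/plugins/nextgen-gallery/nextgen-gallery.php` is an assumption about the plugin's layout. The numeric comparison matters because a naive string comparison would rank 2.1.8 above 2.1.79 and wrongly report it as patched.

```python
import re

PATCHED_VERSION = "2.1.79"  # from the advisory above

# Assumed location of the plugin's main file inside a WordPress install.
DEFAULT_PLUGIN_FILE = "wp-content/plugins/nextgen-gallery/nextgen-gallery.php"

# Constructed sample of a WordPress plugin header; not copied from the plugin.
SAMPLE_HEADER = """<?php
/*
Plugin Name: NextGEN Gallery
Plugin URI: https://wordpress.org/plugins/nextgen-gallery/
Version: 2.1.77
*/
"""


def parse_version(v):
    # "2.1.79" -> (2, 1, 79): tuples compare component-wise as integers,
    # so (2, 1, 8) < (2, 1, 79) even though "2.1.8" > "2.1.79" as strings.
    return tuple(int(part) for part in v.strip().split("."))


def plugin_version_from_header(header_text):
    # WordPress reads the version from a "Version:" line in the file header;
    # allow an optional leading "*" for block-comment style headers.
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)\s*$", header_text, re.M)
    if not m:
        raise ValueError("no Version: line found in plugin header")
    return m.group(1)


def is_vulnerable(installed, patched=PATCHED_VERSION):
    # Anything strictly below the patched release is assumed affected.
    return parse_version(installed) < parse_version(patched)


def check_plugin_file(path=DEFAULT_PLUGIN_FILE):
    # Read only the top of the file; WordPress itself parses just the header.
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        header = fh.read(8192)
    version = plugin_version_from_header(header)
    return version, is_vulnerable(version)


if __name__ == "__main__":
    v = plugin_version_from_header(SAMPLE_HEADER)
    print("installed %s, vulnerable: %s" % (v, is_vulnerable(v)))
```

Run `check_plugin_file()` from the WordPress root on a live install; the sample header is only there so the logic can be exercised without one.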