This article is more than 1 year old

WordPress photo plugin opens 'a million sites' to SQLi database feasting

Using NextGEN Gallery? Update or kill it with fire

A critical flaw has been found in the third-party WordPress NextGEN Gallery plugin that is, according to, actively used by more than a million websites.

If you're using this plugin, patch now to version 2.1.79 or greater. If you're a cyber-scamp, well, here's a surefire way to compromise a lot of tardy sites. The changelog for the update does not mention the security fix.

Researchers at Sucuri spotted that the plugin was flawed in such a way that a carefully crafted SQL injection could extract sensitive information, such as scrambled passwords, secret keys, and other website database records. The biz rates the flaw as critical and says it is relatively easy to exploit.

"This issue existed because NextGEN Gallery allowed improperly sanitized user input in a WordPress prepared SQL query; which is basically the same as adding user input inside a raw SQL query," Sucuri said. "Using this attack vector, an attacker could leak hashed passwords and WordPress secret keys in certain configurations."

Thankfully a fixed version of the plugin is available now and site admins are strongly advised to use it. However, WordPress users aren't known for being the savviest, and it's highly likely that there are a lot of unpatched sites out there.

That said, WordPress admins are used to patching. There was a major zero-day flaw found in the site last month, and in January it patched 11 holes in its code. While paying users of WordPress should already be patched, there are likely to be a lot of free users who aren't up to speed on security. ®

More about


Send us news

Other stories you might like