A popular WordPress gallery plugin with more than one million active installations was recently patched to address a vulnerability exposing website databases to attack.
The NextGEN Gallery is a photo gallery management system used by professional photographers and artists upload, sort and group galleries. It’s been downloaded more than 16 million times since it was developed in 2007.
Researchers at Sucuri on Monday disclosed what was characterized as a “severe SQL injection vulnerability.”
“This vulnerability allows an unauthenticated user to grab data from the victim’s website database, including sensitive user information,” researcher Slavco Mihajloski said. “This is quite a critical issue. If you’re using a vulnerable version of this plugin, update as soon as possible!”
Mihajloski described two conditions in which the vulnerability can be exploited: if an admin uses a NextGEN Basic TagCloud Gallery, or if the site allows contributors to submit posts to be reviewed.
“This issue existed because NextGEN Gallery allowed improperly sanitized user input in a WordPress prepared SQL query; which is basically the same as adding user input inside a raw SQL query,” Mihajloski said. “Using this attack vector, an attacker could leak hashed passwords and WordPress secret keys in certain configurations.”
Mihajloski said an attacker would need to abuse a $container_ids string in order to trigger the exploit. He could do so by either modifying the NextGEN Basic TagCloud gallery URL, or when using the tag gallery shortcode.
“With this knowledge, an unauthenticated attacker could add extra sprintf/printf directives to the SQL query and use $wpdb->prepare’s behavior to add attacker-controlled code to the executed query,” Mihajloski said.
WordPress plugins have been a source of security angst for the content management system for some time. A December research report from RIPS cofounder Hendrik Buchwald said the percentage of vulnerable plugins was high, but that this was an artifact of WordPress’ widespread adoption. Buchwald said he looked at more than 10,000 plugins with more than 500 lines of code and found that 43 percent had at least one medium-severity vulnerability. According to the research, plugins with fewer than 1,000 lines of code had next to zero vulnerabilities. While a large percentage of the internet’s sites may be built on WordPress, RIPS’ research suggests only a small percentage of the plugins used on those sites contain vulnerabilities.
Recently, WordPress platform users were face-to-face with a critical vulnerability in the core code that was patched in a recent security update in version 4.7.2. Hackers quickly capitalized, exploiting a vulnerability in the REST API endpoint to deface more than one million websites. Eventually, attackers tried to monetize these defacements, leaving behind links to rogue pharmaceutical websites trying to spam users into buying drugs or lure them into phishing scams trying to steal payment card data.