NextGEN Gallery For WordPress SQL Injection Vulnerability


Have you found yourself the target of malicious SQL injection in WordPress? Do you use the WordPress plugin NextGEN Gallery? Read on to find out how to respond to this threat and eliminate it.

I find myself sliding down the side of a snowy, sheer rock face as part of my search for a cure for each and every flaw in WordPress that crops up. Once I have written about one patch, 10 more pop up. But knowing that I can support just one person means the world to me; I feel like a superhero without the mask or the energy, but at least the shared experience helps me to keep going.

So, without further ado. You find something wrong with your WordPress site: your data seems to have leaked and is now hosted on a PasteBin website. How on earth did this happen? What exactly is this issue, and how can you not only notice it but also eradicate it to prevent this problem from happening again?

Recently it became clear that there was a weakness in NextGEN Gallery, a very common (and honestly brilliant) WordPress gallery plugin, that enables SQL injection, which in turn allows an attacker to retrieve and leak hashed passwords and secret WordPress keys. Put bluntly, this vulnerability in NextGEN Gallery allows an unauthorized user to pilfer data from a WordPress site, including confidential user details.

So, how are you affected by this?

First of all, you need to be using NextGEN Gallery. If you aren't, you can stop reading here. All right, off you go.
</gra_replace>
<gr_replace lines="16-20" cat="clarify" orig="Can exploit this">
This vulnerability can be exploited in two particular situations:

  • Your site uses the NextGEN Simple TagCloud Gallery.
  • You allow readers to submit reviews of posts / comments.

If either of the situations outlined above applies to you, you are at risk.

Can exploit this vulnerability in two particular situations:

  • Your site uses NextGEN Simple TagCloud Gallery.
  • You allow Readers to submit reviews of posts / comments.
  • If you tick any of the parameters outlined above you are at risk.

This problem occurs because NextGEN Gallery allows user input into the format string of a SQL query prepared by WordPress. That is effectively the same as putting user input straight into a raw SQL query. In layman's terms, this means that even a user without admin access might go rogue and leak hashed passwords and secret WordPress keys through this attack vector. In other words, the attacker not only uncovers your password hashes but also obtains the secret keys to your WordPress installation.

Trusting The Input… Don’t

When it comes to how much you trust input, you have to be careful. Maintaining this mantra ensures better protection for your customers and keeps your WordPress platform secure. Whenever you handle input, you should ask yourself the same questions:

  1. Is the input secure and safe?
  2. Has the data been validated and sanitised?
  3. Do you follow the guidelines and best practices of the framework?

WordPress uses the PHP vsprintf function to prepare SQL statements in $wpdb->prepare(); this method takes a format string and a set of input values as its arguments. From this we know that supplying user input in the format string is never a good idea, because it may not be sanitised (read: protected) against characters that form legitimate sprintf / printf directives. To put it plainly, anyone with this knowledge may use a simple SQL injection to exploit this loophole and gain access to unsanitised (and unprotected) data they should otherwise not be able to reach.

Looking at the source code, you can see that the problem lies with $container_ids. This string is built from tag input, and its values are not properly sanitized. Although it is escaped against classic SQL injection, that escaping does not prevent an attacker from inserting arbitrary format string directives, which can then trigger problems in the prepare() method of the WordPress database abstraction layer.

Now this may sound quite confusing, but if you look at the prepare() method you'll note it makes a few changes to the original SQL string: each %s is substituted with a quoted '%s'. After these substitutions the string is passed to the vsprintf function, which means that any format directives already present in the string are honoured as well. If you have looked at the documentation of PHP's sprintf function, you may be aware of "argument swapping" (directives that select a specific argument by position). When improperly sanitized input reaches a format string, it opens you up to a multitude of problems.
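To make the mechanism concrete, here is an added illustration (not code from NextGEN Gallery or WordPress) that uses a tiny stand-in for $wpdb->prepare(); the table and column names are assumed for illustration. It contrasts the flawed pattern, where the id list is pasted into the format string, with a hardened version that coerces each id to an integer and binds it through a %d placeholder.

```php
<?php
// Added illustration, not NextGEN Gallery's or WordPress's own code.
// Minimal stand-in for $wpdb->prepare(): like WordPress, it wraps each %s in
// quotes and then hands the whole string to vsprintf(). Any directive that was
// already inside the format string is therefore interpreted too.
class FakeWpdb {
    public function prepare(string $query, ...$args): string {
        $query = str_replace("'%s'", '%s', $query);            // drop existing quotes
        $query = preg_replace('/(?<!%)%s/', "'%s'", $query);   // quote %s like WordPress
        return vsprintf($query, $args);
    }
}

// Flawed pattern: the caller-supplied id list is concatenated into the
// FORMAT STRING, so anything in the ids is treated as printf syntax.
// Table/column names are assumed for illustration.
function query_vulnerable(FakeWpdb $wpdb, string $container_ids): string {
    return $wpdb->prepare(
        "SELECT * FROM wp_ngg_pictures WHERE galleryid IN ($container_ids) AND exclude = %d",
        0
    );
}

// Hardened pattern: ids are coerced to integers and bound through %d
// placeholders; nothing user-controlled ever touches the format string.
function query_safe(FakeWpdb $wpdb, array $container_ids): string {
    $ids = array_map('intval', $container_ids);
    if ($ids === []) { $ids = [0]; }                     // never emit "IN ()"
    $placeholders = implode(',', array_fill(0, count($ids), '%d'));
    return $wpdb->prepare(
        "SELECT * FROM wp_ngg_pictures WHERE galleryid IN ($placeholders) AND exclude = %d",
        ...array_merge($ids, [0])
    );
}

$wpdb = new FakeWpdb();
// Well-formed input (constructed) behaves the same either way.
echo query_vulnerable($wpdb, '1,2,3'), "\n";
echo query_safe($wpdb, ['1', '2', '3']), "\n";

// A stray percent directive in the id list (constructed input) reaches vsprintf
// in the flawed version and disturbs argument handling; the hardened version
// reduces it to an integer before it can matter.
try {
    echo query_vulnerable($wpdb, '1,2,%s'), "\n";
} catch (\Throwable $e) {
    echo "flawed version: format string disturbed (", get_class($e), ")\n";
}
echo query_safe($wpdb, ['1', '2', '%s']), "\n";   // the '%s' entry becomes 0
```

The same rule applies to any list you build for an IN (...) clause: generate the placeholders yourself and pass the values as arguments, never as part of the query text.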

So How Does The Exploit Work?

Looking at this particular WordPress plugin's shortcode handling, there are two places where the method that generates the $container_ids string needed for the exploit is reachable:

  • Via the gallery tag shortcode, which requires a privileged, authenticated user to execute this attack.
  • Via the NextGEN Simple TagCloud gallery, where the tags come from the site's URL, so an attacker only has to modify that URL.

An attacker with this knowledge can add extra sprintf / printf directives to the SQL query and rely on the $wpdb->prepare behaviour described above to apply malicious input to the prepared query.

How Do I Know This? What If I Need Further Assistance?

I know what you're thinking after reading all of this: it's a lot to take in. But luckily we have experts who can support you not only with the security problem described above but with many others.

If you want to be alerted to such problems, you need to install an exploit scanner that will search your files, directories and database for issues like the one I've been talking about. You will also need to ensure your applications and all your WordPress plugins are regularly updated.

If this vulnerability has compromised your WordPress site, I would suggest you take the following steps:

  • Download our easy-to-use (really!) exploit scanner.
  • Add this scanner to your WordPress site; it works just like any of your plugins. Upload and activate. That is everything!
  • Let it do all the work, scanning every one of your WordPress files.
  • We inform you which files are compromised and could be abused further by hackers, provide a solution for any exploitation problems you might have, help you clean them up quickly and effectively, and notify you of any further improvements where appropriate.

If you think some of your files have been compromised or abused as a result of this vulnerability and you are uncertain what to do next, contact us and employ an expert to help solve the problems you might have. Then you can get back to doing what you do best: creating more content for your WordPress site or company.