Tag Archives: sql injection

SQL Injection Vulnerability in NextGEN Gallery for WordPress

As part of a vulnerability research project for our Sucuri Firewall (WAF), we have been auditing multiple open source projects looking for security issues. While working on the WordPress plugin NextGEN Gallery, we discovered a severe SQL Injection vulnerability. This vulnerability allows an unauthenticated user to grab data from the victim’s website database, including sensitive More Info »

SQL Injection Vulnerability in Ninja Forms

As part of our regular research audits for our Sucuri Firewall, we discovered an SQL Injection vulnerability affecting the Ninja Forms plugin for WordPress, currently installed on 600,000+ websites. Vulnerability Disclosure Timeline: August 11th 9:35 am, 2016 – Initial report to the Ninja Forms team August 11th 2:49 pm, 2016 – Public release of version… More Info »

Drupal SQLi (Drupalgeddon) Attack Trend CVE-2014-3704 / SA-CORE-2014-005

It has been over 19 months since Drupalgeddon, which refers to Drupal’s Security Advisory (SA) SA-CORE-2014-005. For those unfamiliar with it, it was a highly critical SQL Injection (SQLi) vulnerability that allowed an attacker to arbitrarily execute SQL commands remotely, leading to potential privilege escalation issues and execution of PHP code on the server.  The vulnerability… More Info »

Joomla SQL Injection Attacks in the Wild

  Last week, the Joomla team released an update patching a serious vulnerability in Joomla 3.x. This vulnerability, an SQL injection (CVE-2015-7858), allows for an attacker to take over a vulnerable site with ease. We predicted that the attacks would start in the wild very soon, due to the popularity of the Joomla platform alongRead More Info »

Highly Critical SQL Injection Vulnerability Patched in Drupal Core

The Drupal team just released a security update for Drupal 7.x to address a highly critical SQL injection vulnerability. This bug can be exploited remotely by non-authenticated users and was classified as “Highly Critical” by the Drupal Security team. More information is available in their public advisory: Posted by Drupal Security Team on October 15, More Info »