<p>As part of a vulnerability research project for our Sucuri Firewall (WAF), we have been auditing multiple open source projects looking for security issues. While working on the WordPress plugin NextGEN Gallery, we discovered a severe SQL Injection vulnerability. This vulnerability allows an unauthenticated user to grab data from the victim’s website database, including sensitive user information.</p>
Are You at Risk?
This vulnerability can be exploited by attackers in at least two different scenarios:
- If you use a NextGEN Basic TagCloud Gallery on your site, or
- If you allow your users to submit posts to be reviewed (contributors).