Sucuri researchers just came across a serious vulnerability that affects WordPress website databases. More particularly, a WordPress gallery plugin with more than 1 million active installations has been found to have a severe SQL injection flaw.
The researchers say that:
While working on the WordPress plugin NextGEN Gallery, we discovered a severe SQL Injection vulnerability. This vulnerability allows an unauthenticated user to grab data from the victim’s website database, including sensitive user information.
Severe WordPress Plugin NextGEN Gallery Vulnerability Found
The flaw in question allows an unauthenticated user to harvest data from a targeted website database, sensitive user information included. Considering the seriousness of the issue, the flaw has been rated critical. Website admins who are using a vulnerable version of the plugin are urged to update it immediately.
According to Sucuri, the vulnerability can be exploited via two conditions: when an admin uses a NextGEN Basic TagCloud gallery, or when the website allows contributors to submit posts for review.
This vulnerability existed because NextGEN Gallery allowed improperly sanitized user input in a WordPress prepared SQL query. This is just like adding user input inside a raw SQL query. Relying on such an attack vector, a malicious actor could leak hashed passwords and WordPress secret keys in certain configurations, the company explained.
Furthermore, a malicious actor would simply need to take advantage of a $container_ids string in for the exploit to be triggered. This could be done either by modifying the NextGEN Basic TagCloud gallery URL or by using the tag gallery shortcode.
With this knowledge, an unauthenticated attacker could add extra sprintf/printf directives to the SQL query and use $wpdb->prepare’s behavior to add attacker-controlled code to the executed query.
Just last month, WordPress secretly fixed a serious zero-day bug. The bug allowed all pages on vulnerable websites to be modified. Also, visitors could have been redirected to malicious sites leading to more security-related complications. WordPress postponed the public announcement for a week and is now urging everyone involved to update.