NextGEN Gallery For WordPress SQL Injection Vulnerability

Have you found yourself the target of malicious SQL injection in WordPress? Are you using the NextGEN Gallery plugin? Read on to find out how to respond to and remove this threat.

As part of my quest to find a fix for each and every WordPress vulnerability that crops up, I find myself sliding down the side of an icy, sheer rock face: once I write about one fix, ten more crop up. But knowing I can help just one person means the world to me. I feel like a superhero without the cape or the powers, but at least the shared knowledge powers me to continue onward.

So, without further ado: you find that something is wrong with your WordPress site; your data seems to have been leaked and is now hosted on a Pastebin site. How on earth did this happen? What exactly is the issue, and how do you not only spot it but also remove it so that it does not happen again?

It recently came to light that there was a vulnerability in NextGEN Gallery, a very popular (and honestly brilliant) WordPress gallery plugin, that allowed for SQL injection; this in turn allows the attacker to retrieve and leak hashed passwords and WordPress secret keys. Put bluntly, this vulnerability in NextGEN Gallery allows an unauthorised user to pilfer data from a WordPress site, including sensitive user information.

So, How Does This Affect You?

Well, first of all, you need to be using NextGEN Gallery, so if you're not, off you go.

This vulnerability can be exploited in two specific situations:

  • You are using NextGEN Basic TagCloud Gallery on your site.
  • You allow Contributors to submit posts/comments to be reviewed.

If you tick any of the above criteria, you are at risk.

This problem exists because NextGEN Gallery allows user input into the format string of a WordPress prepared SQL query, which amounts to allowing user input in a raw SQL query. In layman's terms, this means that even a user without admin permissions could go rogue and use this attack vector to leak hashed passwords and WordPress secret keys. That means not only does the hacker unearth your password hashes, but they also gain your WordPress secret keys.

Trusting The Input… Don’t

You have to be vigilant when it comes to how much you trust your input. Maintaining this mantra ensures that your customers have better security and remain safe when using your WordPress site. When considering your input, you always have to ask yourself the same questions.

  • Is the input safe and secure?
  • Has the input been checked and sanitised?
  • Do you follow framework rules and best-practices?

WordPress uses PHP's vsprintf function to prepare SQL statements in $wpdb->prepare(); the SQL string is the format string and the input values are its arguments. It is therefore never a good idea to put user input into the format string, as it may not be sanitised (read: protected) against characters that form valid sprintf/printf directives. Simply put, someone with the knowledge can use a simple SQL injection to exploit this loophole and gain access they otherwise shouldn't have, through the unsanitised (and unprotected) input.

Looking at the source code, you will find the issue centres on $container_ids: this string is built from tag input, so its values are usually not properly sanitised. Whilst the tag input is escaped against direct SQL injection, that does not prevent arbitrary format-string directives from being inserted by an attacker, and doing so interferes with the WordPress database abstraction's prepare() method.

Now this may seem rather complicated, but looking at the prepare method's code you will notice a few changes made to the original SQL: each %s is replaced with '%s'. After these changes the string is passed to vsprintf, which means that any valid directives inserted into it will be interpreted. If you have looked at the PHP sprintf documentation, you will know that argument swapping (referring to arguments by position) is supported. When improperly sanitised input is added to a format string, it opens you up to a wealth of issues.

So How Does The Exploit Work?

Looking at the shortcode handling of this particular WordPress plugin, the function that creates the $container_ids string needed to get the exploit working is reached from two places:

  • Via the tag gallery shortcode, which requires a privileged and authenticated user to perform the attack.
  • When accessing tags from the NextGEN Basic TagCloud gallery, which an attacker can reach by modifying the gallery's URL just a little.

With the knowledge and the ability to do this, an attacker could add additional sprintf/printf directives to the SQL query and use the $wpdb->prepare behaviour mentioned above to inject malicious code into the query they control.
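To make the mechanism from the last two sections concrete, here is an added example (not NextGEN Gallery's or WordPress core's code). fake_prepare() is a hypothetical stand-in for $wpdb->prepare() that does only what the post describes: quote %s as '%s', escape the arguments and hand everything to vsprintf(). It assumes PHP 8, where vsprintf throws ArgumentCountError when a directive has no argument.

```php
<?php
// Hypothetical stand-in for $wpdb->prepare(); added example, not WordPress code.
function fake_prepare(string $format, array $args): string {
    $format = str_replace("'%s'", '%s', $format); // normalise any pre-quoted placeholder
    $format = str_replace('%s', "'%s'", $format); // quote every string placeholder
    $args = array_map(fn($a) => addslashes((string) $a), $args); // escape the values
    return vsprintf($format, $args);
}

// Unsafe pattern: the user-supplied tag names are spliced into the FORMAT string,
// so any % sequence inside a tag name is parsed by vsprintf as a directive.
function build_query_unsafe(array $tag_names): string {
    $list = "'" . implode("','", $tag_names) . "'";
    return fake_prepare(
        "SELECT term_id FROM wp_terms WHERE name IN ({$list}) AND term_group = %d", [0]);
}

// Safe pattern: the format string contains only placeholders we generated ourselves;
// the tag names travel exclusively as arguments and are never scanned for directives.
function build_query_safe(array $tag_names): string {
    $placeholders = implode(',', array_fill(0, count($tag_names), '%s'));
    return fake_prepare(
        "SELECT term_id FROM wp_terms WHERE name IN ({$placeholders}) AND term_group = %d",
        array_merge($tag_names, [0]));
}

// Constructed input: a tag name that happens to contain a format directive.
$tags = ['summer%s', 'winter'];

// Safe builder: the odd tag name survives as a quoted literal value in the query.
$safe = build_query_safe($tags);
assert(str_contains($safe, "'summer%s'"));
echo $safe, PHP_EOL;

// Unsafe builder: the directive inside the tag name consumes the argument that was
// meant for term_group, so vsprintf runs out of arguments. The query shape is now
// decided by whoever chose the tag name, which is exactly the bug described above.
try {
    echo build_query_unsafe($tags), PHP_EOL;
} catch (ArgumentCountError $e) {
    echo 'unsafe builder failed: ', $e->getMessage(), PHP_EOL;
}
```

The defensive rule it illustrates: generate the placeholder list yourself (array_fill is the usual WordPress idiom) and never let a value you did not write reach the first parameter of prepare().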

How Will I Know About This? I May Need More Help.

I know what you may be thinking from reading all of the above… it is a lot to take in. But fortunately we have professionals who can help you with not only the above security issue, but plenty of others.

If you want to be alerted to such issues, you need to install an exploit scanner which will scan your files, folders and database for issues such as the one I have been discussing. Also you need to make sure you are continuously updating your software and all of your WordPress plugins.

If your WordPress site has been hacked as a result of this vulnerability, I would recommend that you take the following steps:

  1. Download our simple, easy to use (really!) exploit scanner from 
  2. Upload this scanner to your WordPress site; it works just like any of your other plugins. Upload and activate. That is all!
  3. Let us do all the work by scanning all of your WordPress files.
  4. We tell you which files are corrupted and could be further exploited by hackers, provide you with a solution to any issues you may have, help you clean them up quickly and efficiently, and advise of any further changes wherever necessary.

Should you find that any of your files have been corrupted or exploited as a result of this vulnerability and be unsure what to do next, Contact Us and Hire an Expert to help resolve the issues you may have; you can then get back to doing what you do best and providing more content for your WordPress site or business.

Until next time.
