SQL Injection Vulnerability Found in WordPress Plugin

A new SQL injection vulnerability has been found by Sucuri security researchers in the NextGEN Gallery WordPress plugin. The researchers were auditing multiple open source projects for security issues when they discovered the vulnerability.

The vulnerability can be exploited in two different scenarios:
1. If you are using a NextGEN Basic TagCloud Gallery on your site.
2. If you allow users to submit posts to be reviewed.

According to Sucuri, the vulnerability works as follows:

Malicious user injects the following input into the format string/query:

Which will make the query look like this:

When passed to the prepare method, it will be changed to:

(e.g. %s will become '%s')

And then, after the resulting format string is passed through the vsprintf function, the resulting SQL query will have the following form:


This means we will have an extra ' remaining. This breaks our string's single-quote sequence and makes our raw [any_text2] input part of the SQL query itself.

The final attack payloads (using the TagCloud method) would look like the following:




What to do?

  • The patched version of NextGEN Gallery is 2.1.79.

  • Update the plugin immediately.
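To make the mechanism described above concrete, here is an added PHP example that is not code from NextGEN Gallery, Sucuri or WordPress core. prepare_like() is a simplified stand-in for a prepare() step that wraps each bare %s in single quotes and then substitutes its arguments with vsprintf(); the query text, the table name and the tag value abc%sdef are constructed for the demonstration.

```php
<?php
// Simplified stand-in for a prepare() step (not WordPress core): every bare
// %s is wrapped in single quotes, then the arguments are escaped and
// substituted with vsprintf(), as the text above describes.
function quote_placeholders(string $format): string
{
    // %s becomes '%s'; a %s preceded by another % (escaped percent) is kept
    return preg_replace('/(?<!%)%s/', "'%s'", $format);
}

function prepare_like(string $format, array $args): string
{
    $placeholders = preg_match_all('/(?<!%)%s/', $format);
    if ($placeholders !== count($args)) {
        // Every placeholder must come from the developer. A mismatch means
        // untrusted text reached the format string: refuse to build the query.
        throw new InvalidArgumentException(
            "format has $placeholders placeholders but " . count($args) . " arguments");
    }
    $escaped = array_map(fn (string $a): string => addslashes($a), $args);
    return vsprintf(quote_placeholders($format), $escaped);
}

// Vulnerable pattern: the tag is spliced into the format string itself, so a
// %s inside the tag is treated as a placeholder and quoted like one.
function tag_format_vulnerable(string $tag): string
{
    return "SELECT term_id FROM wp_terms WHERE name = '" . $tag . "' AND slug = %s";
}

function tag_query_vulnerable(string $tag): string
{
    return prepare_like(tag_format_vulnerable($tag), ['ngg_tag']);
}

// Hardened pattern: the tag travels as an argument, so prepare_like() quotes
// and escapes it and any %s it contains stays inside the string literal.
function tag_query_safe(string $tag): string
{
    $format = "SELECT term_id FROM wp_terms WHERE name = %s AND slug = %s";
    return prepare_like($format, [$tag, 'ngg_tag']);
}

// Constructed tag carrying a placeholder; see the note below the block.
$tag = 'abc%sdef';
echo quote_placeholders(tag_format_vulnerable($tag)), "\n";
echo tag_query_safe($tag), "\n";
```

With the constructed tag, the vulnerable format string comes out of the quoting step as `name = 'abc'%s'def' AND slug = '%s'`, so the user's `def` now follows a quote the developer never wrote, while tag_query_safe() keeps the whole value inside one literal as `'abc%sdef'`. Calling tag_query_vulnerable() with the same tag is refused by the placeholder count check, because the format then carries two placeholders for a single argument.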
