WordPress Plugin NextGEN Gallery Vulnerable to SQL Injection Attack

The NextGEN Gallery plugin has been hit by a severe security flaw for the second year in a row, and this time the impact is worse.

Web security firm Sucuri has found that the NextGEN Gallery plugin for WordPress (WP) is affected by a severe SQL injection vulnerability. By injecting SQL through the plugin, an attacker can read the targeted website's database, including sensitive data such as user records, within minutes.

“This is quite a critical issue. If you are using a vulnerable version of this plugin, update as soon as possible!”


According to Sucuri researcher Slavco Mihajloski, there are two ways the vulnerability can be exploited. If a site uses the plugin and allows users to submit posts, an attacker can trigger the flaw through a crafted gallery shortcode in a post, since the shortcode's attributes reach the plugin's SQL query. If a site uses the NextGEN Basic TagCloud gallery, no account is needed at all: the attacker simply modifies the gallery's URL so that the tag parameters carry SQL instead of tag names.
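Both entry points described above share one root cause: attacker-controlled tag names reach the SQL text. The following Python example is added here to illustrate that mechanism; it is not NextGEN Gallery's code, and the `gallerytag` URL parameter, the `[gallery tags="..."]` shortcode, the table layout and the sample rows are assumptions for illustration only. It builds the tag filter once by string concatenation (vulnerable) and once with placeholders (safe), then runs a UNION-based payload through both against an in-memory SQLite database.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlparse

# Constructed sample data: a stand-in for a gallery/tag table and for the
# WordPress users table an injection would typically target. Not real
# NextGEN Gallery tables or real credentials.
SAMPLE_SCHEMA = """
CREATE TABLE galleries (id INTEGER PRIMARY KEY, name TEXT, tag TEXT);
CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pass_hash TEXT);
INSERT INTO galleries VALUES (1, 'Holidays', 'travel'),
                             (2, 'Pets', 'cats'),
                             (3, 'Office', 'work');
INSERT INTO users VALUES (1, 'admin', '$P$BexampleHashOnly');
"""


def make_db():
    """Fresh in-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    return conn


def tags_from_url(url):
    """Hypothetical tag cloud URL: ?gallerytag=travel,cats (comma separated).
    This models the unauthenticated path: anyone can edit the URL."""
    params = parse_qs(urlparse(url).query)
    return params.get("gallerytag", [""])[0].split(",")


def tags_from_shortcode(post_body):
    """Hypothetical shortcode in a user-submitted post: [gallery tags="travel,cats"].
    This models the contributor path: the post author controls the attribute."""
    m = re.search(r'\[gallery\s+tags="([^"]*)"\]', post_body)
    return m.group(1).split(",") if m else []


def vulnerable_lookup(conn, tags):
    """VULNERABLE: each tag is spliced into the SQL text, so a single quote in
    a tag closes the string literal and the rest of the tag is parsed as SQL."""
    in_list = ", ".join("'" + t + "'" for t in tags)
    sql = "SELECT name FROM galleries WHERE tag IN (" + in_list + ")"
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, tags):
    """SAFE: one placeholder per tag; the values travel separately from the
    SQL text, so a quote in a tag is just a character to compare against."""
    placeholders = ", ".join("?" for _ in tags)
    sql = "SELECT name FROM galleries WHERE tag IN (" + placeholders + ")"
    return [row[0] for row in conn.execute(sql, tags)]


# Payload that closes the IN list and appends a UNION reading the users table.
# The trailing "--" comments out whatever the application appends afterwards.
PAYLOAD = "travel') UNION SELECT login || ':' || pass_hash FROM users --"

if __name__ == "__main__":
    db = make_db()
    print(safe_lookup(db, tags_from_url("https://example.com/?gallerytag=travel,cats")))
    print(vulnerable_lookup(db, tags_from_url("https://example.com/?gallerytag=" + PAYLOAD)))
    print(safe_lookup(db, [PAYLOAD]))
```

With an ordinary tag list both functions return the same galleries; with the payload, `vulnerable_lookup` also returns `admin:$P$BexampleHashOnly` from the users table, while `safe_lookup` returns nothing because the whole payload is compared as a literal tag. In a WordPress plugin the equivalent of the `?` placeholders is `$wpdb->prepare()` with the user values passed as arguments, never already interpolated into the query string.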

So far there are no reports of the vulnerability being exploited in the wild, but with over 1 million active installs of the plugin, a working attack against unpatched sites could do enormous damage if the issue is not addressed quickly.

This is also not the first time that NextGEN Gallery has been affected by a critical vulnerability. Last year, researchers disclosed a remote code execution flaw in the plugin that posed a serious threat to its users.

Although this is a vulnerability in a WordPress plugin, the CMS itself has not been immune either. Last month, security researchers at Sucuri discovered a severe content injection vulnerability in WordPress that let unauthenticated attackers edit the content of WP-based websites.

It must be noted that within days of that vulnerability being disclosed, attackers defaced thousands of WP websites that had not yet been updated.

Simple solution:

If you are running the NextGEN Gallery plugin on your website, update it to the latest version now. Sites that let untrusted users submit posts, or that expose a NextGEN Basic TagCloud gallery, are reachable by both attack paths described above and should be updated first.


Uzair Amir

I am an Electronic Engineer, an Android Game Developer and a Tech writer. I am into music, snooker and my life motto is 'Do my best, so that I can't blame myself for anything.'