Researchers find “severe” flaw in WordPress plugin with 1 million installs

by Dan Goodin
from Ars Technica - All content

More than 1 million websites running the WordPress content management system may be vulnerable to hacks that allow visitors to snatch password data and secret keys out of databases, at least under certain conditions.

The vulnerability stems from a "severe" SQL injection bug in NextGEN Gallery, a WordPress plugin with more than 1 million installations. Until the flaw was recently fixed, NextGEN Gallery allowed input from untrusted visitors to be included in WordPress-prepared SQL queries. Under certain conditions, attackers can exploit the weakness to pipe powerful commands to a Web server's backend database.

"This is quite a critical issue," Slavco Mihajloski, a researcher with Web security firm Sucuri, wrote in a blog post published Monday. "If you're using a vulnerable version of this plugin, update as soon as possible."

External content
Source: RSS or Atom feed
Feed location: http://feeds.arstechnica.com/arstechnica/index
Feed title: Ars Technica - All content
Feed link: https://arstechnica.com/