As part of a vulnerability research project, Sucuri has been auditing multiple open source projects looking for security issues. While working on the WordPress plugin NextGEN Gallery, they discovered a severe SQL Injection vulnerability. This vulnerability allows an unauthenticated user to grab data from the victim’s website database, including sensitive user information.
This vulnerability can be exploited by attackers in at least two different scenarios:
- If you use a NextGEN Basic TagCloud Gallery on your site, or
- If you allow your users to submit posts to be reviewed (contributors).
This issue existed because NextGEN Gallery allowed improperly sanitized user input into a WordPress prepared SQL query, which is basically the same as adding user input inside a raw SQL query.
Using this attack vector, an attacker could leak hashed passwords and WordPress secret keys in certain configurations.
The golden rule is “never trust the input”. Following it leads to better security and safer customers.
In every scenario the developer must ask a few simple questions:
- Is this input safe enough?
- Is it sanitized?
- Do we follow any framework-specific rules and best practices?
WordPress uses the PHP vsprintf function to prepare SQL statements in $wpdb->prepare(), which means that the SQL statement is a format string and the input values are its arguments.
The conclusion is that it is never a good idea to put user input in the format string, because it may not be sanitized against characters that form valid sprintf/printf directives.
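As an added defensive check, not code from Sucuri or from NextGEN Gallery, the following Python audit flags every `$wpdb->prepare()` call whose format string is not built purely from string literals, which is exactly the pattern described above. The PHP it scans is a constructed sample, `first_argument` is a small quote-aware scanner rather than a full PHP parser, and the `{$wpdb->table}` exception is an assumption about the usual WordPress table-name idiom.

```python
import re
PREPARE_CALL = re.compile(r"\$wpdb\s*->\s*prepare\s*\(")     # '(' is the last character matched
# PHP string literal: single-quoted, or double-quoted without interpolation (except {$wpdb->table}).
LITERAL = re.compile(r"""\s*(?:'(?:\\.|[^'\\])*'|"(?:\\.|\{\$wpdb->\w+\}|[^"\\$])*")\s*""")

def first_argument(src: str, open_paren: int) -> str:
    # Source text of the first argument of the call whose '(' sits at index open_paren.
    depth, quote, i = 0, None, open_paren
    while i < len(src):
        ch = src[i]
        if quote:                                # inside a string literal
            if ch == "\\":
                i += 1                           # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        else:
            depth += {"(": 1, ")": -1}.get(ch, 0)
        if depth == 0 or (ch == "," and depth == 1 and not quote):
            return src[open_paren + 1:i]
        i += 1
    return src[open_paren + 1:]

def format_string_is_static(arg: str) -> bool:
    # True only when the format string is literals joined by '.', with nothing else in it.
    pos = 0
    while m := LITERAL.match(arg, pos):
        pos = m.end()
        if pos == len(arg):
            return True
        if arg[pos] != ".":
            return False
        pos += 1
    return False

def audit(src: str) -> list:
    # (line number, first argument) for every prepare() whose format string is not static.
    findings = []
    for m in PREPARE_CALL.finditer(src):
        arg = first_argument(src, m.end() - 1)
        if not format_string_is_static(arg):
            findings.append((src.count("\n", 0, m.start()) + 1, arg.strip()))
    return findings
# Constructed sample, not NextGEN Gallery's code: only line 2 keeps data out of the format string.
SAMPLE_PHP = r'''<?php
$ok   = $wpdb->prepare("SELECT * FROM {$wpdb->terms} WHERE slug IN (%s, %s)", $a, $b);
$bad  = $wpdb->prepare("SELECT * FROM wp_terms WHERE slug IN (" . implode(',', $tags) . ")");
$bad2 = $wpdb->prepare("SELECT * FROM wp_terms WHERE slug = '$tag'");
'''
```

Running `audit(SAMPLE_PHP)` reports lines 3 and 4; the check is deliberately conservative, so any concatenation or interpolation in the format string is reported even when the appended value is not request data.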
More information can be found here: SQL Injection Vulnerability in NextGEN Gallery for WordPress