NextGEN Gallery Plugin – Security Alert!

SUCURI, a leading WordPress security company, announced its discovery of an SQL injection vulnerability in the popular NextGEN Gallery plugin.

This vulnerability can be exploited by attackers in at least two different scenarios:

1. If you use a NextGEN Basic TagCloud Gallery on your site.

2. If you allow your users to submit posts to be reviewed (contributors).

If you fit either of these two cases, you’re definitely at risk.

This issue existed because NextGEN Gallery placed improperly sanitized user input inside a WordPress prepared SQL query, which is effectively the same as embedding user input directly in a raw SQL query. Using this attack vector, an attacker could leak hashed passwords and WordPress secret keys in certain configurations.
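To make the point above concrete, here is an added illustration of the pattern in a generic WordPress plugin; it is not NextGEN Gallery’s code, and the function names (`example_tag_ids_unsafe`, `example_tag_ids_safe`) and the tag-slug input are assumptions for the example. The first function concatenates user-controlled text (for instance a tag slug taken from the request, or from a shortcode attribute a contributor can write) into the query string before `$wpdb->prepare()` sees it; `prepare()` only substitutes `%s`/`%d` placeholders, so anything already in the string is executed as SQL. The second function passes every value as a placeholder argument so that `prepare()` escapes and quotes each one.

```php
<?php
// Added illustration, not NextGEN Gallery's own code. Function names and the
// tag-slug input are hypothetical; $wpdb is the global WordPress database object.

/**
 * Vulnerable pattern: the slugs are spliced into the SQL text BEFORE
 * $wpdb->prepare() is called. With no placeholders left to substitute,
 * prepare() offers no protection and the query behaves like a raw one.
 */
function example_tag_ids_unsafe( $wpdb, array $slugs ) {
    $list = "'" . implode( "','", $slugs ) . "'";          // user-controlled text
    $sql  = "SELECT term_id FROM {$wpdb->terms} WHERE slug IN ({$list})";
    return $wpdb->get_col( $wpdb->prepare( $sql ) );        // no placeholders: unsafe
}

/**
 * Hardened pattern: one %s placeholder per value, with the values handed to
 * prepare() as arguments, so each one is escaped and quoted by WordPress.
 */
function example_tag_ids_safe( $wpdb, array $slugs ) {
    if ( empty( $slugs ) ) {
        return array();
    }
    $placeholders = implode( ',', array_fill( 0, count( $slugs ), '%s' ) );
    $sql = "SELECT term_id FROM {$wpdb->terms} WHERE slug IN ({$placeholders})";
    // prepare() accepts the values either as variadic arguments or as one array.
    return $wpdb->get_col( $wpdb->prepare( $sql, $slugs ) );
}
```

When auditing plugin code, the thing to look for is exactly the first shape: a query string assembled with `.`, `sprintf()` or interpolation from request data, shortcode attributes or post content, and then passed to `$wpdb->prepare()` with no placeholder arguments. Current WordPress releases also emit a `_doing_it_wrong` notice when `prepare()` is called without placeholders, so enabling debug logging on a staging copy is a cheap way to surface such calls.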

SUCURI advises updating to the latest version of the NextGEN Gallery plugin now.

You can read more about the SQL injection vulnerability on the SUCURI Blog.


At Current Media Group we take security very seriously. With our Managed WordPress Hosting, we make sure that our clients’ websites are backed up daily and protected with multiple firewalls throughout our enterprise-grade infrastructure. Our real-time security threat detection, security audits, and code reviews help keep clients’ sites safe. Should a website become compromised, we will immediately take action to find the exploit, remove the malicious code, and have the site back up and running in no time.