back to article WordPress photo plugin opens 'a million sites' to SQLi database feasting

A critical flaw has been found in the third-party WordPress NextGEN Gallery plugin that is, according to wordpress.org, actively used by more than a million websites. If you're using this plugin, patch now to version 2.1.79 or greater. If you're a cyber-scamp, well, here's a surefire way to compromise a lot of tardy sites. The …

  1. Donn Bly

    Paying Users?

    Paying users of Wordpress? Surely you jest.

    1. Pomgolian
      FAIL

      Re: Paying Users?

      Unfortunately, no. While the wordpress core may be free, a number of plugins are not, and more often than not the user forgets to renew their licence or support or the "developer" who built the site has wandered off somewhere, leaving a dangerously insecure plugin in place with no easy update path. Sometimes these plugins are "recommended" by the latest and greatest theme and thus it's a downward spiral. Revslider was an example from a couple of years back, Gravity Forms being another more recent one. The lack of a core file upload facility and thus the implementation of this function in every godamn plugin out there is the major reason for the crap happening.

      1. John Brown (no body) Silver badge
        Mushroom

        Re: Paying Users?

        "The lack of a core file upload facility and thus the implementation of this function in every godamn plugin out there is the major reason for the crap happening."

        Isn't it time Wordpress was nuked from orbit and went the same way as Adobe Flash? Oh, wait....

    2. This post has been deleted by its author

  2. Drew 11

    Along with lazy plug-in devs who attach unneeded CSS and JS files, leading to wordpress websites that download sometimes 100 or more .css and .js files full of unused code.

    Which is why people have to go out and get a faster computer or more RAM just to get a website to function half-pie decently.

    But don't get me started. The entire WordPress system is a dog's breakfast.

    1. Pomgolian
      Alert

      >The entire WordPress system is a dog's breakfast.

      Feeding Wordpress to your dog would be considered animal cruelty and warrant a visit from the SPCA.

  3. Alan J. Wylie

    Lots more WordPress plugin vulnerabilities disclosed yesterday

    At the Summer of Pwnage site: https://sumofpwn.nl/advisories.html

    1. Anonymous Coward
      Anonymous Coward

      Re: Lots more WordPress plugin vulnerabilities disclosed yesterday

      Thanks for that - it appears I have none of the vulnerable ones installed.

      That said, I deliberately keep WP sites as bare as I can make them - even Themes can be a risk.

      I am wondering why I get so many attempts to reach "/integration" - can't seem to find what security problem that is trying to abuse (it's clearly not working if it shows up in the 404 log :) ).

      1. Anonymous Coward
        Anonymous Coward

        Re: Lots more WordPress plugin vulnerabilities disclosed yesterday

        I'm convinced there's a longstanding SQLi hole in Wordpress itself.

  4. Tom Paine Silver badge
    Coat

    WordPress?

    TURDPress, more like.

    Mine's the one with the handrolled Perl-based CMS in the inside pocket.

  5. No Quarter

    It would be easier if the Register would report when they find Wordpress plug-ins that are not vulnerable.

    1. Anonymous Coward
      Anonymous Coward

      I think they do. I mean, they would if they could find one.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019