Zero Day SQL Injection Vulnerability in WordPress Video Gallery
Update 2 on Feb 24th: A new version of this plugin has been released. We’ve run a penetration test on the plugin and the ‘vid’ parameter is no longer exploitable. We tested several other parameters and it appears at this point that the original security issue has been resolved.
Update @9:45PM PST: About an hour before posting this we alerted the official WP repository admins about this issue. Looks like they have now yanked the affected plugin until the vulnerability is fixed, so the link below to the plugin will be a dead link until the author fixes the issue.
There is currently a zero day SQL injection vulnerability in the WordPress Video Gallery plugin. Our researchers are seeing exploits in the wild for this and the exploits claim the vendor has been notified on the 9th of February.
The plugin still has not been updated by the vendor. Because this is being exploited actively and the vendor has been notified, we are now publicly disclosing the existence of this vulnerability.
The vulnerability allows an attacker to download all databases that your WordPress system has access to. We have verified this in our lab by exploiting one of our internal systems with the newest version of this plugin installed.
At this time we recommend you disable and remove the plugin code immediately to close the security hole. When the vendor releases a security fix you can consider reinstalling this plugin.
Note: In our testing, disabling this plugin does appear to remove the ability to exploit this vulnerability. However we recommend that just to be safe, you also delete this plugin’s code.
A ‘googledork’ is also available in the exploit which allows attackers to use Google to find sites which suffer from this vulnerability in order to exploit them.
Please share/tweet/mail this to your fellow WordPress administrators to help create awareness about this serious issue.