A WordPress plugin installed on over one million sites has just fixed a severe SQL injection vulnerability that can allow attackers to steal data from a website’s database. The vulnerable plugin’s name is NextGEN Gallery, a plugin so successful that it has its own set of plugins. The vulnerability was discovered by web security firm Sucuri. Sucuri gave this vulnerability a score of 9 out of 10, mainly due to how easy was it to exploit the flaw, even for non-technical attackers. The plugin’s authors fixed this flaw in Nextgen Gallery 2.1.79.
Source: https://www.bleepingcomputer.com/news/security/severe-sql-injection-flaw-discovered-in-wordpress-plugin-with-over-1-million-installs/