Zero Day SQL Injection Vulnerability in WordPress Video Gallery

Update 2 on Feb 24th: A new version of this plugin has been released. We’ve run a penetration test on the plugin and the ‘vid’ parameter is no longer exploitable. We tested several other parameters and it appears at this point that the original security issue has been resolved.

Update @9:45PM PST: About an hour before posting this we alerted the official WP repository admins about this issue. Looks like they have now yanked the affected plugin until the vulnerability is fixed, so the link below to the plugin will be a dead link until the author fixes the issue.

There is currently a zero day SQL injection vulnerability in the WordPress Video Gallery plugin. Our researchers are seeing exploits in the wild for this and the exploits claim the vendor has been notified on the 9th of February.

The plugin still has not been updated by the vendor. Because this is being exploited actively and the vendor has been notified, we are now publicly disclosing the existence of this vulnerability.

The vulnerability allows an attacker to download the contents of every database that your WordPress database user has access to. We have verified this in our lab by exploiting one of our internal systems with the newest version of this plugin installed.
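The bug class behind this advisory is a request parameter (the 'vid' parameter named in the Feb 24th update) that reaches the database without being validated or bound. The following PHP is an added illustration written for this post, not the Video Gallery plugin's own code: the function names, the table name `{$wpdb->prefix}video_items` and the small `$wpdb` stand-in are assumptions so the file can be run on its own with `php`. It shows the unsafe pattern beside the WordPress-idiomatic fix (`absint()` plus `$wpdb->prepare()` with a `%d` placeholder).

```php
<?php
// Added example, not the plugin's code. Demonstrates an unsanitised 'vid'
// parameter concatenated into SQL versus the same lookup done safely.
// Table name and function names are assumptions for illustration.

// Stand-in for WordPress's global $wpdb so this file runs outside WordPress.
// Inside a real plugin, WordPress supplies $wpdb; never define your own.
if ( ! isset( $wpdb ) ) {
    $wpdb = new class {
        public $prefix = 'wp_';
        // The real prepare() escapes %s arguments and casts %d to integer;
        // this stub only formats so the resulting SQL can be printed.
        public function prepare( $query, ...$args ) {
            return vsprintf( str_replace( '%s', "'%s'", $query ), array_map( 'addslashes', $args ) );
        }
        // Return the SQL instead of executing it, so the demo is read-only.
        public function get_row( $sql ) { return $sql; }
    };
}

// absint() is a WordPress core helper; same body as core, defined only
// when the file runs stand-alone.
if ( ! function_exists( 'absint' ) ) {
    function absint( $maybeint ) { return abs( (int) $maybeint ); }
}

// VULNERABLE: the raw request value is pasted straight into the query,
// so any non-numeric text in 'vid' becomes part of the SQL statement.
function vg_get_video_unsafe( $vid ) {
    global $wpdb;
    $sql = "SELECT * FROM {$wpdb->prefix}video_items WHERE id = " . $vid;
    return $wpdb->get_row( $sql );
}

// HARDENED: coerce to a non-negative integer, reject zero/empty input,
// and bind the value through a %d placeholder so it can only ever be a number.
function vg_get_video_safe( $vid ) {
    global $wpdb;
    $id = absint( $vid );
    if ( 0 === $id ) {
        return null; // empty or non-numeric input: nothing to look up
    }
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}video_items WHERE id = %d",
        $id
    );
    return $wpdb->get_row( $sql );
}

// Constructed sample input standing in for a tampered 'vid' query parameter.
$sample_vid = "1 OR 1=1";

echo "unsafe: " . vg_get_video_unsafe( $sample_vid ) . PHP_EOL;
// unsafe: SELECT * FROM wp_video_items WHERE id = 1 OR 1=1

echo "safe:   " . vg_get_video_safe( $sample_vid ) . PHP_EOL;
// safe:   SELECT * FROM wp_video_items WHERE id = 1
```

The point of the comparison is that the hardened version never lets request text become SQL syntax: the value is reduced to an integer before it is bound, and the placeholder, not string concatenation, puts it into the query. The same pattern (validate type, then `$wpdb->prepare()`) is what to look for when reviewing any plugin that reads `$_GET`/`$_POST` values into database calls.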

At this time we recommend you disable and remove the plugin code immediately to close the security hole. When the vendor releases a security fix you can consider reinstalling this plugin.

Note: In our testing, disabling this plugin does appear to remove the ability to exploit this vulnerability. However, just to be safe, we recommend that you also delete this plugin’s code.

The exploit also includes a ‘googledork’, a Google search query that lets attackers locate sites running the vulnerable plugin in order to exploit them.

Please share/tweet/mail this to your fellow WordPress administrators to help create awareness about this serious issue.


Comments

4 Comments
  • Fantastic work. Well done on detecting this as vanguards of the WordPress community. Hopefully others aren't affected catastrophically.

  • Looks like a new version was added back into the repo that fixes this issue (the patch follows the recommendation given in the exploit-db post); but, given the quality of the code and how severely it ignores WP style guides, perhaps users should reconsider using it at all.

  • Hi,

    Thanks for the information. Seems the vulnerability issues with the Video Gallery Plugin have been fixed and updated, so upgrading the plugin removes the hole. The fixed package is available to download from the following link: https://wordpress.org/plugins/contus-video-gallery/.

  • I appreciated the notification Wordfence provided via email and on your blog. I took quick action. I know that I can count on WF for future security alerts. I can't wait until I have some cash to upgrade my WF tools as you are worthy of support!! THANKS. Please see the following updates from the author.

    Author / member [ https://profiles.wordpress.org/hdflvplayer/ ] advises that this is fixed. Does Wordfence have any further advice? Following is text from author's team:

    https://wordpress.org/support/topic/zero-day-sql-injection-vulnerability-in-wordpress-video-gallery?replies=2#post-6609658

    The vulnerability issues posted with the plugin have been fixed already and the updated plugin is up now and ready to download. You could check the change log for more details. The plugin is now free from these issues, and you can download it once again for free. Please use the following link https://wordpress.org/plugins/contus-video-gallery/ to download the fixed package.

    Thanks
    Apptha Team