'More than 1 million websites running the WordPress content management
system may be vulnerable to hacks that allow visitors to snatch
password data and secret keys out of databases, at least under certain

The vulnerability stems from a "severe" SQL injection bug in NextGEN
Gallery, a WordPress plugin with more than 1 million installations.
Until the flaw was recently fixed, NextGEN Gallery allowed input from
untrusted visitors to be included in WordPress-prepared SQL queries.
Under certain conditions, attackers can exploit the weakness to pipe
powerful commands to a Web server's backend database.'

Dept. of Computer Science
University of Waikato, NZ
+64 (7) 858-5174