WordPress GRAND Flash Album Gallery plug-in 'gid' parameter SQL Injection Vulnerability
Release date:
Updated on:
Affected Systems:
WordPress GRAND FlAGallery Plugin 2.x
Description:
--------------------------------------------------------------------------------
Bugtraq id: 59732
GRAND Flash Album Gallery is a WordPress plug-in for photo galleries, video galleries, music albums, and ad carousels that lets you manage media content.
GRAND Flash Album Gallery 2.55 does not properly sanitize the value of the "gid" parameter of the "[flagallery]" tag in a post before using it in SQL queries. Attackers can inject arbitrary SQL code and manipulate the resulting SQL queries.
<* Source: vendor
Link: http://secunia.com/advisories/53356/
*>
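To make the flaw class concrete, the following is a constructed illustration added here (it is not the plugin's own code): a shortcode attribute flowing unsanitized into a SQL query, next to a hardened handler that coerces the id to an integer and binds it with WordPress's $wpdb->prepare(). The function names, the example_gallery table and its columns are assumed for the illustration.

```php
<?php
// Constructed example of the bug class described in this advisory; not the
// plugin's real code. Table and column names are assumed.

// Unsafe pattern: the "gid" attribute is interpolated into the query as-is,
// so whatever text the post author wrote becomes part of the SQL statement.
function flaggallery_example_unsafe( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'gid' => '' ), $atts, 'flagallery' );
    $sql  = "SELECT gid, title FROM {$wpdb->prefix}example_gallery WHERE gid = {$atts['gid']}";
    return $wpdb->get_row( $sql ); // $atts['gid'] is untrusted text here
}

// Hardened pattern: coerce the attribute to a non-negative integer and pass it
// to the query as a bound %d placeholder, so it can only ever be a number.
function flaggallery_example_safe( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'gid' => 0 ), $atts, 'flagallery' );
    $gid  = absint( $atts['gid'] ); // non-integer input becomes 0
    if ( 0 === $gid ) {
        return ''; // no valid gallery id: render nothing
    }
    $row = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT gid, title FROM {$wpdb->prefix}example_gallery WHERE gid = %d",
            $gid
        )
    );
    if ( null === $row ) {
        return '';
    }
    // Escape on output as well, since title comes from the database.
    return '<div class="flag-gallery" data-gid="' . esc_attr( $row->gid ) . '">'
         . esc_html( $row->title ) . '</div>';
}
add_shortcode( 'flagallery', 'flaggallery_example_safe' );
```

The hardened version also fails closed: an attribute that does not parse to a positive integer renders nothing instead of reaching the database.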
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
WordPress
---------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://wordpress.org/extend/plugins/flash-album-gallery/changelog/