I am running version 1.9.6 of NGG with WP 3.4.2. I am looking at my WP_OPTIONS table in MYSQL and see a huge amount of names and websites inside the “option_value” field in WP_OPTIONS. This entry is actually quite large.
This is all showing up in a row with option_name = ‘_transient_ngg_request_b3ba86fd0f2ae10ebb35517da90952a7’.
Matter of fact, there is a link to a place called haveagraceday.org which has been listed in Google’s list of malware sites among all the names and URL’s listed in that record in the WP_OPTIONS table.
OK – I have this entry in my WordPress database and would like to ask a few questions:
1. What exactly is this entry in WP_OPTIONS for?
2. How come there are so many links with so many names in my database? What is the purpose of listing all this stuff? Given there is a link there that is associated with a malware site, I am concerned.
3. Last but most important: is this entry in WP_OPTIONS necessary for the plugin to work properly?
If this is not an NGG related record that is fine, please just let me know. But given the key to the row has “transient_ngg_request”, I thought this would be the appropriate place to ask.
Sure look forward to a prompt reply regarding these questions –
I’d like to second bowtie6 on what he has said. I have had the same problem as well on my WordPress site running NextGen Gallery and this has triggered one of my security plugins to detect malicious sites in the database (in this case, haveagraceday.org). I found out this was listed in an entry named “_transient_ngg_request_b3ba86fd0f2ae10ebb35517da90952a7” inside “wp_options”.
I have cleared the links within the entry, which has removed the errors. However, I’m not sure if this comes as a build in NextGen or if it is my site after I got hacked last month.
I don’t think this is an issue with your site getting hacked. I think it is an issue with NextGen Gallery. For some reason, this extra “stuff” is making its way into our databases and nothing is done about it. I had no idea of all this until my scanner plugin told me that haveagraceday.org was a malware site.
If anyone has any doubt about it then read what Google has to say:
I was hoping by now someone from NGG would have had something to add to this. Perhaps they don’t realize this is indeed a security issue…
I think this is a security issue, for the past few weeks my firewall has been sending me anonymous emails at a rate of 200 per minute.
I’ll email the developers and ask them if they know about this, yet I can’t trust this plugin if there is a security issue! I’ve put my site offline for now whilst I see what they say.
Looks like you and I are the only ones with this issue…
I have tried to contact NextGen directly. They have not replied. I also find it a little sad that they have not replied here.
Sure wish they would since this is a legit concern.
I’ve found the same thing in my database. I may have to disable this plugin.
I’ve got through to Photocrati, and they should be investigating this. They have said it seems like my site was hacked, so this could be a backdoor into the system.
May be worth you guys checking you haven’t had any files added to your directory (hacked)?
Hacks are usually site specific. If you have concrete evidence of a security issue within any plugin, then please contact the plugin’s developer(s) directly. Do not post details on any public forum.
I’ve contacted the developers, they should be getting back soon, but I’m not going to post specific details here!
I have sent a very detailed message to Photocrati via their support page. I included the information I listed here PLUS more. I was able to find something else that as esmi said is not suitable to post here. HOWEVER, the good folks at Photocrati have not replied back with any information and/or comments.
I sent the information to Photocrati before I posted any information here. PLUS, what I found is conclusive evidence the problem is on their side not yours. So Carmichaelalonso if they try to blame this on your website being hacked that is not true.
Carmachaelalonso if you are able to send them an email and let them know about the information I left, that would help them figure this out.
There is certainly MORE to this.
Yep, I told him you guys were having a similar problem and you have not been hacked.
If I get another response I will include more info (what the field contains, etc.). If I get no response, then I’ll stop using NextGen, as it will be unreliable.
Bowtie6: I’ll stop using the plugin if there are problems, and I think you will too! Let me know if there is anything I can send them but if you want to email them directly try this address ( nextgen [AT] photocrati [dot] com). They may be more likely to reply to that (I’m guessing you’ve used the contact form).
Thank you carmichaelalonso. I will try to contact them directly with that info you gave me. I prepared a lengthy description of what I was able to find out.
Just so you know: I did go into my production wordpress database and I did run an update statement against the row with the invalid address on it. Basically I removed the entire section that had that website URL. I have not seen any adverse behaviour, although that was just a couple of days ago.
Hopefully they will reply back to us soon.
Thanks for bring this to our attention. To explain what’s happening here, NextGEN used to download a list of donors from Alex Rabe’s site (the original NextGEN developer). This list was display a Donor’s list on the Overview page in wp-admin.
Each time that page was loaded, the list returned was cached as a transient in the user’s database. The list is a key/value pair of the donator’s name and their website. The donor’s website wasn’t published on the user’s front-end at all – it was just used to populate the Donors list on the Overview page in wp-admin.
So, it isn’t really a vulnerability. And it’s not related to any hacks, via NextGEN or otherwise.
When we acquired NextGEN, in one of our first updates, we removed the donors list from the Overview page. However, the transients are still in the database from the last time that page was loaded in the pre-Photocrati era. It’s just now coming to attention because one of the donor websites, haveagraceday.org, was hacked.
This shouldn’t have any negative effect on your sites, though it may show up in any plugins/software used to find potential issues / spam because of the hacked site.
In our next update, we’ll be sure that any of these transients are cleaned up during the update process.
Unfortunately, there’s not much we can do in the meantime. If you’d like to delete the transients yourself, you can do so manually. The easiest way to do so is to install two plugins, Debug Bar and Debug Bar Transients. If these are installed, you can click the the “Debug” menu in the Admin Bar, and from there opt to delete the NextGEN transients.
Let us know if you have other questions or concerns, don’t hesitate to let us know.
Thanks and best,
This is awesome. Thank you very much for the detailed reply.
I actually updated the row in my database and basically nulled out the “option_value” field in WP_OPTIONS. The row is still there, but with no data in the field.
Also – did you get my documentation I entered on your support site? There was something there I think you need to be aware of. If you did NOT, please let me know and we can figure out how you want me to send you what I found.
Once again – thanks!
I’d like to second bowtie6 again. Thanks very much Erick!
I’ll unsuspend my site now that there is no vulnerability. I’ve also removed the transient field data, so it should be safe now.
It’s good to know that there is an active support team that listens to the users!
- The topic ‘[Plugin: NextGEN Gallery] _transient_ngg_request entry in WP_OPTIONS…’ is closed to new replies.