XSS Vulnerability in NextGEN Gallery WordPress Plugin

  • Paulio51


    Is it me or does it say that version 1.5.2 is non-vulnerable?

    Can you recreate the vulnerability with the latest version?

    Here is also the Report Timeline which states that Alex Rabe has fixed it.

    9. Report Timeline

    * 2010-03-25: Core Security Technologies notifies Alex Rabe of the vulnerability, offering a draft for this advisory in plaintext or encrypted form (if proper keys are sent). April 5th, 2010, is proposed as a release date.

    * 2010-03-25: Alex Rabe acknowledges Core Security Technologies' e-mail, and asks for the advisory draft in plain text.

    * 2010-03-25: Core Security Technologies sends the advisory draft to Alex Rabe.

    * 2010-03-25: Alex Rabe acknowledges the vulnerability, confirms it for NextGEN Gallery 1.5.0 and 1.5.1, and informs that 1.5.2 (due to be released on March 26th) will contain a fix.

    * 2010-03-26: NextGEN Gallery 1.5.2 is released.

    * 2010-04-06: Advisory CORE-2010-0323 is published.

    Samuel B


    NextGEN has a hole in it. When will it be fixed?

    this was dealt with quite a while back

    Alex Rabe


    Please read the text more carefully; it has been fixed since 1.5.2:

    Sorry for the lack of due diligence on that one. I was in the midst of cleaning up after a nasty cretin hacked about 30 of my WP sites which I had to clean up ASAP. (johnnyA ring a bell?) Had to basically strip and rebuild all of them myself, and it got a little frantic and chaotic. I posted this in the midst of that.

    Note to self – a developer who suggests that we disable core and plugin notifications so the clients don’t see the alert is actually wrong, regardless of him having more experience than myself.

    Moral of the story, Up to date = good. Out of date = bad. Hunches = Often correct.

    Thank you for taking the time to respond to my post.
    I truly appreciate it.
