Today's release contains a couple of fixes to the plugin, including a minor security update, better ZIP upload handling and other image upload adjustments.
Here at Photocrati/NextGEN Gallery we take security extremely seriously. If you believe you see a potential security vulnerability, please get in touch with us immediately.
As you can see, we fix security issues as fast as humanly possible.
We strongly recommend updating NextGEN Gallery using the auto updater.
Backup Before Upgrading
Please consider backing up your site (both server files & MySQL Database) whenever updating plugins. Here are some backup recommendations.
Instructions
Download NextGEN Gallery from WordPress.org or visit the Plugin page in your WordPress admin area to utilize the auto-update feature.
Changes in 2.1.15:
- Secured: Image uploads
- Fixed: Don't use esc_attr_e() to prevent translation issues
- Fixed: Ensure that deleting a gallery doesn't delete anything it shouldn't
- Fixed: get_gallery_abspath() should return NULL if the path doesn't exist
For the history of changes, view the full changelog.
Jack
11 Sep 2015
Hi Scott,
Good to see that NG is actively being developed 🙂
About the security, I remember mailing about the fact that the original sized images can be downloaded by anyone knowing the path to the images (and anyone using NG does). Was that fixed already? I’m working on the e-commerce part of my site now and need to know this.
Scott
11 Sep 2015
Original backups cannot be downloaded even if the URL is present due to .htaccess blocks. However, the front end displayed can be downloaded with the URL as there is no true way to block that and still have the images public. If you have thoughts on that please email the support team with them.
Jack
12 Sep 2015
The smaller versions on the front end are no problem. We want visitors to be able to see the images 🙂 If the larger images are blocked that’s fine :).