The H-T Team has published new exploits affecting two plugins by Fredrik Fahlstad: fGallery 2.4.1 and WP-Cal 0.3. Both are vulnerable to remote SQL injection, and earlier versions are likely affected as well.
In the WP-Cal plugin the file editevent.php is vulnerable because the id parameter is not properly sanitised. In the fGallery plugin the file fim_rss.php is vulnerable because the album parameter is not properly sanitised either.
PoCs are available on Milw0rm here and there.
To fix these vulnerabilities you have to change the following lines. For WP-Cal:
$id = $_GET['id'];
$event = $wpdb->get_row("SELECT * FROM $table WHERE id = $id");
To
$id = intval($_GET['id']);
$event = $wpdb->get_row("SELECT * FROM $table WHERE id = $id");
And for fGallery:
$cat = $wpdb->get_row("SELECT * FROM $cats WHERE id = $_GET[album]");
$images = $wpdb->get_results("SELECT * FROM $imgs WHERE cat = $_GET[album] AND status = 'include'");
To
$cat = $wpdb->get_row("SELECT * FROM $cats WHERE id = " . intval($_GET['album']));
$images = $wpdb->get_results("SELECT * FROM $imgs WHERE cat = " . intval($_GET['album']) . " AND status = 'include'");
Further changes may be needed to fix the vulnerability completely.
Currently we’re not aware of any official fixes for these holes.
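The fGallery query reworked as an added example (not code from the post or the plugin): it prints the SQL produced by the vulnerable line, by a fix that wrongly puts intval() inside the string, and by two correct variants. The request value and table name are constructed, and the $wpdb stub only imitates the %d handling of WordPress's real prepare().

```php
<?php
// Added example, not from the original post or the fGallery plugin.
// Shows the SQL produced by the vulnerable line, by a broken fix that
// places intval() inside the string, and by two correct variants.

// Constructed stand-in for $_GET; a real request supplies 'album'.
$get  = ['album' => '7 extra'];
$imgs = 'wp_fim_images'; // assumed table name, for illustration only

// 1) Vulnerable: user input interpolated straight into the SQL string.
function query_vulnerable(array $get, string $imgs): string {
    return "SELECT * FROM $imgs WHERE cat = $get[album] AND status = 'include'";
}

// 2) Broken fix: inside a double-quoted string PHP only interpolates
//    $get[album]; "intval(" and ")" stay literal and no casting happens.
function query_broken_fix(array $get, string $imgs): string {
    return "SELECT * FROM $imgs WHERE cat = intval($get[album]) AND status = 'include'";
}

// 3) Correct: close the string, cast to int, concatenate the result.
function query_fixed(array $get, string $imgs): string {
    return "SELECT * FROM $imgs WHERE cat = " . intval($get['album']) . " AND status = 'include'";
}

// 4) Idiomatic WordPress: $wpdb->prepare() with a %d placeholder.
//    Minimal stand-in so the script runs outside WordPress; it imitates
//    only the %d handling (each argument cast to int) of the real method.
$wpdb = new class {
    public function prepare(string $sql, ...$args): string {
        return vsprintf($sql, array_map('intval', $args));
    }
};
function query_prepared(object $wpdb, array $get, string $imgs): string {
    return $wpdb->prepare("SELECT * FROM $imgs WHERE cat = %d AND status = 'include'", $get['album']);
}

foreach (['vulnerable' => query_vulnerable($get, $imgs),
          'broken fix' => query_broken_fix($get, $imgs),
          'fixed'      => query_fixed($get, $imgs),
          'prepared'   => query_prepared($wpdb, $get, $imgs)] as $label => $sql) {
    printf("%-10s %s\n", $label, $sql);
}
```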
The fix for fGallery is broken, close the string before the intval ;)
Hi
I used to use this plugin, can it be used with wp v2.3.3?
great plugin.