Support » Plugin: WordPress Gallery Plugin - NextGEN Gallery » Wordfence warnings about SQL Injection attacks in NextGen galleries

  • Resolved jamminjames

    (@jamminjames)


    I got this notice from Wordfence about attacks blocked for ‘SQL Injection in query string’ in various NextGen galleries on our site. I’ve read articles saying that NextGen has addressed SQL Injection issues, but since this came up, I thought I’d ask about it. Is this something NextGen needs to fix?

    This is just part of the notice, and the strings are not complete, but you get the idea:

    The Wordfence Web Application Firewall has blocked 788 attacks over the last 10 minutes. Below is a sample of these recent attacks:
    February 2, 2021 12:55pm  177.156.233.191 (Brazil)     Blocked for SQL Injection in query string: q=/more/about-humor-times/1847-humor-times-magazine-covers-gallery1111111111111" UNION SELECT CHAR(45,...
    February 2, 2021 12:55pm  177.156.233.191 (Brazil)     Blocked for SQL Injection in query string: q=/cartoons/chuck-legge-cartoons99999" union select unhex(hex(version())) -- "x"="x
    February 2, 2021 12:55pm  177.156.233.191 (Brazil)     Blocked for SQL Injection in query string: q=/cartoons/al-goodwyn" or (1,2)=(select*from(select name_const(CHAR(97,83,117,89,82,106,83,84,99),1),...
    February 2, 2021 12:55pm  177.156.233.191 (Brazil)     Blocked for SQL Injection in query string: q=/cartoons/chuck-legge-cartoons' or (1,2)=(select*from(select name_const(CHAR(103,70,77,73,83,100,74,...
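Added example, not part of the original post and not Wordfence or NextGEN code: a small triage script for notice lines in the layout quoted above, grouping blocked requests by source IP and recording the parameter, the targeted paths, the quote style tried and a coarse payload family. The line layout regex, the family labels and the sample lines (documentation-range IPs, made-up paths) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the notice's layout (documentation IPs, made-up paths).
SAMPLE = """\
February 2, 2021 12:55pm  203.0.113.7 (Brazil)     Blocked for SQL Injection in query string: q=/cartoons/example-a99999" union select unhex(hex(version())) -- "x"="x
February 2, 2021 12:55pm  203.0.113.7 (Brazil)     Blocked for SQL Injection in query string: q=/cartoons/example-b' or (1,2)=(select*from(select name_const(CHAR(103,70,...
February 2, 2021 12:56pm  203.0.113.7 (Brazil)     Blocked for SQL Injection in query string: q=/more/example-gallery1111111111111" UNION SELECT CHAR(45,...
February 2, 2021 12:57pm  198.51.100.20 (Germany)  Blocked for SQL Injection in query string: q=/cartoons/example-a' or (1,2)=(select*from(select name_const(CHAR(97,83,...
"""

# Assumed layout: "<date> <time>  <ip> (<country>)  Blocked for <rule>: <param>=<value>"
LINE_RE = re.compile(
    r"^(?P<when>\w+ \d{1,2}, \d{4} \d{1,2}:\d{2}[ap]m)\s+"
    r"(?P<ip>[0-9A-Fa-f.:]+) \((?P<country>[^)]*)\)\s+"
    r"Blocked for (?P<rule>.+?): (?P<param>\w+)=(?P<value>.*)$"
)
# Coarse payload families visible in the notice (hypothetical labels); first match wins.
FAMILIES = [
    ("name_const probe", re.compile(r"name_const\s*\(", re.I)),
    ("union select probe", re.compile(r"union\s+select", re.I)),
]
SPLIT_RE = re.compile(r"""['"\s]""")  # first quote/space: where the URL path stops

def parse_line(line):
    # Returns a dict for one notice line, or None if it does not match the layout.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    value = rec.pop("value")
    cut = SPLIT_RE.search(value)
    rec["path"] = value[:cut.start()] if cut else value
    payload = value[cut.start():] if cut else ""
    rec["quote"] = payload[0] if payload[:1] in ("'", '"') else ""
    rec["family"] = next((n for n, rx in FAMILIES if rx.search(payload)), "other")
    return rec

def summarize(text):
    # Groups blocked requests by source IP; unparseable lines are skipped.
    out = defaultdict(lambda: {"hits": 0, "params": set(), "paths": set(),
                               "quotes": set(), "families": set()})
    for rec in filter(None, map(parse_line, text.splitlines())):
        s = out[rec["ip"]]
        s["hits"] += 1
        for key, field in (("params", "param"), ("paths", "path"),
                           ("quotes", "quote"), ("families", "family")):
            s[key].add(rec[field])
    return dict(out)
```

One source cycling through many paths, both quote styles and several payload families on the same parameter is the usual signature of an automated scanner rather than a request aimed at one specific plugin input.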