This vulnerability is an improper neutralization of special elements that results in an SQL Injection flaw. Attackers can inject malicious SQL through the Contest Gallery plugin’s inputs, potentially gaining unauthorized access to or altering the database. The weakness is classified as CWE-89, indicating that it stems from a failure to properly escape or bind user-supplied data in SQL queries. The impact is the possibility of data exfiltration, modification, or in some cases, complete compromise of the application’s database, which could undermine site integrity and confidentiality.

WordPress sites that have the Contest Gallery plugin installed with a version matching the vulnerable range. The affected product is the Contest Gallery WordPress plugin, with all releases from unknown earlier versions up to and including 25.1.0 susceptible.

The CVSS base score of 7.6 places this flaw in the high severity band, reflecting a significant potential for damage. The EPSS score of less than 1% suggests that, at present, the likelihood of exploitation is low, and the flaw is not listed in the CISA KEV catalog, reducing the urgency compared to known exploited vulnerabilities. The most likely attack vector is an unauthenticated or lightly authenticated user sending crafted requests to the plugin’s endpoints that contain unsanitized input. If the application runs with a database user that has broad privileges, successful injection could lead to full database compromise.