Description
The Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 30.0.2 via the `RegistryUserRole` parameter. This is due to the plugin's admin menu being registered at the `edit_posts` capability level — granting Contributor-level users access to the plugin's admin pages and a valid `cg_admin` nonce — while the option-saving handler in `change-options-and-sizes.php` performs no `current_user_can()` capability check beyond `check_admin_referer('cg_admin')`, and the `RegistryUserRole` value is processed only through `sanitize_text_field()` and `htmlentities()` without restriction to an allowlist of permitted role names. This makes it possible for authenticated attackers, with author-level access and above, to overwrite the plugin's stored `RegistryUserRole` option with `administrator`, which the `cg_create_wp_user_from_google_user` function then reads back from the `contest_gal1ery_registry_and_login_options` database table without any allowlist validation and passes directly to `wp_update_user()`, effectively promoting a newly registered Google sign-in account to Administrator.
Published: 2026-06-17
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an authenticated user with author-level access to overwrite a plugin configuration option, promoting a newly registered Google user account to an administrator. This flaw stems from improper privilege assignment: the plugin registers an admin menu at a lesser capability level, accepts a nonce without checking user capabilities, and accepts the role value without an allowlist. The consequence is that an attacker can gain full site administration rights, enabling arbitrary changes, data exfiltration, or further compromise.

Affected Systems

The affected product is the Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe plugin for WordPress. Versions up to and including 30.0.2 are vulnerable. WordPress sites running any of these plugin releases are at risk.

Risk and Exploitability

The CVSS score of 8.8 classifies the issue as High severity, yet the EPSS score of less than 1% indicates a very low probability of exploitation in the wild. The flaw is not currently listed in CISA’s KEV catalog, but it can be exploited by any authenticated user who can access the plugin’s admin pages. An attacker can submit crafted requests to the option-saving handler, change RegistryUserRole to "administrator", and have that value applied through a user creation routine, thereby achieving full site control.

Generated by OpenCVE AI on June 18, 2026 at 12:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Contest Gallery to the latest available version (greater than 30.0.2) once it includes a fix for the role validation flaw.
  • If an update is unavailable, disable or delete the Contest Gallery plugin to remove the attack surface.
  • Modify the plugin code or apply a custom patch to restrict the RegistryUserRole value to an allowlist of permitted roles before passing it to wp_update_user().

Generated by OpenCVE AI on June 18, 2026 at 12:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Contest-gallery
Contest-gallery contest Gallery – Upload & Vote Photos, Media, Sell With Paypal & Stripe
Wordpress
Wordpress wordpress
Vendors & Products Contest-gallery
Contest-gallery contest Gallery – Upload & Vote Photos, Media, Sell With Paypal & Stripe
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
Description The Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 30.0.2 via the `RegistryUserRole` parameter. This is due to the plugin's admin menu being registered at the `edit_posts` capability level — granting Contributor-level users access to the plugin's admin pages and a valid `cg_admin` nonce — while the option-saving handler in `change-options-and-sizes.php` performs no `current_user_can()` capability check beyond `check_admin_referer('cg_admin')`, and the `RegistryUserRole` value is processed only through `sanitize_text_field()` and `htmlentities()` without restriction to an allowlist of permitted role names. This makes it possible for authenticated attackers, with author-level access and above, to overwrite the plugin's stored `RegistryUserRole` option with `administrator`, which the `cg_create_wp_user_from_google_user` function then reads back from the `contest_gal1ery_registry_and_login_options` database table without any allowlist validation and passes directly to `wp_update_user()`, effectively promoting a newly registered Google sign-in account to Administrator.
Title Contest Gallery <= 30.0.2 - Authenticated (Author+) Privilege Escalation via 'RegistryUserRole' Parameter
Weaknesses CWE-269
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Contest-gallery Contest Gallery – Upload & Vote Photos, Media, Sell With Paypal & Stripe
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-17T10:38:40.424Z

Reserved: 2026-06-12T19:34:12.938Z

Link: CVE-2026-12165

cve-icon Vulnrichment

Updated: 2026-06-17T10:38:37.541Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T12:45:03Z

Weaknesses
  • CWE-269

    Improper Privilege Management