Impact
Unauthenticated SQL injection exists in WordPress Contest Gallery plugin versions up to 28.1.6, allowing an attacker to construct arbitrary SQL statements against the database. This can result in reading, modifying, or deleting sensitive data and potentially providing a foothold for further attacks on the website or underlying server. The flaw is categorized as CWE‑89 (SQL Injection).
Affected Systems
The vulnerability affects the WordPress Contest Gallery plugin developed by Wasiliy Strecker, specifically all releases version 28.1.6 and earlier.
Risk and Exploitability
The CVSS score of 9.3 indicates an extremely high severity, and an EPSS score of less than 1% suggests a low current exploitation probability. The issue is not listed in the CISA KEV catalog. The likely attack vector is any unauthenticated user who can send a crafted request to the plugin’s input endpoints; this inference is drawn from the description of unauthenticated SQL injection, implying remote web-based exploitation that could provide direct database access.
OpenCVE Enrichment