Description
Contributor SQL Injection in Contest Gallery <= 30.0.0 versions.
Published: 2026-06-26
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A SQL Injection flaw exists in the Contributor field of the WordPress Contest Gallery plugin versions ≤ 30.0.0. This vulnerability allows an attacker to inject arbitrary SQL statements, potentially exposing sensitive data stored in the WordPress database or causing unauthorized changes to application configuration. The weakness is designated CWE‑89 and could enable attackers to read or modify database contents if they can supply crafted input.

Affected Systems

The affected product is the Contest Gallery plugin for WordPress, developed by Wasiliy Strecker. All releases up to and including version 30.0.0 are vulnerable; sites running 30.0.0 or earlier should treat their installations as at risk. Versions 30.0.1 and later are not affected, as the issue is fixed in that release.

Risk and Exploitability

The CVSS base score of 8.5 categorizes this flaw as high severity. No EPSS data is available and the vulnerability is not listed in KEV. The attack vector is most likely the web application, via the Contributor form or related API endpoints; the CVSS vector on this page (AV:N/PR:L) indicates that network access with low‑privileged credentials is sufficient to execute SQL statements. Exploitation is straightforward with standard SQL injection techniques, and the lack of mitigations in the affected plugin means an attacker could readily obtain database contents without additional privileges.

Generated by OpenCVE AI on June 26, 2026 at 17:36 UTC.

Remediation

Vendor Solution

Update the WordPress Contest Gallery Plugin to the latest available version (at least 30.0.1).


OpenCVE Recommended Actions

  • Apply the latest WordPress Contest Gallery plugin version 30.0.1 or newer to remove the injection point.
  • Review and sanitize existing contributor entries, removing any that may contain malicious SQL payloads or unauthorized data.
  • Deploy a web application firewall rule or input‑validation filter that blocks SQL control characters on the Contributor field as defense in depth until the update is applied; such filters can be bypassed and do not replace the vendor fix.

Generated by OpenCVE AI on June 26, 2026 at 17:36 UTC.


Advisories

No advisories yet.

History

Fri, 26 Jun 2026 20:45:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Wasiliy Strecker; Wasiliy Strecker contest Gallery; Wordpress; Wordpress wordpress

Type: Vendors & Products
  Values Removed: (none)
  Values Added: Wasiliy Strecker; Wasiliy Strecker contest Gallery; Wordpress; Wordpress wordpress

Fri, 26 Jun 2026 17:30:00 +0000

Type: Metrics
  Values Removed: (none)
  Values Added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 15:15:00 +0000

Type: Description
  Values Added: Contributor SQL Injection in Contest Gallery <= 30.0.0 versions.

Type: Title
  Values Added: WordPress Contest Gallery plugin <= 30.0.0 - SQL Injection vulnerability

Type: Weaknesses
  Values Added: CWE-89

Type: References
  Values Added:

Type: Metrics
  Values Added: cvssV3_1
    {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T16:35:43.127Z

Reserved: 2026-06-25T08:03:29.942Z

Link: CVE-2026-57662

Vulnrichment

Updated: 2026-06-26T16:35:38.670Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T20:45:03Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')