Description
The Contest Gallery plugin for WordPress is vulnerable to SQL Injection via the 'form_input' parameter in versions up to, and including, 28.1.6. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query inside the unauthenticated 'post_cg_gallery_form_upload' AJAX action (specifically the 'cb' branch of the included users-upload-check.php, where $f_input_id is concatenated unquoted into 'SELECT Field_Content FROM ... WHERE id = $f_input_id'). The endpoint is gated only by a public frontend nonce ('cg1l_action' / 'cg_nonce') that is exposed in the page source of any public gallery page. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2026-05-19
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Contest Gallery plugin for WordPress is vulnerable to SQL injection through the 'form_input' parameter in versions up to 28.1.6. The vulnerability exists because the plugin concatenates the user-supplied value directly into an SQL query inside the unauthenticated 'post_cg_gallery_form_upload' AJAX action, allowing attackers to inject arbitrary SQL. This flaw can lead to extraction of sensitive database contents by unauthenticated users with access to any public gallery page.

Affected Systems

All installations of Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe up to and including version 28.1.6 are affected.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity risk. EPSS is not available, so the likelihood of exploitation cannot be quantified, but the public exposure of the nonce on gallery pages removes authentication barriers, making the attack vector straightforward. The vulnerability is not listed in the CISA KEV catalog. Attackers can craft a malicious 'form_input' value in a request to the 'post_cg_gallery_form_upload' AJAX endpoint, which is reachable through any public gallery page, enabling them to run arbitrary SQL and read or modify database data.

Generated by OpenCVE AI on May 19, 2026 at 13:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Contest Gallery plugin to the latest released version that contains the SQL injection fix.
  • If an update is not immediately available, remove or disable the 'post_cg_gallery_form_upload' AJAX endpoint—e.g., by disabling the plugin or removing the shortcode that triggers the vulnerable action.
  • Ensure that all user-supplied inputs, especially 'form_input', are properly sanitized or passed through prepared statements; review custom code that may interact with the plugin to eliminate similar injection points.
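The concatenation pattern named in the description, placed beside the prepared-statement fix the recommended actions call for. This is an added illustration, not Contest Gallery's code: the table name, the hook and nonce names, and the surrounding helper names are assumptions; only $f_input_id, the 'form_input' parameter and the query shape come from the advisory.

```php
<?php
// Added example, not the plugin's code. Table name, hook names and nonce
// names are assumptions; only $f_input_id and the query shape are from the
// advisory text.

// VULNERABLE PATTERN (as the advisory describes it): the request value is
// concatenated unquoted into the SQL string, so anything that follows the
// number becomes part of the statement.
function cg_example_lookup_vulnerable( $f_input_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_form_fields'; // assumed table name
    $sql   = "SELECT Field_Content FROM {$table} WHERE id = $f_input_id";
    return $wpdb->get_var( $sql );
}

// HARDENED: cast to a positive integer and bind it through $wpdb->prepare(),
// so the value can only ever be a number and cannot change the statement.
function cg_example_lookup_hardened( $raw_input ) {
    global $wpdb;
    $f_input_id = absint( $raw_input );
    if ( 0 === $f_input_id ) {
        return null; // reject anything that is not a positive integer id
    }
    $table = $wpdb->prefix . 'example_form_fields'; // assumed table name
    return $wpdb->get_var(
        $wpdb->prepare( "SELECT Field_Content FROM {$table} WHERE id = %d", $f_input_id )
    );
}

// Handler sketch. A frontend nonce only shows the request came from a page
// that rendered the form; it is not authentication, so the lookup itself
// must be safe regardless of who calls it.
add_action( 'wp_ajax_nopriv_example_form_upload', 'cg_example_handler' );
add_action( 'wp_ajax_example_form_upload', 'cg_example_handler' );
function cg_example_handler() {
    check_ajax_referer( 'example_nonce_action', 'example_nonce' ); // assumed names
    $raw     = isset( $_POST['form_input'] ) ? wp_unslash( $_POST['form_input'] ) : '';
    $content = cg_example_lookup_hardened( $raw );
    if ( null === $content ) {
        wp_send_json_error( 'invalid form input', 400 );
    }
    wp_send_json_success( $content );
}
```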



Advisories

No advisories yet.

History

Tue, 19 May 2026 17:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 19 May 2026 13:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Contest-gallery; Contest-gallery contest Gallery – Upload & Vote Photos, Media, Sell With Paypal & Stripe; Wordpress; Wordpress wordpress
Vendors & Products | | Contest-gallery; Contest-gallery contest Gallery – Upload & Vote Photos, Media, Sell With Paypal & Stripe; Wordpress; Wordpress wordpress

Tue, 19 May 2026 12:30:00 +0000

Type | Values Removed | Values Added
Description | | The Contest Gallery plugin for WordPress is vulnerable to SQL Injection via the 'form_input' parameter in versions up to, and including, 28.1.6. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query inside the unauthenticated 'post_cg_gallery_form_upload' AJAX action (specifically the 'cb' branch of the included users-upload-check.php, where $f_input_id is concatenated unquoted into 'SELECT Field_Content FROM ... WHERE id = $f_input_id'). The endpoint is gated only by a public frontend nonce ('cg1l_action' / 'cg_nonce') that is exposed in the page source of any public gallery page. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title | | Contest Gallery <= 28.1.6 - Unauthenticated SQL Injection
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-19T16:34:12.615Z

Reserved: 2026-05-18T22:16:07.462Z

Link: CVE-2026-8912

Vulnrichment

Updated: 2026-05-19T16:34:09.087Z

NVD

Status : Deferred

Published: 2026-05-19T13:16:20.127

Modified: 2026-05-19T14:38:39.660

Link: CVE-2026-8912

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T13:30:05Z

Weaknesses