Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Remote unauthenticated SQLi (AV:N/AC:L/PR:N/UI:N); high confidentiality from data exfiltration, limited integrity via injected SQL, no availability impact, scope unchanged within WordPress DB context.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated SQL Injection in Contest Gallery <= 28.1.6 versions.
AnalysisAI
Unauthenticated SQL injection in the Contest Gallery WordPress plugin (versions ≤28.1.6) allows remote attackers to inject arbitrary SQL into backend database queries without credentials or user interaction. The flaw was disclosed by Patchstack and tracked as EUVD-2026-36980; no public exploit identified at time of analysis, but the CVSS 9.3 score and PR:N attack vector make it a high-priority issue for any WordPress site running the plugin.
Technical ContextAI
Contest Gallery is a third-party WordPress plugin (CPE vendor 'wasiliy_strecker') used to run photo and media contests on WordPress sites. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning user-controllable input is concatenated into SQL statements executed against the WordPress MySQL/MariaDB database without proper parameterization or sanitization. Because WordPress plugins execute within the same database context as the core CMS, an injection in a plugin endpoint typically reaches the entire wp_* schema, including users, options, and posts tables.
RemediationAI
No vendor-released patch identified at time of analysis - the only reference points to the Patchstack advisory and does not cite a fixed version, so administrators should monitor https://patchstack.com/database/wordpress/plugin/contest-gallery/vulnerability/wordpress-contest-gallery-plugin-28-1-6-sql-injection-vulnerability and the plugin's wordpress.org page for a release above 28.1.6. Until a fixed version is published, the safest compensating control is to deactivate and remove the Contest Gallery plugin (side effect: any active contests, submission forms, and gallery shortcodes will stop rendering); if removal is not acceptable, place the affected plugin endpoints behind a WAF with SQLi signatures or restrict the contest-gallery URL paths to authenticated administrators via .htaccess or an access-control plugin (side effect: legitimate public contest submissions will be blocked). Subscribing to Patchstack's virtual patching feed is a reasonable interim control if available.
More in Contest Gallery
View allThe Contest Gallery WordPress plugin before 13.1.0.6 does not have capability checks and does not sanitise or escape the
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36980
GHSA-w97c-mw8g-gjf8