Skip to main content

Contest Gallery

36 CVEs product

Monthly

CVE-2026-42660 MEDIUM This Month

Sensitive data exposure in the Contest Gallery WordPress plugin (versions <= 28.1.7) allows authenticated subscribers to access confidential information they are not authorized to view. The vulnerability stems from insufficient access control over data retrieval endpoints within the plugin, permitting low-privileged WordPress users to read sensitive data with high confidentiality impact. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the low complexity and remote exploitability make it a credible risk for WordPress sites with open subscriber registration.

Information Disclosure Contest Gallery
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-42657 MEDIUM This Month

Unauthenticated integrity-impacting input validation failure in the Contest Gallery WordPress plugin affects all versions up to and including 28.1.7, allowing network-accessible attackers with no privileges to perform unauthorized write-class operations against the plugin. The CVSS vector confirms the unauthenticated, low-complexity attack path (AV:N/AC:L/PR:N/UI:N) with low integrity impact and unchanged scope. No public exploit code and no CISA KEV listing have been identified at time of analysis, placing this in a monitor-and-patch posture rather than emergency response.

Information Disclosure Contest Gallery
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-42656 MEDIUM This Month

Cross-site scripting in the Contest Gallery WordPress plugin (versions <= 28.1.6) can be triggered by a subscriber-level authenticated user, injecting malicious scripts that execute in the browsers of higher-privileged users such as administrators. The CVSS Scope:Changed metric confirms the payload escapes the subscriber's privilege boundary and impacts other user sessions. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity and broad WordPress ecosystem deployment surface make this a meaningful risk for any site accepting subscriber registrations.

XSS Contest Gallery
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-40771 CRITICAL Act Now

Unauthenticated SQL injection in the Contest Gallery WordPress plugin (versions ≤28.1.6) allows remote attackers to inject arbitrary SQL into backend database queries without credentials or user interaction. The flaw was disclosed by Patchstack and tracked as EUVD-2026-36980; no public exploit identified at time of analysis, but the CVSS 9.3 score and PR:N attack vector make it a high-priority issue for any WordPress site running the plugin.

SQLi Contest Gallery
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-25035 CRITICAL Act Now

Contest Gallery through version 28.1.2.2 contains an authentication bypass vulnerability that allows unauthenticated remote attackers to abuse alternate authentication paths and gain unauthorized access to the application. With a CVSS score of 9.8 and no patch currently available, this critical vulnerability poses an immediate risk to all affected installations.

Authentication Bypass Contest Gallery
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-24964 MEDIUM This Month

A Server-Side Request Forgery (SSRF) vulnerability exists in Contest Gallery, a WordPress plugin developed by Wasiliy Strecker, affecting versions up to and including 28.1.2.1. This vulnerability allows attackers to abuse the affected application to make unauthorized requests to internal or external systems, potentially leading to information disclosure, internal network reconnaissance, or attacks against backend services. The vulnerability was reported by Patchstack and tracked under EUVD-2026-15576; however, no CVSS score, EPSS data, or confirmed active exploitation status is currently available, limiting the ability to assess immediate severity.

SSRF Contest Gallery
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-3862 MEDIUM PATCH This Month

Contest Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 26.0.6 due to insufficient input sanitization and output. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Contest Gallery PHP
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2025-1513 HIGH PATCH This Week

The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery - Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons plugin for WordPress is vulnerable to Stored. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Contest Gallery PHP
NVD
CVSS 3.1
7.2
EPSS
0.5%
CVE-2024-11103 CRITICAL PATCH Act Now

The Contest Gallery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 24.0.7. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Privilege Escalation WordPress Contest Gallery
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2024-10687 CRITICAL PATCH Act Now

The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery - Upload, Vote, Sell via PayPal, Social Share Buttons plugin for WordPress is vulnerable to time-based SQL Injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SQLi WordPress Contest Gallery
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-1487 MEDIUM This Month

The Photos and Files Contest Gallery WordPress plugin before 21.3.1 does not sanitize and escape some parameters, which could allow users with a role as low as author to perform Cross-Site Scripting. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS Contest Gallery
NVD WPScan
CVSS 3.1
5.4
EPSS
0.4%
CVE-2024-24887 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Contest Gallery Photos and Files Contest Gallery - Contact Form, Upload Form, Social Share and Voting Plugin for WordPress.2.8.4. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF Contest Gallery
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2023-5307 MEDIUM POC This Month

The Photos and Files Contest Gallery WordPress plugin before 21.2.8.1 does not sanitise and escape some parameters, which could allow unauthenticated users to perform Cross-Site Scripting attacks via. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Contest Gallery
NVD WPScan
CVSS 3.1
6.1
EPSS
0.5%
CVE-2023-28784 MEDIUM This Month

Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Contest Gallery
NVD
CVSS 3.1
6.1
EPSS
0.4%
CVE-2022-4166 MEDIUM POC This Month

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the addCountS POST parameter before concatenating it to an SQL query in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress Contest Gallery
NVD WPScan
CVSS 3.1
6.5
EPSS
0.9%
CVE-2022-4165 MEDIUM POC This Month

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_order POST parameter before concatenating it to an SQL query in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress Contest Gallery
NVD WPScan
CVSS 3.1
6.5
EPSS
0.9%
CVE-2022-4164 MEDIUM POC This Month

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_multiple_files_for_post POST parameter before concatenating it to an. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress Contest Gallery
NVD WPScan
CVSS 3.1
6.5
EPSS
0.9%
CVE-2022-4163 MEDIUM POC This Month

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_deactivate and cg_activate POST parameters before concatenating it to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress Contest Gallery
NVD WPScan
CVSS 3.1
6.5
EPSS
0.9%
CVE-2022-4162 MEDIUM POC This Month

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_row POST parameter before concatenating it to an SQL query in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress Contest Gallery
NVD WPScan
CVSS 3.1
6.5
EPSS
0.9%
CVE-2022-4161 MEDIUM POC This Month

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_copy_start POST parameter before concatenating it to an SQL query in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi WordPress Contest Gallery
NVD WPScan
CVSS 3.1
6.5
EPSS
0.9%
CVE-2022-4160 MEDIUM POC This Month

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_copy_id POST parameter before concatenating it to an SQL query in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress Contest Gallery
NVD WPScan
CVSS 3.1
6.5
EPSS
0.9%
CVE-2022-4159 MEDIUM POC This Month

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_id POST parameter before concatenating it to an SQL query in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress Contest Gallery
NVD WPScan
CVSS 3.1
6.5
EPSS
0.9%
CVE-2022-4158 HIGH POC This Week

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_Fields POST parameter before concatenating it to an SQL query in. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress Contest Gallery
NVD WPScan
CVSS 3.1
7.5
EPSS
0.9%
CVE-2022-4157 MEDIUM POC This Month

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_option_id POST parameter before concatenating it to an SQL query in. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress Contest Gallery
NVD WPScan
CVSS 3.1
4.9
EPSS
0.9%
CVE-2022-4156 HIGH POC This Week

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the user_id POST parameter before concatenating it to an SQL query in. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress Contest Gallery
NVD WPScan
CVSS 3.1
7.5
EPSS
0.9%
CVE-2022-4155 MEDIUM POC This Month

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the wp_user_id GET parameter before concatenating it to an SQL query in. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress Contest Gallery
NVD WPScan
CVSS 3.1
4.9
EPSS
0.8%
CVE-2022-4154 MEDIUM POC This Month

The Contest Gallery Pro WordPress plugin before 19.1.5 does not escape the wp_user_id GET parameter before concatenating it to an SQL query in management-show-user.php. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress Contest Gallery
NVD WPScan
CVSS 3.1
4.9
EPSS
0.9%
CVE-2022-4153 MEDIUM POC This Month

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the upload[] POST parameter before concatenating it to an SQL query in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress Contest Gallery
NVD WPScan
CVSS 3.1
6.5
EPSS
0.9%
CVE-2022-4152 MEDIUM POC This Month

The Contest Gallery WordPress plugin before 19.1.5, Contest Gallery Pro WordPress plugin before 19.1.5 do not escape the option_id POST parameter before concatenating it to an SQL query in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress Contest Gallery
NVD WPScan
CVSS 3.1
6.5
EPSS
0.9%
CVE-2022-4151 MEDIUM POC This Month

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the option_id GET parameter before concatenating it to an SQL query in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi WordPress Contest Gallery
NVD WPScan
CVSS 3.1
6.5
EPSS
0.9%
CVE-2022-4150 MEDIUM POC This Month

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the option_id POST parameter before concatenating it to an SQL query in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress Contest Gallery
NVD WPScan
CVSS 3.1
6.5
EPSS
0.9%
CVE-2022-45848 MEDIUM This Month

Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress XSS Contest Gallery
NVD
CVSS 3.1
6.1
EPSS
0.4%
CVE-2022-36394 HIGH This Week

Authenticated (author+) SQL Injection (SQLi) vulnerability in Contest Gallery plugin <= 17.0.4 at WordPress. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress SQLi Contest Gallery
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2022-27853 MEDIUM This Month

Authenticated (author or higher role) Stored Cross-Site Scripting (XSS) in Contest Gallery (WordPress plugin) <= 13.1.0.9. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS WordPress Contest Gallery
NVD
CVSS 3.1
4.8
EPSS
0.5%
CVE-2021-24915 CRITICAL POC THREAT Act Now

The Contest Gallery WordPress plugin before 13.1.0.6 does not have capability checks and does not sanitise or escape the cg-search-user-name-original parameter before using it in a SQL statement when. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Contest Gallery
NVD GitHub WPScan
CVSS 3.1
9.8
EPSS
12.7%
CVE-2019-5974 HIGH This Week

Cross-site request forgery (CSRF) vulnerability in Contest Gallery versions prior to 10.4.5 allows remote attackers to hijack the authentication of administrators via unspecified vectors. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Contest Gallery
NVD
CVSS 3.0
8.8
EPSS
1.0%
EPSS 0% CVSS 6.5
MEDIUM This Month

Sensitive data exposure in the Contest Gallery WordPress plugin (versions <= 28.1.7) allows authenticated subscribers to access confidential information they are not authorized to view. The vulnerability stems from insufficient access control over data retrieval endpoints within the plugin, permitting low-privileged WordPress users to read sensitive data with high confidentiality impact. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the low complexity and remote exploitability make it a credible risk for WordPress sites with open subscriber registration.

Information Disclosure Contest Gallery
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated integrity-impacting input validation failure in the Contest Gallery WordPress plugin affects all versions up to and including 28.1.7, allowing network-accessible attackers with no privileges to perform unauthorized write-class operations against the plugin. The CVSS vector confirms the unauthenticated, low-complexity attack path (AV:N/AC:L/PR:N/UI:N) with low integrity impact and unchanged scope. No public exploit code and no CISA KEV listing have been identified at time of analysis, placing this in a monitor-and-patch posture rather than emergency response.

Information Disclosure Contest Gallery
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Cross-site scripting in the Contest Gallery WordPress plugin (versions <= 28.1.6) can be triggered by a subscriber-level authenticated user, injecting malicious scripts that execute in the browsers of higher-privileged users such as administrators. The CVSS Scope:Changed metric confirms the payload escapes the subscriber's privilege boundary and impacts other user sessions. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity and broad WordPress ecosystem deployment surface make this a meaningful risk for any site accepting subscriber registrations.

XSS Contest Gallery
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated SQL injection in the Contest Gallery WordPress plugin (versions ≤28.1.6) allows remote attackers to inject arbitrary SQL into backend database queries without credentials or user interaction. The flaw was disclosed by Patchstack and tracked as EUVD-2026-36980; no public exploit identified at time of analysis, but the CVSS 9.3 score and PR:N attack vector make it a high-priority issue for any WordPress site running the plugin.

SQLi Contest Gallery
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Contest Gallery through version 28.1.2.2 contains an authentication bypass vulnerability that allows unauthenticated remote attackers to abuse alternate authentication paths and gain unauthorized access to the application. With a CVSS score of 9.8 and no patch currently available, this critical vulnerability poses an immediate risk to all affected installations.

Authentication Bypass Contest Gallery
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

A Server-Side Request Forgery (SSRF) vulnerability exists in Contest Gallery, a WordPress plugin developed by Wasiliy Strecker, affecting versions up to and including 28.1.2.1. This vulnerability allows attackers to abuse the affected application to make unauthorized requests to internal or external systems, potentially leading to information disclosure, internal network reconnaissance, or attacks against backend services. The vulnerability was reported by Patchstack and tracked under EUVD-2026-15576; however, no CVSS score, EPSS data, or confirmed active exploitation status is currently available, limiting the ability to assess immediate severity.

SSRF Contest Gallery
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

Contest Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 26.0.6 due to insufficient input sanitization and output. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Contest Gallery +1
NVD
EPSS 1% CVSS 7.2
HIGH PATCH This Week

The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery - Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons plugin for WordPress is vulnerable to Stored. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Contest Gallery +1
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

The Contest Gallery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 24.0.7. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Privilege Escalation WordPress Contest Gallery
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery - Upload, Vote, Sell via PayPal, Social Share Buttons plugin for WordPress is vulnerable to time-based SQL Injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SQLi WordPress Contest Gallery
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

The Photos and Files Contest Gallery WordPress plugin before 21.3.1 does not sanitize and escape some parameters, which could allow users with a role as low as author to perform Cross-Site Scripting. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS Contest Gallery
NVD WPScan
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Contest Gallery Photos and Files Contest Gallery - Contact Form, Upload Form, Social Share and Voting Plugin for WordPress.2.8.4. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF Contest Gallery
NVD
EPSS 1% CVSS 6.1
MEDIUM POC This Month

The Photos and Files Contest Gallery WordPress plugin before 21.2.8.1 does not sanitise and escape some parameters, which could allow unauthenticated users to perform Cross-Site Scripting attacks via. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Contest Gallery
NVD WPScan
EPSS 0% CVSS 6.1
MEDIUM This Month

Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Contest Gallery
NVD
EPSS 1% CVSS 6.5
MEDIUM POC This Month

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the addCountS POST parameter before concatenating it to an SQL query in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress +1
NVD WPScan
EPSS 1% CVSS 6.5
MEDIUM POC This Month

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_order POST parameter before concatenating it to an SQL query in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress +1
NVD WPScan
EPSS 1% CVSS 6.5
MEDIUM POC This Month

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_multiple_files_for_post POST parameter before concatenating it to an. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress +1
NVD WPScan
EPSS 1% CVSS 6.5
MEDIUM POC This Month

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_deactivate and cg_activate POST parameters before concatenating it to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress +1
NVD WPScan
EPSS 1% CVSS 6.5
MEDIUM POC This Month

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_row POST parameter before concatenating it to an SQL query in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress +1
NVD WPScan
EPSS 1% CVSS 6.5
MEDIUM POC This Month

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_copy_start POST parameter before concatenating it to an SQL query in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi WordPress +1
NVD WPScan
EPSS 1% CVSS 6.5
MEDIUM POC This Month

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_copy_id POST parameter before concatenating it to an SQL query in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress +1
NVD WPScan
EPSS 1% CVSS 6.5
MEDIUM POC This Month

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_id POST parameter before concatenating it to an SQL query in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress +1
NVD WPScan
EPSS 1% CVSS 7.5
HIGH POC This Week

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_Fields POST parameter before concatenating it to an SQL query in. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress +1
NVD WPScan
EPSS 1% CVSS 4.9
MEDIUM POC This Month

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_option_id POST parameter before concatenating it to an SQL query in. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress +1
NVD WPScan
EPSS 1% CVSS 7.5
HIGH POC This Week

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the user_id POST parameter before concatenating it to an SQL query in. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress +1
NVD WPScan
EPSS 1% CVSS 4.9
MEDIUM POC This Month

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the wp_user_id GET parameter before concatenating it to an SQL query in. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress +1
NVD WPScan
EPSS 1% CVSS 4.9
MEDIUM POC This Month

The Contest Gallery Pro WordPress plugin before 19.1.5 does not escape the wp_user_id GET parameter before concatenating it to an SQL query in management-show-user.php. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress +1
NVD WPScan
EPSS 1% CVSS 6.5
MEDIUM POC This Month

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the upload[] POST parameter before concatenating it to an SQL query in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress +1
NVD WPScan
EPSS 1% CVSS 6.5
MEDIUM POC This Month

The Contest Gallery WordPress plugin before 19.1.5, Contest Gallery Pro WordPress plugin before 19.1.5 do not escape the option_id POST parameter before concatenating it to an SQL query in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress +1
NVD WPScan
EPSS 1% CVSS 6.5
MEDIUM POC This Month

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the option_id GET parameter before concatenating it to an SQL query in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi WordPress +1
NVD WPScan
EPSS 1% CVSS 6.5
MEDIUM POC This Month

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the option_id POST parameter before concatenating it to an SQL query in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress +1
NVD WPScan
EPSS 0% CVSS 6.1
MEDIUM This Month

Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress XSS Contest Gallery
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Authenticated (author+) SQL Injection (SQLi) vulnerability in Contest Gallery plugin <= 17.0.4 at WordPress. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress SQLi Contest Gallery
NVD
EPSS 1% CVSS 4.8
MEDIUM This Month

Authenticated (author or higher role) Stored Cross-Site Scripting (XSS) in Contest Gallery (WordPress plugin) <= 13.1.0.9. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS WordPress Contest Gallery
NVD
EPSS 13% CVSS 9.8
CRITICAL POC THREAT Act Now

The Contest Gallery WordPress plugin before 13.1.0.6 does not have capability checks and does not sanitise or escape the cg-search-user-name-original parameter before using it in a SQL statement when. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Contest Gallery
NVD GitHub WPScan
EPSS 1% CVSS 8.8
HIGH This Week

Cross-site request forgery (CSRF) vulnerability in Contest Gallery versions prior to 10.4.5 allows remote attackers to hijack the authentication of administrators via unspecified vectors. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Contest Gallery
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy