Contest Gallery
cpe:2.3:a:contest-gallery:contest_gallery:*:*:*:*:wordpress:*:*
- <= 28.0.2
An authorization bypass vulnerability has been identified in the Contest Gallery plugin for WordPress, affecting all versions through 28.0.2. The vulnerability arises because the plugin allows both authenticated and unauthenticated users to access the 'cg_check_wp_admin_upload_v10' AJAX action without proper capability checks or nonce verification. This oversight enables unauthenticated attackers to inject arbitrary media attachments into galleries and alter gallery metadata, although it does not permit moving or uploading files.
Exploitation of this vulnerability allows for unauthorized injection of media attachments into WordPress galleries, with the potential to manipulate associated gallery metadata. However, it does not allow for unauthorized file uploads or movements.
To reproduce this vulnerability, send an AJAX request to the 'wp_ajax_nopriv_cg_check_wp_admin_upload_v10' action. This can be done without authentication, bypassing any user capability requirements. Include the 'cgVersionScripts' POST parameter to trigger the vulnerability. The absence of nonce verification allows this action to be exploited easily by unauthenticated users.
Users are advised to update the Contest Gallery plugin to version 28.0.3 or later, where this vulnerability has been patched.
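A source audit for the pattern described above, added here as an example and not taken from the plugin or from the original advisory: it scans PHP source for `wp_ajax_` and `wp_ajax_nopriv_` hook registrations and flags callbacks that lack a capability check or a nonce check. The sample PHP and the callback names `cg_demo_upload` and `cg_demo_guarded` are constructed for illustration; only the action name and the `cgVersionScripts` parameter come from the advisory.

```python
import re

# WordPress nonce helpers; current_user_can is the capability check.
NONCE_FUNCS = ("check_ajax_referer", "wp_verify_nonce")
HOOK_RE = re.compile(
    r"add_action\(\s*['\"](wp_ajax_(nopriv_)?([\w-]+))['\"]\s*,\s*['\"](\w+)['\"]")

def function_body(src, name):
    """Return the brace-delimited body of PHP function `name`, or None."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:  # naive: ignores braces in strings/comments
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def audit(src):
    """List AJAX hooks whose callback lacks a capability or nonce check."""
    findings = []
    for hook, nopriv, _action, callback in HOOK_RE.findall(src):
        body = function_body(src, callback)
        if body is None:
            continue  # callback is a method, closure, or lives in another file
        cap = "current_user_can" in body
        nonce = any(f in body for f in NONCE_FUNCS)
        if not (cap and nonce):
            findings.append({"hook": hook, "callback": callback,
                             "unauthenticated": bool(nopriv),
                             "capability_check": cap, "nonce_check": nonce})
    return findings

# Constructed sample (hypothetical handlers, not the plugin's source).
SAMPLE = r"""
add_action('wp_ajax_cg_check_wp_admin_upload_v10', 'cg_demo_upload');
add_action('wp_ajax_nopriv_cg_check_wp_admin_upload_v10', 'cg_demo_upload');
add_action('wp_ajax_cg_demo_guarded', 'cg_demo_guarded');
function cg_demo_upload() {
    if (isset($_POST['cgVersionScripts'])) { /* modifies gallery data */ }
    wp_die();
}
function cg_demo_guarded() {
    check_ajax_referer('cg_demo_nonce');
    if (!current_user_can('upload_files')) { wp_die('', '', 403); }
    wp_die();
}
"""
```

Findings with `unauthenticated` set to true are the ones reachable without a login and deserve review first; the text match is a heuristic, so a flagged handler still needs a manual read.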