Contest Gallery WordPress Plugin SQL Injection Vulnerability

A SQL injection vulnerability has been identified in the Contest Gallery plugin for WordPress, affecting versions through 28.1.6. The issue arises from inadequate escaping of user-supplied data in the 'form_input' parameter, allowing unauthenticated attackers to manipulate SQL queries and potentially access sensitive database information. This vulnerability is exploited through the 'post_cg_gallery_form_upload' AJAX action, where the 'form_input' data is concatenated into an SQL query without proper sanitization. The vulnerability is accessible via a public nonce that can be found in the source code of any public gallery page.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the database queries made by the application. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, send a request to the 'post_cg_gallery_form_upload' AJAX action with a crafted 'form_input' parameter. The 'form_input' data should include SQL injection payloads that exploit the vulnerable SQL query handling. Ensure that the request includes the public nonce 'cg_nonce' to bypass the nonce validation.

Remediation

Users are advised to update the Contest Gallery plugin to version 28.1.7 or later, where this vulnerability has been patched.