Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-03-24
CVE-2026-4021 - Contest Gallery Plugin
The Contest Gallery plugin for WordPress is vulnerable to an authentication bypass leading to admin account takeover in all versions up to, and including, 28.1.5. This is due to the email confirmation handler in `users-registry-check-after-email-or-pin-confirmation.php` using the user's email string in a `WHERE ID = %s` clause instead of the numeric user ID, combined with an unauthenticated key-based login endpoint in `ajax-functions-frontend.php`. When the non-default `RegMailOptional=1` setting is enabled, an attacker can register with a crafted email starting with the target user ID (e.g., `1poc@example.test`), trigger the confirmation flow to…
PLUGIN
Contest Gallery
CVE-2026-4021
Risk Score
Threat Entry
Updated 2026-03-02
CVE-2026-3180 - Contest Gallery Plugin
The Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe plugin for WordPress is vulnerable to blind SQL Injection via the ‘cgLostPasswordEmail’ and the ’cgl_mail’ parameter in all versions up to, and including, 28.1.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The vulnerability's ’cgLostPasswordEmail’ parameter was patched…
PLUGIN
Contest Gallery
CVE-2026-3180
Risk Score
Threat Entry
Updated 2025-11-18
CVE-2025-12849 - Contest Gallery Plugin
The Contest Gallery plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 28.0.2. This is due to the plugin registering the `cg_check_wp_admin_upload_v10` AJAX action for both authenticated and unauthenticated users without implementing capability checks or nonce verification. This makes it possible for unauthenticated attackers to inject arbitrary WordPress media attachments into galleries and manipulate gallery metadata via the `cg_check_wp_admin_upload_v10` action. It does not enable an attacker to move or upload files.
PLUGIN
Contest Gallery
CVE-2025-12849
Risk Score
Threat Entry
Updated 2025-10-06
CVE-2025-10383 - Contest Gallery Plugin
The Contest Gallery – Upload, Vote & Sell with PayPal and Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple form field parameters in all versions up to, and including, 27.0.2. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with author-level access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Contest Gallery
CVE-2025-10383
Risk Score
Threat Entry
Updated 2025-06-04
CVE-2025-3862 - Contest Gallery Plugin
Contest Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 26.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Contest Gallery
CVE-2025-3862
Risk Score
Threat Entry
Updated 2025-03-06
CVE-2025-1513 - Contest Gallery Plugin
The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Name and Comment field when commenting on photo gallery entries in all versions up to, and including, 26.0.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Contest Gallery
CVE-2025-1513
Risk Score
Threat Entry
Updated 2025-04-11
CVE-2024-11103 - Contest Gallery Plugin
The Contest Gallery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 24.0.7. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
PLUGIN
Contest Gallery
CVE-2024-11103
Risk Score
Threat Entry
Updated 2024-11-08
CVE-2024-10687 - Contest Gallery Plugin
The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons plugin for WordPress is vulnerable to time-based SQL Injection via the $collectedIds parameter in all versions up to, and including, 24.0.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Contest Gallery
CVE-2024-10687
Risk Score
Threat Entry
Updated 2025-04-01
CVE-2024-1487 - Contest Gallery Plugin
The Photos and Files Contest Gallery WordPress plugin before 21.3.1 does not sanitize and escape some parameters, which could allow users with a role as low as author to perform Cross-Site Scripting attacks.
PLUGIN
Contest Gallery
CVE-2024-1487
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-24887 - Contest Gallery Plugin
Cross-Site Request Forgery (CSRF) vulnerability in Contest Gallery Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress.This issue affects Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress: from n/a through 21.2.8.4.
PLUGIN
Contest Gallery
CVE-2024-24887
Risk Score
Threat Entry
Updated 2025-04-22
CVE-2023-5307 - Contest Gallery Plugin
The Photos and Files Contest Gallery WordPress plugin before 21.2.8.1 does not sanitise and escape some parameters, which could allow unauthenticated users to perform Cross-Site Scripting attacks via certain headers.
PLUGIN
Contest Gallery
CVE-2023-5307
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-36394 - Contest Gallery Plugin
Authenticated (author+) SQL Injection (SQLi) vulnerability in Contest Gallery plugin
PLUGIN
Contest Gallery
CVE-2022-36394
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-24915 - Contest Gallery Plugin
The Contest Gallery WordPress plugin before 13.1.0.6 does not have capability checks and does not sanitise or escape the cg-search-user-name-original parameter before using it in a SQL statement when exporting users from a gallery, which could allow unauthenticated to perform SQL injections attacks, as well as get the list of all users registered on the blog, including their username and email address
PLUGIN
Contest Gallery
CVE-2021-24915
Risk Score