PT-2026-50255 · Contest Gallery · Contest Gallery – Upload & Vote Photos

Chloe Chamberland +1

Published 2026-06-17 · Updated 2026-06-17

CVE-2026-12165

CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
The Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 30.0.2 via the RegistryUserRole parameter.

The plugin's admin menu is registered at the edit_posts capability level, so Contributor-level users and above can reach the plugin's admin pages and obtain a valid cg_admin nonce. The option-saving handler in change-options-and-sizes.php performs no current_user_can() capability check beyond check_admin_referer('cg_admin'); a nonce check only establishes that the request originated from a page the user could load, it is not an authorization check. The RegistryUserRole value is processed only through sanitize_text_field() and htmlentities(), neither of which rejects the plain string administrator, and it is not restricted to an allowlist of permitted role names.

This makes it possible for authenticated attackers with Author-level access and above to overwrite the plugin's stored RegistryUserRole option with administrator. The cg_create_wp_user_from_google_user function then reads that value back from the contest_gal1ery_registry_and_login_options database table, again without allowlist validation, and passes it directly to wp_update_user(), promoting a newly registered Google sign-in account to Administrator.
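As an added illustration (not the plugin's code and not from the advisory's authors), the PHP below shows a WordPress settings handler in the shape the description gives, beside a hardened version of the same handler, the menu registration, and the consumer that assigns the role at sign-up. All `example_*` function, option, page and nonce names are assumed for the illustration; the WordPress API calls (`add_menu_page()`, `check_admin_referer()`, `current_user_can()`, `sanitize_text_field()`, `sanitize_key()`, `wp_unslash()`, `update_option()`, `get_option()`, `wp_die()`, `wp_update_user()`) are real.

```php
<?php
// Added illustration, not the plugin's code. Names prefixed example_ are assumed.

// --- Menu registration at the capability the description names: edit_posts.
// Every Contributor can load this page and therefore receive the admin nonce.
add_action( 'admin_menu', function () {
    add_menu_page( 'Example Gallery', 'Example Gallery', 'edit_posts',
        'example-gallery', 'example_render_settings_page' );
} );

// --- Vulnerable shape: nonce only, no capability check, no role allowlist.
function example_save_registry_role_vulnerable() {
    // check_admin_referer() proves the request carries a nonce minted for a
    // logged-in user who could load the page. It says nothing about whether
    // that user may change this option.
    check_admin_referer( 'example_admin' );

    $role = htmlentities( sanitize_text_field( wp_unslash( $_POST['RegistryUserRole'] ?? '' ) ) );
    // sanitize_text_field() strips tags and control characters; htmlentities()
    // encodes markup. The string "administrator" passes both unchanged.
    update_option( 'example_registry_user_role', $role );
}

// --- Hardened shape.

// Roles a self-registration flow is ever allowed to hand out. Administrator
// and any role carrying manage_options or edit_users must never appear here.
function example_allowed_registration_roles() {
    return array( 'subscriber', 'contributor' );
}

// Register the settings page for administrators only.
add_action( 'admin_menu', function () {
    add_menu_page( 'Example Gallery', 'Example Gallery', 'manage_options',
        'example-gallery-hardened', 'example_render_settings_page' );
} );

function example_save_registry_role_hardened() {
    check_admin_referer( 'example_admin' );

    // Authorization: changing who new accounts become is an administrator task.
    // This check is the actual fix; the nonce alone is CSRF protection.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ), '', array( 'response' => 403 ) );
    }

    // Role slugs are lowercase [a-z0-9_-]; sanitize_key() normalises to that.
    $role = sanitize_key( wp_unslash( $_POST['RegistryUserRole'] ?? '' ) );

    // Allowlist: accept only explicitly permitted roles, compared strictly.
    if ( ! in_array( $role, example_allowed_registration_roles(), true ) ) {
        wp_die( esc_html__( 'Invalid role.' ), '', array( 'response' => 400 ) );
    }

    update_option( 'example_registry_user_role', $role );
}

// --- Consumer side: validate again before wp_update_user().
// The stored option is data, not a trusted decision. Re-checking it here means
// a tampered value (via this bug, a database edit, or a bad import) cannot
// promote a freshly created social-login account.
function example_assign_role_to_new_social_user( $user_id ) {
    $role = get_option( 'example_registry_user_role', 'subscriber' );

    if ( ! in_array( $role, example_allowed_registration_roles(), true ) ) {
        $role = 'subscriber';
    }

    wp_update_user( array( 'ID' => (int) $user_id, 'role' => $role ) );
}

function example_render_settings_page() {
    echo '<div class="wrap"><h1>Example Gallery</h1></div>';
}
```

The capability check in the handler and the `manage_options` capability on the menu registration are the primary fix: with the page restricted, a Contributor never receives the nonce in the first place, and even a user who obtains one cannot pass `current_user_can()`. The allowlist on both the write side and the read side is defence in depth, so that whatever ends up in the options table, only a pre-approved role can reach `wp_update_user()`.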

Weakness Enumeration

Improper Privilege Management (CWE-269)

Related Identifiers

CVE-2026-12165

Affected Products

Contest Gallery – Upload & Vote Photos