CVE-2022-4163

Name of the Vulnerable Software and Affected Versions Contest Gallery WordPress plugin versions prior to 19.1.5.1 Contest Gallery Pro WordPress plugin versions prior to 19.1.5.1

Description The issue allows malicious users with at least author privilege to leak sensitive information from the site's database. This is due to the failure to escape the cg deactivate and cg activate POST parameters before concatenating them to an SQL query in 2 deactivate.php and 4 activate.php, respectively.

Recommendations For Contest Gallery WordPress plugin versions prior to 19.1.5.1, update to version 19.1.5.1 or later. For Contest Gallery Pro WordPress plugin versions prior to 19.1.5.1, update to version 19.1.5.1 or later. As a temporary workaround, consider restricting access to the 2 deactivate.php and 4 activate.php files to minimize the risk of exploitation. Avoid using the cg deactivate and cg activate parameters in the affected POST requests until the issue is resolved.