PT-2024-16462 · WordPress · Contest Gallery

Khayal Farzaliyev

Published 2024-11-05 · Updated 2026-04-08

CVE-2024-10687

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Contest Gallery plugin for WordPress, all versions up to and including 24.0.3. Some sources list only versions before 24.0.1 as affected; the broader range (up to and including 24.0.3) should be assumed when assessing exposure.
Description

The Contest Gallery plugin for WordPress is vulnerable to time-based (blind) SQL injection via the user-supplied collectedIds parameter. The value is not sufficiently escaped and the existing SQL query is not prepared, so an unauthenticated attacker can append additional SQL to the query that is already being executed. Because the page does not return query output directly, an attacker extracts data by measuring response delays (for example through conditional SLEEP() expressions), which is slower than in-band injection but still yields sensitive information from the database. Exploitation leads to unauthorized data access without any credentials.
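The following is an added illustration of the pattern described above and of its hardened form; it is not code from the Contest Gallery plugin. The function names, the table name `cg_images`, and the assumption that collectedIds arrives as a comma-separated list of numeric IDs are hypothetical. The vulnerable function splices the raw request value into the query text, so a value such as `3) AND SLEEP(5) -- ` becomes part of the SQL; the hardened function reduces every element to an integer and binds it through `$wpdb->prepare()` with one `%d` placeholder per element.

```php
<?php
/*
 * Added example, not the plugin's code. Function names, the cg_images table
 * and the comma-separated-ID format of collectedIds are assumptions.
 */

// Vulnerable pattern: the raw request value is concatenated into the SQL text.
// With $collected_ids = "3) AND SLEEP(5) -- " the WHERE clause becomes
// "WHERE id IN (3) AND SLEEP(5) -- )", i.e. attacker-controlled SQL.
function cg_get_images_unsafe( $collected_ids ) {
    global $wpdb;
    $table = $wpdb->prefix . 'cg_images';                    // hypothetical table
    $sql   = "SELECT id, name FROM {$table} WHERE id IN ({$collected_ids})";
    return $wpdb->get_results( $sql );                       // no escaping, no prepare()
}

// Hardened pattern: whitelist the input shape (positive integers only), then
// bind each value with %d so nothing from the request reaches the SQL text.
function cg_get_images_safe( $collected_ids ) {
    global $wpdb;
    $ids = array_filter(
        array_map( 'intval', explode( ',', (string) $collected_ids ) ),
        function ( $id ) { return $id > 0; }
    );
    if ( empty( $ids ) ) {
        return array();                                      // nothing valid to look up
    }
    $table        = $wpdb->prefix . 'cg_images';
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $sql = $wpdb->prepare(
        "SELECT id, name FROM {$table} WHERE id IN ({$placeholders})",
        ...array_values( $ids )
    );
    return $wpdb->get_results( $sql );
}

// Constructed inputs for comparison:
//   benign: "3,7,12"              -> both functions query ids 3, 7 and 12
//   attack: "3) AND SLEEP(5) -- " -> unsafe: MySQL evaluates SLEEP(5)
//                                    safe:   intval() yields 3, the rest is dropped
```

Note that `$wpdb->prepare()` treats `%` as a placeholder marker, so any literal percent sign in the query text (for example in a LIKE pattern) must be written as `%%`, and LIKE arguments should additionally go through `$wpdb->esc_like()`.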
Recommendations

Update the Contest Gallery plugin for WordPress to the latest available version (any release later than 24.0.3) as soon as possible. If the update cannot be applied immediately, reduce exposure in the meantime: block or rate-limit requests that carry the collectedIds parameter at the web server or WAF, or deactivate the plugin until it is updated. Because the flaw is reachable without authentication, such measures are stopgaps only; the update is the only complete fix.

Fix

Weakness Enumeration

SQL injection

Related Identifiers

CVE-2024-10687

Affected Products

Contest Gallery