PT-2026-22660 · WordPress · Contest Gallery – Upload & Vote Photos

Thomas Sanzey · Published 2026-03-02 · Updated 2026-03-30 · CVE-2026-3180

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

The Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe plugin for WordPress, versions through 28.1.4

Description

The plugin is vulnerable to blind SQL injection because user-supplied parameters are not adequately escaped and the existing SQL queries are not sufficiently prepared. Unauthenticated attackers can inject additional SQL into those queries and potentially extract sensitive information from the database. The issue affects the cgLostPasswordEmail and cgl mail parameters. The cgLostPasswordEmail parameter was addressed in version 28.1.4, and the cgl mail parameter was addressed in version 28.1.5.

Recommendations

Update any version prior to 28.1.5. As a temporary workaround, restrict access to the parameters cgLostPasswordEmail and cgl mail.
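
One way to apply the temporary workaround, written as a WordPress must-use plugin. This is an added example, not code from the Contest Gallery plugin or from this advisory. It assumes the second parameter is spelled `cgl_mail`, that both parameters arrive as GET, POST or cookie values holding a single e-mail address, and the `cg_guard_*` / `CG_*` names are hypothetical.

```php
<?php
/**
 * Plugin Name: Contest Gallery parameter guard (added example, temporary workaround)
 *
 * Assumptions: saved under wp-content/mu-plugins/ so it runs before regular
 * plugins; the second parameter is spelled "cgl_mail" (PHP rewrites spaces in
 * incoming names to underscores); each parameter carries one e-mail address.
 */

// Hypothetical names, not part of the Contest Gallery plugin.
const CG_GUARDED_PARAMS = array( 'cgLostPasswordEmail', 'cgl_mail' );
const CG_MAX_EMAIL_LEN  = 254;

/**
 * Strict allowlist: letters, digits and . _ + - before the @, a plain hostname
 * after it. Quotes, whitespace and parentheses never match, so an accepted
 * value cannot close a quoted SQL string.
 */
function cg_guard_value_ok( $value ) {
	if ( ! is_string( $value ) || strlen( $value ) > CG_MAX_EMAIL_LEN ) {
		return false; // arrays (name[]=...) and oversized values are refused
	}
	if ( '' === $value ) {
		return true; // an empty field carries nothing to inject
	}
	return 1 === preg_match( '/\A[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+\z/', $value );
}

/** Returns the name of the first guarded parameter that fails the check, or null. */
function cg_guard_first_violation( array $sources ) {
	foreach ( $sources as $params ) {
		foreach ( CG_GUARDED_PARAMS as $name ) {
			if ( array_key_exists( $name, $params ) && ! cg_guard_value_ok( $params[ $name ] ) ) {
				return $name;
			}
		}
	}
	return null;
}

$cg_violation = cg_guard_first_violation( array( $_GET, $_POST, $_COOKIE ) );
if ( null !== $cg_violation ) {
	// Log the parameter name only; the raw value stays out of the log.
	error_log( 'cg-param-guard: rejected request, parameter ' . $cg_violation );
	status_header( 400 );
	exit;
}
```

The guard only narrows exposure until 28.1.5 is installed, and it rejects legitimate addresses that use characters outside the allowlist.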

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2026-3180

Affected Products

Contest Gallery – Upload & Vote Photos