PT-2026-41885 · WordPress · Contest Gallery

Leonid Semenenko · Published 2026-05-19 · Updated 2026-05-19 · CVE-2026-8912

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Contest Gallery versions prior to 28.1.7

Description: The Contest Gallery plugin for WordPress contains a SQL Injection flaw. The unauthenticated 'post cg gallery form upload' AJAX action fails to properly escape the form input parameter and does not sufficiently prepare the SQL query in the 'cb' branch of the users-upload-check.php file, where the $f input id variable is concatenated unquoted into a SELECT statement. The endpoint is protected only by a public frontend nonce (cg1l action / cg nonce) that is visible in the page source of public gallery pages, so the nonce does not restrict who can call the action. This allows unauthenticated attackers to append malicious SQL queries to extract sensitive information from the database.

Recommendations: Update to a version later than 28.1.6. As a temporary workaround, restrict access to the 'post cg gallery form upload' AJAX action or avoid using the form input parameter until the update is applied.
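To illustrate the defect class described above (an unquoted request value concatenated into a SELECT behind only a public nonce), the following is an added, hypothetical PHP sketch and not the Contest Gallery plugin's own code; it places the vulnerable pattern beside a hardened handler that validates the id, binds it with $wpdb->prepare(), and checks a capability. The function names, the 'input_id' parameter, the nonce action and the cg_galleries table are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Assumes a WordPress environment
// where $wpdb is the global database object; 'cg_galleries', 'input_id' and
// 'cg_example_nonce' are hypothetical names chosen for this example.

// VULNERABLE pattern: the request parameter is dropped into the query text
// unquoted and unprepared, so whatever string reaches $_POST['input_id']
// becomes part of the SQL statement itself.
function cg_example_vulnerable_lookup() {
    global $wpdb;
    $input_id = $_POST['input_id'];                   // untrusted, unvalidated
    $sql = "SELECT id, name FROM {$wpdb->prefix}cg_galleries WHERE id = " . $input_id;
    return $wpdb->get_results( $sql );                // raw query, no preparation
}

// HARDENED pattern: coerce the value to an integer, bind it through a %d
// placeholder so attacker-controlled text never reaches the SQL parser, and
// require a capability instead of relying on a nonce alone.
function cg_example_hardened_lookup() {
    global $wpdb;

    // A nonce proves the request came from a form this site rendered; it is
    // not authorisation, and a nonce printed on public pages is known to anyone.
    check_ajax_referer( 'cg_example_nonce', 'cg_nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // absint() yields a non-negative integer; treat zero/missing as invalid.
    $input_id = isset( $_POST['input_id'] ) ? absint( wp_unslash( $_POST['input_id'] ) ) : 0;
    if ( 0 === $input_id ) {
        wp_send_json_error( 'invalid id', 400 );
    }

    $sql = $wpdb->prepare(
        "SELECT id, name FROM {$wpdb->prefix}cg_galleries WHERE id = %d",
        $input_id
    );
    return $wpdb->get_results( $sql );
}

// Registering the handler on the wp_ajax_nopriv_ hook is what exposes it to
// unauthenticated callers; register only the authenticated hook unless the
// feature genuinely needs anonymous access.
add_action( 'wp_ajax_cg_example_lookup', 'cg_example_hardened_lookup' );
```

The %d placeholder is the right choice only because the column is numeric; a string column would use %s, which $wpdb->prepare() quotes and escapes itself.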

Fix

Weakness Enumeration: SQL injection

Related Identifiers: CVE-2026-8912

Affected Products: Contest Gallery