[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$ft4fdB5h2P6qb-efatqKo0GtuS_sEBH7JB3vLxX8HIqU":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":30,"research_vulnerable_code":31,"research_fix_diff":32,"research_exploit_outline":33,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":37},"CVE-2026-42657","contest-gallery-upload-vote-photos-media-sell-with-paypal-stripe-missing-authorization-2","Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe \u003C= 28.1.7 - Missing Authorization","The Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 28.1.7. 
This makes it possible for unauthenticated attackers to perform an unauthorized action.","contest-gallery",null,"\u003C=28.1.7","29.0.0","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-04-29 00:00:00","2026-05-04 14:05:28",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F7c2482cc-1717-4fae-b45b-3a1a1ce95fdc?source=api-prod",6,[22,23,24,25],"ajax\u002Fajax-functions-backend.php","ajax\u002Fajax-functions-frontend.php","changelog.txt","check-language-ecommerce.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-42657\n\n## Vulnerability Summary\nThe **Contest Gallery** plugin for WordPress is vulnerable to **Missing Authorization** in its AJAX handlers. Specifically, the function `post_cg_set_frontend_cookie` in `ajax\u002Fajax-functions-frontend.php` is registered for unauthenticated users via `wp_ajax_nopriv_post_cg_set_frontend_cookie` but lacks any nonce verification or capability checks. 
This allows an unauthenticated attacker to set sensitive session cookies (`cg_order`, `contest-gal1ery-{ID}-voting`, `contest-gal1ery-{ID}-upload`) that are used by the plugin to authorize access to orders, voting capabilities, and upload permissions.\n\n## Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `post_cg_set_frontend_cookie`\n- **Authentication**: Unauthenticated (via `wp_ajax_nopriv_`)\n- **Parameters**: \n    - `gid`: The Gallery ID (numeric).\n    - `cgIsUpload`: (Optional) If set, triggers the creation of the upload authorization cookie.\n    - `cgOrderIdHash`: (Optional) If set, triggers the creation of the `cg_order` cookie (used for order access).\n- **Preconditions**: The attacker needs to know a valid Gallery ID (easily found by viewing the site) or an Order ID hash.\n\n## Code Flow\n1","The Contest Gallery plugin for WordPress fails to implement authorization checks or nonce verification on the `post_cg_set_frontend_cookie` AJAX function. 
This allows unauthenticated attackers to programmatically set session cookies that grant unauthorized access to restricted features such as photo uploading, voting, and private order details.","\u002F\u002F ajax\u002Fajax-functions-frontend.php line 105\nadd_action('wp_ajax_nopriv_post_cg_set_frontend_cookie', 'post_cg_set_frontend_cookie');\nadd_action('wp_ajax_post_cg_set_frontend_cookie', 'post_cg_set_frontend_cookie');\nif (!function_exists('post_cg_set_frontend_cookie')) {\n\n    function post_cg_set_frontend_cookie()\n    {\n\n        global $wpdb;\n\n        if (defined('DOING_AJAX') && DOING_AJAX) {\n\n\t\t\tif(!empty($_REQUEST['gid'])){\n            $galeryID = intval(sanitize_text_field($_REQUEST['gid']));\u002F\u002F is gidReal\n\t\t\t}\n\n\t        if(!empty($_POST['cgIsUpload'])){\n\t\t        if(!isset($_COOKIE['contest-gal1ery-'.$galeryID.'-upload'])) {\n\t\t\t        cg_set_cookie($galeryID,'upload');\n\t\t\t        \u002F\u002F thats it cookie is set... after that cookie is available in browser\n\t\t        }\n\t        }elseif(!empty($_POST['cgOrderIdHash'])){\n\t\t        setcookie('cg_order',  cg_hash_function('---cg_order---'.sanitize_text_field($_POST['cgOrderIdHash'])), time() + ( 7 * 24 * 60 * 60), \"\u002F\");\n\t        }else{\n            if(!isset($_COOKIE['contest-gal1ery-'.$galeryID.'-voting'])) {\n                cg_set_cookie($galeryID,'voting');\n                \u002F\u002F thats it cookie is set... 
after that cookie is available in browser\n            }\n\t        }\n\n            exit();\n        } else {\n            exit();\n        }\n    }\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcontest-gallery\u002F28.1.7\u002Fajax\u002Fajax-functions-backend.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcontest-gallery\u002F29.0.0\u002Fajax\u002Fajax-functions-backend.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcontest-gallery\u002F28.1.7\u002Fajax\u002Fajax-functions-backend.php\t2026-04-06 19:43:48.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcontest-gallery\u002F29.0.0\u002Fajax\u002Fajax-functions-backend.php\t2026-04-19 21:25:02.000000000 +0000\n@@ -1,10 +1,60 @@\n \u003C?php\n+if (!function_exists('cg_backend_ajax_error_json')) {\n+    function cg_backend_ajax_error_json($message, $status = 400, $code = 'cg_backend_ajax_error') {\n+        wp_send_json_error(array(\n+            'message' => $message,\n+            'code' => $code\n+        ), $status);\n+    }\n+}\n+\n+if (!function_exists('cg_backend_ajax_require_access_json')) {\n+    function cg_backend_ajax_require_access_json() {\n+        if (!defined('DOING_AJAX') || !DOING_AJAX) {\n+            cg_backend_ajax_error_json('Invalid AJAX request.', 400, 'cg_invalid_ajax_request');\n+        }\n+\n+        if (!is_user_logged_in() || !cg_user_has_backend_access()) {\n+            cg_backend_ajax_error_json('This area can be edited only as administrator, editor or author.', 403, 'cg_missing_rights');\n+        }\n+\n+        $cg_nonce = '';\n+        if (isset($_POST['cg_nonce'])) {\n+            $cg_nonce = sanitize_text_field($_POST['cg_nonce']);\n+        } elseif (isset($_GET['cg_nonce'])) {\n+            $cg_nonce = sanitize_text_field($_GET['cg_nonce']);\n+        }\n+\n+        if (empty($cg_nonce) || 
!wp_verify_nonce($cg_nonce, 'cg_nonce')) {\n+            wp_send_json_error(array(\n+                'message' => 'WP nonce security token not set or not valid anymore.',\n+                'code' => 'cg_nonce_invalid',\n+                'version' => cg_get_version()\n+            ), 403);\n+        }\n+    }\n+}\n+\n+if (!function_exists('cg_backend_ajax_validate_gallery_hash_json')) {\n+    function cg_backend_ajax_validate_gallery_hash_json($GalleryID, $galleryHash) {\n+        $GalleryID = absint($GalleryID);\n+        if (empty($GalleryID) || empty($galleryHash)) {\n+            cg_backend_ajax_error_json('Missing gallery validation data.', 403, 'cg_missing_gallery_hash');\n+        }\n+\n+        $galleryHashToCompare = md5(wp_salt('auth') . '---cngl1---' . $GalleryID);\n+        if ($galleryHash !== $galleryHashToCompare) {\n+            cg_backend_ajax_error_json('Invalid gallery validation data.', 403, 'cg_invalid_gallery_hash');\n+        }\n+    }\n+}\n+\n \u002F\u002F post_cg_get_current_permalinks\n add_action('wp_ajax_post_cg_get_current_permalinks', 'post_cg_get_current_permalinks');\n if (!function_exists('post_cg_get_current_permalinks')) {\n     function post_cg_get_current_permalinks() {\n \n-        cg_check_nonce();\n+        cg_require_backend_access();\n \n         global $wpdb;\n         $tablename = $wpdb->prefix . \"contest_gal1ery\";","The exploit targets the `\u002Fwp-admin\u002Fadmin-ajax.php` endpoint using the `post_cg_set_frontend_cookie` action. An unauthenticated attacker sends a POST request with the `gid` parameter set to a target Gallery ID. To gain upload permissions, they include the `cgIsUpload` parameter. To gain access to a specific order, they include the `cgOrderIdHash` parameter. 
The server responds by setting the corresponding session cookies (`contest-gal1ery-{ID}-upload` or `cg_order`) in the attacker's browser without verifying that the requester is authorized to perform these actions and without requiring a valid nonce.","gemini-3-flash-preview","2026-05-04 17:56:57","2026-05-04 17:58:26",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","28.1.7","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcontest-gallery\u002Ftags\u002F28.1.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcontest-gallery.28.1.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcontest-gallery\u002Ftags\u002F29.0.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcontest-gallery.29.0.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcontest-gallery\u002Ftags"]