[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f54T36NEWCbJxt3RqA0uHnAUeyUQAnGKQs-s3tJfGQPg":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-40771","contest-gallery-upload-vote-photos-media-sell-with-paypal-stripe-unauthenticated-sql-injection","Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe \u003C= 28.1.6 - Unauthenticated SQL Injection","The Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 28.1.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. 
This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","contest-gallery",null,"\u003C=28.1.6","28.1.7","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-04-21 00:00:00","2026-04-30 14:56:53",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F768d0d53-8724-4598-ae73-305225b52633?source=api-prod",10,[22,23,24,25,26,27,28,29],"changelog.txt","functions\u002Fgeneral\u002Fcg-general-functions.php","functions\u002Fgeneral\u002Fcg-get-version.php","index.php","readme.txt","v10\u002Fv10-frontend\u002Fdata\u002Frating\u002Frate-picture-five-star.php","v10\u002Fv10-frontend\u002Fdata\u002Frating\u002Frate-picture-one-star.php","v10\u002Fv10-frontend\u002Fload-data-ajax.php","researched",false,3,"frontend.php` via a query.\n\n    *   Okay, let's assume the vulnerability is in an AJAX action named `cg_load_entries`.\n        The parameter is `orderBy`.\n        Payload: `action=cg_load_entries&orderBy=ID AND (SELECT 1 FROM (SELECT SLEEP(5))x)`\n\n    *   Wait, I found a more likely candidate.\n        The plugin has a `cg_get_images_data` AJAX action.\n        In `28.1.6`, it might be using `$_POST['picture_id']` or similar.\n\n    *   Wait! I found it. The vulnerability is in the handling of the `galleryIDuser` or `realGid` in some specific context where it is NOT `absint`ed.\n        Wait, look at `v10\u002Fv10-frontend\u002Fload-data-ajax.php` again.\n        Line 118:\n        ```php\n        $fromCommentsWpUserIdsQueryResults = $wpdb->get_results( \"SELECT DISTINCT WpUserId FROM $tablenameComments WHERE WpUserId > 0 AND GalleryID = $galeryID\");\n        ```\n        Wait... 
what if `$galeryID` is NOT the only thing in that query?\n        No, that query looks very specific.\n\n    *   Let's look for `wp_ajax_nopriv` in `ajax-functions-frontend.php`.\n        One very common action is `","The Contest Gallery plugin for WordPress is vulnerable to unauthenticated SQL Injection via the 'contest-gal1ery-[ID]-voting' cookie in the rating scripts (e.g., rate-picture-five-star.php). The plugin directly concatenates the cookie's value into SQL queries without sanitization or preparation, allowing attackers to extract sensitive data or perform unauthorized database operations.","\u002F\u002F v10\u002Fv10-frontend\u002Fdata\u002Frating\u002Frate-picture-five-star.php line 493\n    $CookieId = '';\n    if(isset($_COOKIE['contest-gal1ery-'.$galeryID.'-voting']) && $options['general']['CheckCookie'] == 1) {\n        $CookieId = $_COOKIE['contest-gal1ery-'.$galeryID.'-voting'];\n    }\n\n---\n\n\u002F\u002F v10\u002Fv10-frontend\u002Fdata\u002Frating\u002Frate-picture-five-star.php line 718\n     }elseif ($CheckCookie == 1 && $CheckIp != 1){\n        if(isset($_COOKIE['contest-gal1ery-'.$galeryID.'-voting'])) {\n            $lastVotedIpRow = $wpdb->get_row( \"SELECT id, Rating FROM $tablenameIP WHERE Rating >= '1' && CookieId = '$CookieId' && GalleryID = '$galeryID' && pid = '$pictureID' ORDER BY id DESC LIMIT 1\" );\n            $countUserVotesForImage = $wpdb->get_var( \"SELECT COUNT(*) AS NumberOfRows FROM $tablenameIP WHERE Rating >= '1' && CookieId = '$CookieId' && GalleryID = '$galeryID' && pid = '$pictureID'\" );\n        }\n     }","diff -ru \u002Fv10\u002Fv10-frontend\u002Fdata\u002Frating\u002Frate-picture-five-star.php \u002Fv10\u002Fv10-frontend\u002Fdata\u002Frating\u002Frate-picture-five-star.php\n--- \u002Fv10\u002Fv10-frontend\u002Fdata\u002Frating\u002Frate-picture-five-star.php\n+++ \u002Fv10\u002Fv10-frontend\u002Fdata\u002Frating\u002Frate-picture-five-star.php\n@@ -455,10 +455,10 @@\n         }\n \n     }\n-    $CookieId = '';\n 
    if($CheckCookie==1) {\n-        if(!isset($_COOKIE['contest-gal1ery-'.$galeryID.'-voting'])) {\n+        $CookieId = cg_get_valid_frontend_cookie($galeryID,'voting');\n+        if(empty($CookieId)) {\n             $cookieValue = cg_set_cookie($galeryID,'voting');\n             ?>\n             \u003Cscript data-cg-processing=\"true\">\n@@ -715,17 +711,49 @@\n             $countUserVotesForImage = $wpdb->get_var( \"SELECT COUNT(*) AS NumberOfRows FROM $tablenameIP WHERE Rating >= '1' && WpUserId = '$wpUserId' && GalleryID = '$galeryID' && pid = '$pictureID'\" );\n         }\n      }elseif ($CheckCookie == 1 && $CheckIp != 1){\n-        if(isset($_COOKIE['contest-gal1ery-'.$galeryID.'-voting'])) {\n-            $lastVotedIpRow = $wpdb->get_row( \"SELECT id, Rating FROM $tablenameIP WHERE Rating >= '1' && CookieId = '$CookieId' && GalleryID = '$galeryID' && pid = '$pictureID' ORDER BY id DESC LIMIT 1\" );\n-            $countUserVotesForImage = $wpdb->get_var( \"SELECT COUNT(*) AS NumberOfRows FROM $tablenameIP WHERE Rating >= '1' && CookieId = '$CookieId' && GalleryID = '$galeryID' && pid = '$pictureID'\" );\n+        if(!empty($CookieId)) {\n+            $lastVotedIpRow = $wpdb->get_row($wpdb->prepare(\n+                \"SELECT id, Rating FROM $tablenameIP WHERE Rating >= %d AND CookieId = %s AND GalleryID = %d AND pid = %d ORDER BY id DESC LIMIT 1\",\n+                1,\n+                $CookieId,\n+                $galeryID,\n+                $pictureID\n+            ));\n+            $countUserVotesForImage = $wpdb->get_var($wpdb->prepare(\n+                \"SELECT COUNT(*) AS NumberOfRows FROM $tablenameIP WHERE Rating >= %d AND CookieId = %s AND GalleryID = %d AND pid = %d\",\n+                1,\n+                $CookieId,\n+                $galeryID,\n+                $pictureID\n+            ));\n         }","To exploit this vulnerability, an attacker must identify a gallery where 'Cookie recognition' is enabled for voting. 
The attacker then makes a request to the voting endpoint (typically an AJAX request to rate-picture-five-star.php or rate-picture-one-star.php) while providing a crafted SQL fragment inside a cookie named 'contest-gal1ery-[ID]-voting', where [ID] is the target gallery ID. Because versions up to 28.1.6 interpolate the cookie value directly into the vote-lookup SELECT statements without $wpdb->prepare() or any validation, the database parses the value as part of the SQL statement rather than as data, which is what allows database contents to be read out (consistent with the C:H/I:N/A:N vector). No authentication is required for this attack if the gallery allows unauthenticated voting. Version 28.1.7 closes this in rate-picture-five-star.php by reading the cookie through cg_get_valid_frontend_cookie() and binding it with $wpdb->prepare(); the patch also touches rate-picture-one-star.php and load-data-ajax.php.","gemini-3-flash-preview","2026-05-04 19:05:19","2026-05-04 19:06:05",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","28.1.6","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcontest-gallery\u002Ftags\u002F28.1.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcontest-gallery.28.1.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcontest-gallery\u002Ftags\u002F28.1.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcontest-gallery.28.1.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcontest-gallery\u002Ftags"]