Vulnerabilities
Vulnerable Software
The Contest Gallery WordPress plugin before 19.1.5.1 and the Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the wp_user_id GET parameter before concatenating it into an SQL query in management-show-user.php. This may allow malicious users with administrator privileges (i.e. on multisite WordPress configurations) to leak sensitive information from the site's database.
CVSS Score: 4.9
EPSS Score: 0.003
Published: 2022-12-26
The Contest Gallery WordPress plugin before 19.1.5.1 and the Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the user_id POST parameter before concatenating it into an SQL query in ajax-functions-backend.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database.
CVSS Score: 7.5
EPSS Score: 0.026
Published: 2022-12-26
Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability in Contest Gallery plugin <= 13.1.0.9 on WordPress.
CVSS Score: 6.1
EPSS Score: 0.002
Published: 2022-12-06
Authenticated (author+) SQL Injection (SQLi) vulnerability in Contest Gallery plugin <= 17.0.4 on WordPress.
CVSS Score: 7.6
EPSS Score: 0.002
Published: 2022-08-23
Authenticated (author or higher role) Stored Cross-Site Scripting (XSS) in Contest Gallery (WordPress plugin) <= 13.1.0.9
CVSS Score: 4.8
EPSS Score: 0.003
Published: 2022-04-18

