Executive Summary

The Contest Gallery plugin for WordPress has a vulnerability that allows an attacker to bypass authentication and take over administrator accounts. This happens because the plugin's email confirmation handler incorrectly uses the user's email string in a database query where a numeric user ID is expected. When a specific setting (`RegMailOptional=1`) is enabled, an attacker can register with a specially crafted email that starts with the target user's ID, causing the plugin to overwrite the admin's activation key due to MySQL integer coercion.

After this, the attacker can use an unauthenticated AJAX login endpoint to authenticate as the admin without any credentials, effectively gaining full control over the WordPress site.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts as it allows unauthenticated attackers to take over any WordPress administrator account on a site using the vulnerable Contest Gallery plugin versions up to 28.1.5.

• Full site control by the attacker, including the ability to modify content, install malicious plugins or themes, and access sensitive data.
• Potential loss of data integrity and confidentiality.
• Compromise of the entire WordPress installation and any connected systems.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves an authentication bypass in the Contest Gallery WordPress plugin via crafted email registration and misuse of the activation key login AJAX endpoint.'}, {'type': 'paragraph', 'content': 'Detection can focus on monitoring for suspicious AJAX requests to the `post_cg1l_login_user_by_key` action, which allows login via activation key without credentials.'}, {'type': 'paragraph', 'content': 'You can inspect web server logs or use network monitoring tools to look for POST requests to URLs containing `ajax-functions-frontend.php` with the parameter `action=post_cg1l_login_user_by_key`.'}, {'type': 'list_item', 'content': "Use command-line tools like `grep` on your web server access logs to find such requests, for example: `grep 'post_cg1l_login_user_by_key' /var/log/apache2/access.log`"}, {'type': 'list_item', 'content': 'Look for suspicious registration emails with crafted email addresses starting with numeric user IDs (e.g., `[email protected]`) in your mail logs.'}, {'type': 'list_item', 'content': 'Check for unexpected changes or overwrites of the `user_activation_key` field in the WordPress users database table, which may indicate exploitation attempts.'}, {'type': 'paragraph', 'content': 'No specific detection commands are provided in the available resources, but monitoring AJAX login attempts and unusual user activation key changes are recommended.'}] [2, 3]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to update the Contest Gallery plugin to version 28.1.6 or later, where the vulnerability has been fixed.

The fix involves correcting the misuse of the email string in the SQL query and securing the activation key login endpoint to prevent unauthenticated access.

Until the update can be applied, consider disabling or restricting access to the vulnerable AJAX endpoint `post_cg1l_login_user_by_key` in `ajax-functions-frontend.php` to prevent exploitation.

Additionally, review and tighten user registration settings, especially the `RegMailOptional=1` setting, which enables the attack vector.

Monitor and audit user accounts for unauthorized changes, particularly admin accounts, and reset passwords or activation keys if suspicious activity is detected.

Useful 0 Not Useful 0