CVE-2026-8912
Deferred Deferred - Pending Action
SQL Injection in Contest Gallery WordPress Plugin

Publication date: 2026-05-19

Last updated on: 2026-05-19

Assigner: Wordfence

Description
The Contest Gallery plugin for WordPress is vulnerable to SQL Injection via the 'form_input' parameter in versions up to, and including, 28.1.6. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query inside the unauthenticated 'post_cg_gallery_form_upload' AJAX action (specifically the 'cb' branch of the included users-upload-check.php, where $f_input_id is concatenated unquoted into 'SELECT Field_Content FROM ... WHERE id = $f_input_id'). The endpoint is gated only by a public frontend nonce ('cg1l_action' / 'cg_nonce') that is exposed in the page source of any public gallery page. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-19
Last Modified
2026-05-19
Generated
2026-06-10
AI Q&A
2026-05-19
EPSS Evaluated
2026-06-08
NVD
CVE-2026-8912
EUVD
EUVD-2026-30893
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
contest_gallery plugin to 28.1.6 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Contest Gallery plugin for WordPress has a SQL Injection vulnerability in the 'form_input' parameter in versions up to and including 28.1.6. This happens because user input is not properly escaped or prepared before being included in an SQL query within the unauthenticated 'post_cg_gallery_form_upload' AJAX action. Specifically, the parameter is concatenated directly into a SQL SELECT statement without quotes or sanitization, allowing attackers to inject additional SQL commands.

The vulnerable endpoint is only protected by a public frontend nonce that is visible in the page source of any public gallery page, meaning anyone can access it without authentication. This allows unauthenticated attackers to manipulate the SQL query to extract sensitive information from the database.

Impact Analysis

This vulnerability can allow an unauthenticated attacker to extract sensitive information from your WordPress site's database by injecting malicious SQL queries. Because the attacker can manipulate the SQL query, they may gain access to confidential data stored in the database, potentially leading to data breaches.

The CVSS score of 7.5 indicates a high severity impact with no user interaction or privileges required, meaning the attack can be performed remotely and easily.

Detection Guidance

This vulnerability involves SQL Injection via the 'form_input' parameter in the unauthenticated 'post_cg_gallery_form_upload' AJAX action of the Contest Gallery plugin for WordPress. Detection can focus on monitoring HTTP requests to this AJAX endpoint for suspicious or malformed 'form_input' parameter values that may contain SQL injection payloads.

Network or system detection commands could include inspecting web server logs or using tools like curl or wget to test the endpoint with crafted inputs. For example, a command to test the vulnerability might be:

  • curl -X POST -d "action=post_cg_gallery_form_upload&form_input=1 OR 1=1--&cg1l_action=nonce_value&cg_nonce=nonce_value" https://yourwordpresssite.com/wp-admin/admin-ajax.php

Additionally, monitoring logs for unusual SQL errors or unexpected data access patterns related to this AJAX action can help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include updating the Contest Gallery plugin to a version later than 28.1.6 where this SQL Injection vulnerability is fixed.

If an update is not immediately possible, consider disabling or restricting access to the 'post_cg_gallery_form_upload' AJAX action to prevent unauthenticated requests.

Additionally, implement web application firewall (WAF) rules to block suspicious SQL injection patterns targeting the 'form_input' parameter.

Compliance Impact

The vulnerability allows unauthenticated attackers to perform SQL Injection attacks that can extract sensitive information from the database.

Such unauthorized access to sensitive data could lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access.

Therefore, exploitation of this vulnerability may result in non-compliance with these common standards and regulations due to potential data breaches.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8912. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart