CVE-2026-12165
Status: Deferred - Pending Action
Privilege Escalation in Contest Gallery WordPress Plugin

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Wordfence

Description
The Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 30.0.2 via the `RegistryUserRole` parameter. This is due to the plugin's admin menu being registered at the `edit_posts` capability level (granting Contributor-level users access to the plugin's admin pages and a valid `cg_admin` nonce), while the option-saving handler in `change-options-and-sizes.php` performs no `current_user_can()` capability check beyond `check_admin_referer('cg_admin')`, and the `RegistryUserRole` value is processed only through `sanitize_text_field()` and `htmlentities()` without restriction to an allowlist of permitted role names. A nonce check proves only that the request originated from a page the user could legitimately load; it is a CSRF control, not an authorization control. This makes it possible for authenticated attackers, with author-level access and above, to overwrite the plugin's stored `RegistryUserRole` option with `administrator`, which the `cg_create_wp_user_from_google_user` function then reads back from the `contest_gal1ery_registry_and_login_options` database table without any allowlist validation and passes directly to `wp_update_user()`, effectively promoting a newly registered Google sign-in account to Administrator.
Affected Vendors & Products
Vendor: contest_gallery
Product: upload_and_vote_photos_media_sell_with_paypal_and_stripe
Version range: all versions up to and including 30.0.2
(1 associated CPE)
CWE
CWE-269 (Improper Privilege Management): The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Impact Analysis

This vulnerability allows an authenticated user with author-level permissions or higher to obtain an Administrator account: after overwriting the stored role option, any account created through the plugin's Google sign-in flow (including one the attacker registers) is assigned the Administrator role. Full administrative control over the WordPress site follows, enabling the attacker to modify site settings, install malicious plugins or themes, access sensitive data, and compromise the entire website and its hosting account.

Executive Summary

The Contest Gallery plugin for WordPress has a privilege escalation vulnerability in versions up to and including 30.0.2. The plugin's admin menu is registered at the `edit_posts` capability level, so Contributor-level users and above can load the plugin's admin pages and obtain the `cg_admin` nonce. The option-saving handler verifies that nonce but performs no capability check, and it stores the `RegistryUserRole` parameter after basic sanitization only, without restricting it to an allowlist of permitted role names.

As a result, authenticated users with author-level access or higher can overwrite the stored `RegistryUserRole` option with `administrator`. When a Google sign-in account is subsequently registered, the plugin reads this role from the database without validation and passes it to `wp_update_user()`, so the newly registered account (which the attacker can create) is promoted to Administrator.
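The handler pattern described in the Description and Executive Summary above, shown as an added example that is not the Contest Gallery plugin's own code: every `cg_example_*` function, the option name `cg_example_registry_user_role`, the nonce action `cg_example_admin`, the `admin_post` action and the menu slug are hypothetical names chosen for illustration. The block assumes it is loaded inside WordPress (for instance as an mu-plugin) and closes all three gaps the advisory names: the settings page is gated at `manage_options` rather than `edit_posts`, the save handler checks a capability in addition to the nonce, and the role is validated against an allowlist both when stored and again when applied to a new user.

```php
<?php
// Added example (not the plugin's code). Hardened option-save pattern for a
// WordPress plugin option that stores a role name. Assumes a WordPress runtime.

/**
 * Return $requested only if it is an allowlisted role, otherwise $default.
 * Pure function: the same check is reused at save time and at point of use.
 */
function cg_example_validate_registration_role( $requested, array $allowed, $default = 'subscriber' ) {
    $requested = is_string( $requested ) ? strtolower( trim( $requested ) ) : '';
    return in_array( $requested, $allowed, true ) ? $requested : $default;
}

/** Roles a self-registration path (e.g. Google sign-in) may ever assign. */
function cg_example_allowed_registration_roles() {
    // administrator and editor are deliberately absent: nothing reachable from
    // self-registration should grant control over other users' content or settings.
    return array( 'subscriber', 'contributor' );
}

/** Renders the settings form; the nonce is only issued to manage_options users. */
function cg_example_render_options_page() {
    $current = get_option( 'cg_example_registry_user_role', 'subscriber' );
    echo '<div class="wrap"><h1>Example Gallery Options</h1>';
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'cg_example_admin' );
    echo '<input type="hidden" name="action" value="cg_example_save_options">';
    echo '<label>Role for self-registered users: <select name="RegistryUserRole">';
    foreach ( cg_example_allowed_registration_roles() as $r ) {
        printf( '<option value="%1$s"%2$s>%1$s</option>', esc_attr( $r ), selected( $current, $r, false ) );
    }
    echo '</select></label>';
    submit_button( 'Save' );
    echo '</form></div>';
}

// 1. Register the page at manage_options, not edit_posts, so Contributors and
//    Authors neither see the page nor receive its nonce.
add_action( 'admin_menu', function () {
    add_menu_page(
        'Example Gallery Options',
        'Example Gallery',
        'manage_options',
        'cg-example-options',
        'cg_example_render_options_page'
    );
} );

// 2. Save handler: nonce (CSRF) check AND capability (authorization) check,
//    then allowlist the submitted role before it is stored. No admin_post_nopriv_
//    hook is registered, so unauthenticated requests never reach this code.
add_action( 'admin_post_cg_example_save_options', function () {
    check_admin_referer( 'cg_example_admin' );

    // This is the check the advisory says is missing: a valid nonce alone
    // proves nothing about the caller's privilege level.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    $requested = isset( $_POST['RegistryUserRole'] )
        ? sanitize_text_field( wp_unslash( $_POST['RegistryUserRole'] ) )
        : '';
    $role = cg_example_validate_registration_role( $requested, cg_example_allowed_registration_roles() );

    update_option( 'cg_example_registry_user_role', $role );
    wp_safe_redirect( admin_url( 'admin.php?page=cg-example-options&updated=1' ) );
    exit;
} );

// 3. Point of use: re-validate the stored value before handing it to
//    wp_update_user(), so a tampered option (e.g. a direct database write)
//    still cannot produce an account above the allowlist.
function cg_example_assign_role_to_new_user( $user_id ) {
    $stored = get_option( 'cg_example_registry_user_role', 'subscriber' );
    $role   = cg_example_validate_registration_role( $stored, cg_example_allowed_registration_roles() );
    return wp_update_user( array( 'ID' => (int) $user_id, 'role' => $role ) );
}
```

The two validation points are intentional. The capability check stops a Contributor or Author from writing the option at all; the allowlist at save time stops an administrator from accidentally configuring a self-registration path to mint administrators; and the allowlist at point of use means the role actually applied is bounded even if the stored value was changed by some route other than this handler. When auditing a plugin for this class of bug, look for `check_admin_referer()` or `wp_verify_nonce()` calls with no nearby `current_user_can()`, and for any value that flows from an option or request parameter into the `role` key of `wp_update_user()` or into `WP_User::set_role()` without passing through a fixed list of role names.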
