CVE-2026-12165
Deferred Deferred - Pending Action

Privilege Escalation in Contest Gallery WordPress Plugin

Vulnerability report for CVE-2026-12165, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Wordfence

Description

The Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 30.0.2 via the `RegistryUserRole` parameter. This is due to the plugin's admin menu being registered at the `edit_posts` capability level β€” granting Contributor-level users access to the plugin's admin pages and a valid `cg_admin` nonce β€” while the option-saving handler in `change-options-and-sizes.php` performs no `current_user_can()` capability check beyond `check_admin_referer('cg_admin')`, and the `RegistryUserRole` value is processed only through `sanitize_text_field()` and `htmlentities()` without restriction to an allowlist of permitted role names. This makes it possible for authenticated attackers, with author-level access and above, to overwrite the plugin's stored `RegistryUserRole` option with `administrator`, which the `cg_create_wp_user_from_google_user` function then reads back from the `contest_gal1ery_registry_and_login_options` database table without any allowlist validation and passes directly to `wp_update_user()`, effectively promoting a newly registered Google sign-in account to Administrator.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-17
Last Modified
2026-06-17
Generated
2026-07-08
AI Q&A
2026-06-17
EPSS Evaluated
2026-07-06
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
contest_gallery upload_and_vote_photos_media_sell_with_paypal_and_stripe to 30.0.2 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

This vulnerability allows an authenticated user with author-level permissions or higher to escalate their privileges to Administrator. This means an attacker can gain full administrative control over the WordPress site, enabling them to modify site settings, install malicious plugins or themes, access sensitive data, and potentially compromise the entire website.

Executive Summary

The Contest Gallery plugin for WordPress has a privilege escalation vulnerability in versions up to 30.0.2. This occurs because the plugin's admin menu is accessible to users with Contributor-level permissions due to it being registered at the 'edit_posts' capability level. The plugin's option-saving handler does not properly check user capabilities beyond verifying a nonce, and it processes the 'RegistryUserRole' parameter without restricting it to allowed role names.

As a result, authenticated users with author-level access or higher can overwrite the stored 'RegistryUserRole' option with 'administrator'. When a Google sign-in account is registered, the plugin reads this role from the database without validation and updates the user role to Administrator, effectively promoting the attacker to an admin role.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12165. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart