CVE-2026-3180: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in contest-gallery Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe
The Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe plugin for WordPress is vulnerable to blind SQL Injection via the 'cgLostPasswordEmail' and 'cgl_mail' parameters in all versions up to, and including, 28.1.4 due to insufficient escaping of the user-supplied parameter and lack of sufficient preparation of the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries to already existing queries, which can be used to extract sensitive information from the database. The 'cgLostPasswordEmail' parameter was patched in version 28.1.4, and the 'cgl_mail' parameter was patched in version 28.1.5.
AI Analysis
Technical Summary
CVE-2026-3180 is a blind SQL Injection vulnerability classified under CWE-89, discovered in the WordPress plugin 'Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe'. The vulnerability arises from improper neutralization of special elements in SQL commands, specifically through the 'cgLostPasswordEmail' and 'cgl_mail' parameters. These parameters are insufficiently escaped and the SQL queries are not properly prepared, allowing unauthenticated attackers to append arbitrary SQL code. This can lead to unauthorized extraction of sensitive information from the backend database, such as user credentials or payment data. The vulnerability affects all plugin versions up to 28.1.4 for the 'cgLostPasswordEmail' parameter and up to 28.1.5 for the 'cgl_mail' parameter. The patches introduced in these versions address the issue by implementing proper input sanitization and prepared statements. The CVSS v3.1 base score is 7.5, reflecting high severity due to network attack vector, no required privileges or user interaction, and high confidentiality impact. No integrity or availability impacts are noted. No known exploits have been reported in the wild as of the publication date. The vulnerability was reserved on February 25, 2026, and published on March 2, 2026.
Potential Impact
The primary impact of this vulnerability is the potential unauthorized disclosure of sensitive data stored in the WordPress site's database. This could include user personal information, authentication credentials, and payment transaction details processed via PayPal and Stripe integrations. As the plugin is used for uploading and voting on media, attackers could also gain insights into user activity and potentially leverage this information for further attacks such as phishing or account takeover. Since the vulnerability does not affect data integrity or availability, the risk is mainly confidentiality breach. However, the exposure of sensitive data can lead to reputational damage, regulatory penalties (e.g., GDPR violations), and financial losses for affected organizations. The ease of exploitation (no authentication or user interaction required) increases the threat level, especially for publicly accessible WordPress sites using this plugin. Organizations relying on this plugin for e-commerce or community engagement are particularly vulnerable.
Mitigation Recommendations
Organizations should immediately update the 'Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe' plugin to version 28.1.5 or later, which contains patches for both vulnerable parameters. If immediate update is not possible, temporarily disabling the plugin or restricting access to affected parameters via web application firewall (WAF) rules can reduce exposure. Implementing strict input validation and employing prepared statements for all database queries in custom code is recommended to prevent similar vulnerabilities. Regularly auditing WordPress plugins for updates and vulnerabilities, and maintaining a robust patch management process, will help mitigate risks. Monitoring web server logs for suspicious SQL injection attempts targeting these parameters can provide early detection. Additionally, limiting database user permissions to only necessary operations can reduce the impact of potential exploitation.
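As an added example (not from the advisory, Wordfence, or the plugin's own code), the two recommendations above that a defender can act on today, strict input validation of the e-mail field and log monitoring for the named parameters, run over constructed access-log lines; the parameter names come from the advisory, everything else (regexes, log format, sample traffic) is assumed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Parameters named in the CVE-2026-3180 advisory.
WATCHED_PARAMS = ("cgLostPasswordEmail", "cgl_mail")

# Shape a legitimate lost-password e-mail address has; anything else is
# rejected outright, since a real address never carries quotes or SQL.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Coarse SQL-syntax indicators, used only to rank rejected values for review.
SQLI_RE = re.compile(
    r"""['"`]|--|/\*|\b(?:and|or)\b\s+\S+\s*=|\b(?:sleep|benchmark|union|select)\b""",
    re.IGNORECASE)

# Combined log format (assumed): only the request target is needed here.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def classify_value(value: str) -> str:
    """Return 'ok', 'malformed' or 'sqli' for one submitted e-mail value."""
    if EMAIL_RE.match(value):
        return "ok"
    return "sqli" if SQLI_RE.search(value) else "malformed"

def scan_access_log(lines):
    """Return (param, decoded_value, verdict) for watched params that fail validation.
    Only GET query strings reach a web-server access log; POST bodies do not, so this
    complements WAF or application-level logging rather than replacing it."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for param, values in parse_qs(query, keep_blank_values=True).items():
            if param in WATCHED_PARAMS:
                for raw in values:  # parse_qs has already percent-decoded the value
                    verdict = classify_value(raw)
                    if verdict != "ok":
                        findings.append((param, raw, verdict))
    return findings

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Mar/2026:18:00:01 +0000] "GET /?cgLostPasswordEmail=alice%40example.com HTTP/1.1" 200 512',
    '203.0.113.7 - - [02/Mar/2026:18:00:09 +0000] "GET /?cgLostPasswordEmail=a%40b.com%27+AND+SLEEP%285%29--+ HTTP/1.1" 200 512',
    '203.0.113.9 - - [02/Mar/2026:18:00:15 +0000] "GET /?cgl_mail=x%22+OR+1%3D1 HTTP/1.1" 200 512',
    '203.0.113.9 - - [02/Mar/2026:18:00:20 +0000] "GET /?cgl_mail=not-an-email HTTP/1.1" 200 512',
]
```

The same `classify_value` check, applied server-side before the value ever reaches a query, is the input-validation layer; it does not remove the need for `$wpdb->prepare`-style parameterisation in the plugin itself.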
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-02-25T05:48:17.651Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69a5ccceb6c0d8506fb7921b
Added to database: 3/2/2026, 5:45:50 PM
Last enriched: 3/2/2026, 6:00:06 PM
Last updated: 3/2/2026, 11:04:46 PM