CVE-2021-24915
published 2021-11-29

Priority: P179 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW exploit · VulnCheck KEV
Exploited in the wild
EPSS: 12.70% (95.8th percentile)
The Contest Gallery WordPress plugin before 13.1.0.6 does not have capability checks and does not sanitise or escape the cg-search-user-name-original parameter before using it in a SQL statement when exporting users from a gallery, which could allow unauthenticated users to perform SQL injection attacks, as well as obtain the list of all users registered on the blog, including their username and email address.

Affected

1 range

Vendor: contest_gallery · Product: contest_gallery · Version range: < 13.1.0.6 · Fixed in: 13.1.0.6

Detection & IOCs (extracted from sources)

url: /wp-admin/admin.php?page=contest-gallery/index.php&users_management=true&option_id=1
path: /wp-content/plugins/contest-gallery/
command: cg-search-user-name=&cg-search-user-name-original=%27%20UNION%20ALL%20SELECT%20NULL%2CCONCAT%280x717a6b7871%2CIFNULL%28CAST%28VERSION%28%29%20AS%20NCHAR%29%2C0x20%29%2C0x716b707871%29%2CNULL--%20-&cg_create_user_data_csv_new_export=true&cg-search-gallery-id-original=&cg-search-gallery-id=&cg_create_user_data_csv=true
bytes: 0x717a6b7871 / 0x716b707871
  • Look for POST requests to /wp-admin/admin.php with query parameters page=contest-gallery/index.php, users_management=true, and a body containing cg-search-user-name-original with SQL injection payloads (e.g., UNION SELECT, single quotes, hex-encoded strings).
  • Detect responses containing all three CSV field headers 'WpUserId', 'Username', and 'Usermail' together with a Content-Type of text/csv — this indicates successful data exfiltration via the SQLi.
  • Flag HTTP responses with Content-Type header containing 'text/csv' and 'filename=' in combination with a 200 status code on the contest-gallery admin endpoint, as this indicates a successful user data CSV export triggered by the exploit.
  • Monitor for the presence of cg_create_user_data_csv=true and cg_create_user_data_csv_new_export=true POST body parameters alongside cg-search-user-name-original containing SQL metacharacters (quotes, UNION, SELECT) from unauthenticated sessions.
  • Use a Shodan/FOFA fingerprint query for exposed Contest Gallery installations as a pre-exploitation reconnaissance indicator.
  • The exploit requires no authentication (unauthenticated POST); no session cookie or nonce is needed, so WAF/IDS rules should not restrict detection to authenticated sessions.
  • The vulnerable parameter is cg-search-user-name-original in the POST body; the plugin lacks both capability checks and input sanitisation/escaping on this parameter before passing it to a SQL statement.
  • The vulnerability is fixed in Contest Gallery version 13.1.0.6; detections should flag installations running versions prior to this.
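The request-side detection described in the notes above, written out as an added example (not part of this record or of any vendor rule set): it checks the admin.php export endpoint, the cg-search-user-name-original body parameter for SQL metacharacters, and the CSV export flags, without requiring an authenticated session. The sample requests are constructed for illustration; the host blog.example and the simplified payload are assumptions.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# Endpoint and parameters named in the CVE-2021-24915 detection notes.
EXPORT_PAGE = "contest-gallery/index.php"
INJECTED_PARAM = "cg-search-user-name-original"
EXPORT_FLAGS = ("cg_create_user_data_csv", "cg_create_user_data_csv_new_export")
# SQL metacharacters/keywords checked after URL-decoding: quote, UNION/SELECT, comment, hex literal.
SQL_META_RE = re.compile(r"'|\bunion\b|\bselect\b|--|0x[0-9a-f]{4,}", re.IGNORECASE)


def inspect_request(method: str, url: str, body: str) -> Optional[Dict]:
    """Return a finding if the request matches the CVE-2021-24915 pattern, else None.
    Deliberately ignores cookies/nonces: the flaw is reachable unauthenticated."""
    if method.upper() != "POST":
        return None
    parsed = urlparse(url)
    if not parsed.path.endswith("/wp-admin/admin.php"):
        return None
    query = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if query.get("page") != EXPORT_PAGE or query.get("users_management") != "true":
        return None
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    meta = SQL_META_RE.findall(form.get(INJECTED_PARAM, ""))
    if not meta:
        return None
    return {
        "cve": "CVE-2021-24915",
        "param": INJECTED_PARAM,
        "metacharacters": sorted({m.lower() for m in meta}),
        # Both export flags set means the injected query result is written out as CSV.
        "export_triggered": all(form.get(f) == "true" for f in EXPORT_FLAGS),
    }


# Constructed sample traffic: one legitimate admin search, one injection attempt (simplified payload).
_URL = "https://blog.example/wp-admin/admin.php?page=contest-gallery/index.php&users_management=true&option_id=1"
SAMPLE_REQUESTS = [
    ("POST", _URL, "cg-search-user-name=alice&cg-search-user-name-original=alice&cg_create_user_data_csv=true"),
    ("POST", _URL, "cg-search-user-name=&cg-search-user-name-original=%27%20UNION%20SELECT%20NULL%2C0x41--%20-"
                   "&cg_create_user_data_csv_new_export=true&cg_create_user_data_csv=true"),
]


def scan(requests=SAMPLE_REQUESTS) -> List[Dict]:
    """Run the rule over (method, url, body) tuples and collect findings."""
    return [f for f in (inspect_request(*r) for r in requests) if f]
```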

CVSS provenance

nvd       v3.1  9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd       v2.0  7.5  HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck       9.8  CRITICAL