CVE-2021-24915
Published 2021-11-29
CVE-2021-24915: The Contest Gallery WordPress plugin before 13.1.0.6 does not have capability checks and does not sanitise or escape the cg-search-user-name-original parameter…
Priority: P179 · Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW exploit · VulnCheck KEV · Exploited in the wild
EPSS: 12.70% (95.8th percentile)
The Contest Gallery WordPress plugin before 13.1.0.6 does not have capability checks and does not sanitise or escape the cg-search-user-name-original parameter before using it in a SQL statement when exporting users from a gallery. This could allow unauthenticated users to perform SQL injection attacks, as well as obtain the list of all users registered on the blog, including their usernames and email addresses.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| contest_gallery | contest_gallery | < 13.1.0.6 | 13.1.0.6 |
Detection & IOCs (extracted from sources)
Command: `cg-search-user-name=&cg-search-user-name-original=%27%20UNION%20ALL%20SELECT%20NULL%2CCONCAT%280x717a6b7871%2CIFNULL%28CAST%28VERSION%28%29%20AS%20NCHAR%29%2C0x20%29%2C0x716b707871%29%2CNULL--%20-&cg_create_user_data_csv_new_export=true&cg-search-gallery-id-original=&cg-search-gallery-id=&cg_create_user_data_csv=true`
Bytes: 0x717a6b7871 / 0x716b707871
- Look for POST requests to /wp-admin/admin.php with query parameters page=contest-gallery/index.php, users_management=true, and a body containing cg-search-user-name-original with SQL injection payloads (e.g., UNION SELECT, single quotes, hex-encoded strings).
- Detect responses containing all three CSV field headers 'WpUserId', 'Username', and 'Usermail' together with a Content-Type of text/csv; this indicates successful data exfiltration via the SQLi.
- Flag HTTP responses with a Content-Type header containing 'text/csv' and 'filename=' in combination with a 200 status code on the contest-gallery admin endpoint, as this indicates a successful user data CSV export triggered by the exploit.
- Monitor for the presence of cg_create_user_data_csv=true and cg_create_user_data_csv_new_export=true POST body parameters alongside cg-search-user-name-original containing SQL metacharacters (quotes, UNION, SELECT) from unauthenticated sessions.
- Use a Shodan/FOFA fingerprint query for exposed Contest Gallery installations as a pre-exploitation reconnaissance indicator.
- The exploit requires no authentication (unauthenticated POST): no session cookie or nonce is needed, meaning WAF/IDS rules should not restrict detection to authenticated sessions.
- The vulnerable parameter is cg-search-user-name-original in the POST body; the plugin lacks both capability checks and input sanitisation/escaping on this parameter before passing it to a SQL statement.
- The vulnerability is fixed in Contest Gallery version 13.1.0.6; detections should flag installations running versions prior to this.
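The request-side indicators above, turned into a small detector as an added example (this is not code from the page or from the plugin vendor). It runs over constructed access records, decodes the URL-encoded body so `%27` becomes a quote, and only raises the CSV-export reason when the export flags accompany SQL metacharacters in `cg-search-user-name-original`; the record shape and field names are assumptions for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample records (not real traffic): method, request URI, POST body,
# response status and response Content-Type, as a WAF or proxy log might expose them.
SAMPLE_REQUESTS = [
    {"method": "POST", "status": 200, "content_type": "text/html",
     "uri": "/wp-admin/admin.php?page=contest-gallery/index.php&users_management=true",
     "body": "cg-search-user-name-original=alice&cg_create_user_data_csv=true"},
    {"method": "POST", "status": 200, "content_type": "text/csv; charset=utf-8",
     "uri": "/wp-admin/admin.php?page=contest-gallery/index.php&users_management=true",
     "body": ("cg-search-user-name=&cg-search-user-name-original=%27%20UNION%20ALL%20SELECT%20NULL--%20-"
              "&cg_create_user_data_csv_new_export=true&cg_create_user_data_csv=true")},
    {"method": "GET", "status": 200, "content_type": "text/html",
     "uri": "/wp-admin/admin.php?page=contest-gallery/index.php", "body": ""},
]

# Metacharacters named in the indicators: quotes, UNION/SELECT, hex-encoded strings.
# A lone apostrophe will also match names such as O'Brien; the export-flag and
# text/csv conditions below are what raise confidence, so triage on the combination.
SQL_META = re.compile(r"(['\"]|\bUNION\b|\bSELECT\b|0x[0-9a-fA-F]{4,})", re.IGNORECASE)

def classify(req):
    """Return the list of detection reasons for one record (empty list = benign)."""
    reasons = []
    if req["method"] != "POST":
        return reasons
    parts = urlsplit(req["uri"])
    query = parse_qs(parts.query)
    if (parts.path != "/wp-admin/admin.php"
            or query.get("page") != ["contest-gallery/index.php"]
            or query.get("users_management") != ["true"]):
        return reasons
    body = parse_qs(req["body"], keep_blank_values=True)  # percent-decodes the payload
    export = ("true" in body.get("cg_create_user_data_csv", [])
              or "true" in body.get("cg_create_user_data_csv_new_export", []))
    for value in body.get("cg-search-user-name-original", []):
        if SQL_META.search(value):
            reasons.append("sqli-metachar-in-cg-search-user-name-original")
            if export:
                reasons.append("csv-export-flag-with-sqli")
    # A 200 text/csv reply to such a request matches the exfiltration indicator.
    if reasons and req["status"] == 200 and req.get("content_type", "").startswith("text/csv"):
        reasons.append("csv-response-after-sqli-request")
    return reasons

def scan(records):
    """Return (index, reasons) for every record that triggers at least one reason."""
    hits = [(i, classify(r)) for i, r in enumerate(records)]
    return [(i, reasons) for i, reasons in hits if reasons]
```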
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |
GHSA
GHSA-986q-37xh-j7h2 (ghsa_unreviewed, 2021-11-30): CVE-2021-24915 [CRITICAL] CWE-862, "The Contest Gallery WordPress plugin before 13…"; the advisory text is the same description as above.
VulnCheck
vulncheck · 2021 · CVSS 9.8
CVE-2021-24915 [CRITICAL] contest_gallery contest_gallery: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'); the advisory text is the same description as above.
Affected: contest_gallery contest_gallery
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honey
No detection rules found.
Nuclei
nuclei · CVSS 9.8
CVE-2021-24915 [CRITICAL] Contest Gallery < 13.1.0.6 - SQL injection
The plugin does not have capability checks and does not sanitise or escape the cg-search-user-name-original parameter before using it in a SQL statement when exporting users from a gallery, which could allow unauthenticated users to perform SQL injection attacks, as well as obtain the list of all users registered on the blog, including their usernames and email addresses.
Template:

```yaml
id: CVE-2021-24915
info:
  name: Contest Gallery < 13.1.0.6 - SQL injection
  author: r3Y3r53
  severity: critical
  description: |
    The plugin does not have capability checks and does not sanitise or escape the cg-search-user-name-original parameter before using it in a SQL statement when exporting users from a gallery, which could allow unauthenticated to perform SQL injections attac
```