CVE-2022-4166

CWE-89SQL Injection3 documents3 sources
Severity
6.5MEDIUM
EPSS
0.7%
top 27.05%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Unknown Contest GalleryUnknown Contest Gallery PROContest-gallery Contest Gallery
Timeline
PublishedDec 26

Description

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the addCountS POST parameter before concatenating it to an SQL query in 4_activate.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

CVEListV5unknown/contest_gallery< 19.1.5.1
CVEListV5unknown/contest_gallery_pro< 19.1.5.1

🔴Vulnerability Details

2
CVEList
Contest Gallery < 19.1.5 - Author+ SQL Injection2022-12-26
GHSA
GHSA-7hx6-3mh5-45rj: The Contest Gallery WordPress plugin before 192022-12-26
CVE-2022-4166 (MEDIUM CVSS 6.5) | The Contest Gallery WordPress plugi | cvebase.io