Contest-Gallery Contest Gallery vulnerabilities
37 known vulnerabilities affecting contest-gallery/contest_gallery.
Total CVEs
37
CISA KEV
0
Public exploits
1
Exploited in wild
0
Severity breakdown
CRITICAL3HIGH9MEDIUM25
Vulnerabilities
Page 1 of 2
CVE-2025-3862MEDIUMCVSS 5.4fixed in 26.0.72025-05-08
CVE-2025-3862 [MEDIUM] CWE-79 CVE-2025-3862: Contest Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ param
Contest Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 26.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will
nvd
CVE-2025-1513MEDIUMCVSS 6.1fixed in 26.0.12025-02-28
CVE-2025-1513 [HIGH] CWE-79 CVE-2025-1513: The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Se
The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Name and Comment field when commenting on photo gallery entries in all versions up to, and including, 26.0.0.1 due to insufficient input
nvd
CVE-2025-22693HIGHCVSS 7.2fixed in 25.1.22025-02-03
CVE-2025-22693 [HIGH] CWE-89 CVE-2025-22693: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability i
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery allows SQL Injection.This issue affects Contest Gallery: from n/a through <= 25.1.0.
nvd
CVE-2024-56237MEDIUMCVSS 4.8fixed in 24.0.42025-01-02
CVE-2024-56237 [MEDIUM] CWE-79 CVE-2024-56237: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability i
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery allows Stored XSS.This issue affects Contest Gallery: from n/a through <= 24.0.3.
nvd
CVE-2024-11103CRITICALCVSS 9.8fixed in 24.0.82024-11-28
CVE-2024-11103 [CRITICAL] CWE-640 CVE-2024-11103: The Contest Gallery plugin for WordPress is vulnerable to privilege escalation via account takeover
The Contest Gallery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 24.0.7. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including a
nvd
CVE-2024-10687CRITICALCVSS 9.8fixed in 24.0.42024-11-05
CVE-2024-10687 [CRITICAL] CWE-89 CVE-2024-10687: The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Se
The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons plugin for WordPress is vulnerable to time-based SQL Injection via the $collectedIds parameter in all versions up to, and including, 24.0.3 due to insufficient escaping on the user supplied parameter and lack of su
nvd
CVE-2024-43283HIGHCVSS 7.5PoCfixed in 23.1.32024-08-26
CVE-2024-43283 [HIGH] CWE-201 CVE-2024-43283: Insertion of Sensitive Information Into Sent Data vulnerability in Wasiliy Strecker / ContestGallery
Insertion of Sensitive Information Into Sent Data vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery.This issue affects Contest Gallery: from n/a through <= 23.1.2.
nvd
CVE-2024-39631MEDIUMCVSS 6.1fixed in 23.1.32024-08-01
CVE-2024-39631 [MEDIUM] CWE-79 CVE-2024-39631: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability i
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery.This issue affects Contest Gallery: from n/a through <= 23.1.2.
nvd
CVE-2024-32778HIGHCVSS 8.1fixed in 21.3.52024-06-09
CVE-2024-32778 [HIGH] CWE-22 CVE-2024-32778: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Wasi
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery.This issue affects Contest Gallery: from n/a through <= 21.3.4.
nvd
CVE-2024-30428MEDIUMCVSS 6.1fixed in 24.0.42024-03-29
CVE-2024-30428 [MEDIUM] CWE-79 CVE-2024-30428: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability i
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery allows Reflected XSS.This issue affects Contest Gallery: from n/a through <= 24.0.3.
nvd
CVE-2024-30236CRITICALCVSS 9.9fixed in 21.3.52024-03-28
CVE-2024-30236 [CRITICAL] CWE-89 CVE-2024-30236: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability i
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery.This issue affects Contest Gallery: from n/a through <= 21.3.4.
nvd
CVE-2024-30238HIGHCVSS 8.8fixed in 21.3.2.12024-03-27
CVE-2024-30238 [HIGH] CWE-89 CVE-2024-30238: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability i
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery.This issue affects Contest Gallery: from n/a through <= 21.3.2.
nvd
CVE-2024-1487MEDIUMCVSS 5.4fixed in 21.3.12024-03-11
CVE-2024-1487 [MEDIUM] CWE-79 CVE-2024-1487: The Photos and Files Contest Gallery WordPress plugin before 21.3.1 does not sanitize and escape som
The Photos and Files Contest Gallery WordPress plugin before 21.3.1 does not sanitize and escape some parameters, which could allow users with a role as low as author to perform Cross-Site Scripting attacks.
nvd
CVE-2024-24887HIGHCVSS 8.8fixed in 21.2.92024-02-12
CVE-2024-24887 [MEDIUM] CWE-352 CVE-2024-24887: Cross-Site Request Forgery (CSRF) vulnerability in Contest Gallery Photos and Files Contest Gallery
Cross-Site Request Forgery (CSRF) vulnerability in Contest Gallery Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress.This issue affects Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress: from n/a through 21.2.8.4.
nvd
CVE-2023-5307MEDIUMCVSS 6.1fixed in 21.2.8.12023-10-31
CVE-2023-5307 [MEDIUM] CWE-79 CVE-2023-5307: The Photos and Files Contest Gallery WordPress plugin before 21.2.8.1 does not sanitise and escape s
The Photos and Files Contest Gallery WordPress plugin before 21.2.8.1 does not sanitise and escape some parameters, which could allow unauthenticated users to perform Cross-Site Scripting attacks via certain headers.
nvd
CVE-2023-28784MEDIUMCVSS 6.1≤ 21.1.22023-06-22
CVE-2023-28784 [HIGH] CWE-79 CVE-2023-28784: Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Contest Gallery plugin <= 21.1.2 versi
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Contest Gallery plugin <= 21.1.2 versions.
nvd
CVE-2022-4156HIGHCVSS 7.5fixed in 19.1.5.12022-12-26
CVE-2022-4156 [HIGH] CWE-89 CVE-2022-4156: The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the user_id POST parameter before concatenating it to an SQL query in ajax-functions-backend.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database.
nvd
CVE-2022-4158HIGHCVSS 7.5fixed in 19.1.5.12022-12-26
CVE-2022-4158 [HIGH] CWE-89 CVE-2022-4158: The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_Fields POST parameter before concatenating it to an SQL query in users-registry-check-registering-and-login.php. This may allow malicious visitors to leak sensitive information from the site's database.
nvd
CVE-2022-4165MEDIUMCVSS 6.5fixed in 19.1.5.12022-12-26
CVE-2022-4165 [MEDIUM] CWE-89 CVE-2022-4165: The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_order POST parameter before concatenating it to an SQL query in order-custom-fields-with-and-without-search.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's datab
nvd
CVE-2022-4153MEDIUMCVSS 6.5fixed in 19.1.5.12022-12-26
CVE-2022-4153 [MEDIUM] CWE-89 CVE-2022-4153: The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the upload[] POST parameter before concatenating it to an SQL query in get-data-create-upload-v10.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database.
nvd
1 / 2Next →