cbcvebase.

Contest-Gallery Contest Gallery vulnerabilities

37 known vulnerabilities affecting contest-gallery/contest_gallery.

Total CVEs
37
CISA KEV
0
Public exploits
1
Exploited in wild
3
Severity breakdown
CRITICAL3HIGH9MEDIUM25

Vulnerabilities

Page 1 of 2
CVE-2024-43283P2HIGHCVSS 7.5ExploitedPoCfixed in 23.1.32024-08-26
CVE-2024-43283 [HIGH] CWE-201 CVE-2024-43283: Insertion of Sensitive Information Into Sent Data vulnerability in Wasiliy Strecker / ContestGallery Insertion of Sensitive Information Into Sent Data vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery.This issue affects Contest Gallery: from n/a through <= 23.1.2.
nvd
CVE-2024-39631P2MEDIUMCVSS 6.1Exploitedfixed in 23.1.32024-08-01
CVE-2024-39631 [MEDIUM] CWE-79 CVE-2024-39631: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability i Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery.This issue affects Contest Gallery: from n/a through <= 23.1.2.
nvd
CVE-2024-32778P2HIGHCVSS 8.1Exploitedfixed in 21.3.52024-06-09
CVE-2024-32778 [HIGH] CWE-22 CVE-2024-32778: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Wasi Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery.This issue affects Contest Gallery: from n/a through <= 21.3.4.
nvd
CVE-2024-11103P2CRITICALCVSS 9.8fixed in 24.0.82024-11-28
CVE-2024-11103 [CRITICAL] CWE-640 CVE-2024-11103: The Contest Gallery plugin for WordPress is vulnerable to privilege escalation via account takeover The Contest Gallery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 24.0.7. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including a
nvd
CVE-2024-30236P2CRITICALCVSS 9.9fixed in 21.3.52024-03-28
CVE-2024-30236 [CRITICAL] CWE-89 CVE-2024-30236: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability i Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery.This issue affects Contest Gallery: from n/a through <= 21.3.4.
nvd
CVE-2024-10687P3CRITICALCVSS 9.8fixed in 24.0.42024-11-05
CVE-2024-10687 [CRITICAL] CWE-89 CVE-2024-10687: The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Se The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons plugin for WordPress is vulnerable to time-based SQL Injection via the $collectedIds parameter in all versions up to, and including, 24.0.3 due to insufficient escaping on the user supplied parameter and lack of su
nvd
CVE-2024-30238P3HIGHCVSS 8.8fixed in 21.3.2.12024-03-27
CVE-2024-30238 [HIGH] CWE-89 CVE-2024-30238: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability i Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery.This issue affects Contest Gallery: from n/a through <= 21.3.2.
nvd
CVE-2022-36394P3HIGHCVSS 8.8≤ 17.0.42022-08-23
CVE-2022-36394 [HIGH] CWE-89 CVE-2022-36394: Authenticated (author+) SQL Injection (SQLi) vulnerability in Contest Gallery plugin <= 17.0.4 at Wo Authenticated (author+) SQL Injection (SQLi) vulnerability in Contest Gallery plugin <= 17.0.4 at WordPress.
nvd
CVE-2024-24887P3HIGHCVSS 8.8fixed in 21.2.92024-02-12
CVE-2024-24887 [HIGH] CWE-352 CVE-2024-24887: Cross-Site Request Forgery (CSRF) vulnerability in Contest Gallery Photos and Files Contest Gallery Cross-Site Request Forgery (CSRF) vulnerability in Contest Gallery Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress.This issue affects Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress: from n/a through 21.2.8.4.
nvd
CVE-2022-4156P3HIGHCVSS 7.5fixed in 19.1.5.12022-12-26
CVE-2022-4156 [HIGH] CWE-89 CVE-2022-4156: The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19 The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the user_id POST parameter before concatenating it to an SQL query in ajax-functions-backend.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database.
nvd
CVE-2025-22693P3HIGHCVSS 7.2fixed in 25.1.22025-02-03
CVE-2025-22693 [HIGH] CWE-89 CVE-2025-22693: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability i Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery allows SQL Injection.This issue affects Contest Gallery: from n/a through <= 25.1.0.
nvd
CVE-2022-4158P3HIGHCVSS 7.5fixed in 19.1.5.12022-12-26
CVE-2022-4158 [HIGH] CWE-89 CVE-2022-4158: The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19 The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_Fields POST parameter before concatenating it to an SQL query in users-registry-check-registering-and-login.php. This may allow malicious visitors to leak sensitive information from the site's database.
nvd
CVE-2019-5974P3HIGHCVSS 8.8fixed in 10.4.5vversions prior to 10.4.52019-07-05
CVE-2019-5974 [HIGH] CWE-352 CVE-2019-5974: Cross-site request forgery (CSRF) vulnerability in Contest Gallery versions prior to 10.4.5 allows r Cross-site request forgery (CSRF) vulnerability in Contest Gallery versions prior to 10.4.5 allows remote attackers to hijack the authentication of administrators via unspecified vectors.
nvd
CVE-2022-4153P3MEDIUMCVSS 6.5fixed in 19.1.5.12022-12-26
CVE-2022-4153 [MEDIUM] CWE-89 CVE-2022-4153: The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19 The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the upload[] POST parameter before concatenating it to an SQL query in get-data-create-upload-v10.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database.
nvd
CVE-2022-4164P3MEDIUMCVSS 6.5fixed in 19.1.5.12022-12-26
CVE-2022-4164 [MEDIUM] CWE-89 CVE-2022-4164: The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19 The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_multiple_files_for_post POST parameter before concatenating it to an SQL query in 0_change-gallery.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database.
nvd
CVE-2022-4163P3MEDIUMCVSS 6.5fixed in 19.1.5.12022-12-26
CVE-2022-4163 [MEDIUM] CWE-89 CVE-2022-4163: The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19 The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_deactivate and cg_activate POST parameters before concatenating it to an SQL query in 2_deactivate.php and 4_activate.php, respectively. This may allow malicious users with at least author privilege to leak sensitive informati
nvd
CVE-2022-4161P3MEDIUMCVSS 6.5fixed in 19.1.5.12022-12-26
CVE-2022-4161 [MEDIUM] CWE-89 CVE-2022-4161: The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19 The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_copy_start POST parameter before concatenating it to an SQL query in copy-gallery-images.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database.
nvd
CVE-2022-4151P3MEDIUMCVSS 6.5fixed in 19.1.5.12022-12-26
CVE-2022-4151 [MEDIUM] CWE-89 CVE-2022-4151: The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19 The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the option_id GET parameter before concatenating it to an SQL query in export-images-data.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database.
nvd
CVE-2022-4160P3MEDIUMCVSS 6.5fixed in 19.1.5.12022-12-26
CVE-2022-4160 [MEDIUM] CWE-89 CVE-2022-4160: The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19 The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_copy_id POST parameter before concatenating it to an SQL query in cg-copy-comments.php and cg-copy-rating.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's databas
nvd
CVE-2022-4165P3MEDIUMCVSS 6.5fixed in 19.1.5.12022-12-26
CVE-2022-4165 [MEDIUM] CWE-89 CVE-2022-4165: The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19 The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_order POST parameter before concatenating it to an SQL query in order-custom-fields-with-and-without-search.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's datab
nvd
Contest-Gallery Contest Gallery vulnerabilities | cvebase