cbcvebase.

Contest-Gallery Contest Gallery vulnerabilities

37 known vulnerabilities affecting contest-gallery/contest_gallery.

Total CVEs
37
CISA KEV
0
Public exploits
1
Exploited in wild
3
Severity breakdown
CRITICAL3HIGH9MEDIUM25

Vulnerabilities

Page 2 of 2
CVE-2022-4162P3MEDIUMCVSS 6.5fixed in 19.1.5.12022-12-26
CVE-2022-4162 [MEDIUM] CWE-89 CVE-2022-4162: The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19 The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_row POST parameter before concatenating it to an SQL query in 3_row-order.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database.
nvd
CVE-2022-4150P3MEDIUMCVSS 6.5fixed in 19.1.5.12022-12-26
CVE-2022-4150 [MEDIUM] CWE-89 CVE-2022-4150: The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19 The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the option_id POST parameter before concatenating it to an SQL query in order-custom-fields-with-and-without-search.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's data
nvd
CVE-2022-4152P3MEDIUMCVSS 6.5fixed in 19.1.5.12022-12-26
CVE-2022-4152 [MEDIUM] CWE-89 CVE-2022-4152: The Contest Gallery WordPress plugin before 19.1.5, Contest Gallery Pro WordPress plugin before 19.1 The Contest Gallery WordPress plugin before 19.1.5, Contest Gallery Pro WordPress plugin before 19.1.5 do not escape the option_id POST parameter before concatenating it to an SQL query in edit-options.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database.
nvd
CVE-2022-4166P3MEDIUMCVSS 6.5fixed in 19.1.5.12022-12-26
CVE-2022-4166 [MEDIUM] CWE-89 CVE-2022-4166: The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19 The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the addCountS POST parameter before concatenating it to an SQL query in 4_activate.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database.
nvd
CVE-2022-4159P3MEDIUMCVSS 6.5fixed in 19.1.5.12022-12-26
CVE-2022-4159 [MEDIUM] CWE-89 CVE-2022-4159: The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19 The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_id POST parameter before concatenating it to an SQL query in 0_change-gallery.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database.
nvd
CVE-2025-1513P4MEDIUMCVSS 6.1fixed in 26.0.12025-02-28
CVE-2025-1513 [MEDIUM] CWE-79 CVE-2025-1513: The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Se The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Name and Comment field when commenting on photo gallery entries in all versions up to, and including, 26.0.0.1 due to insufficient inp
nvd
CVE-2022-4154P4MEDIUMCVSS 4.9fixed in 19.1.5.12022-12-26
CVE-2022-4154 [MEDIUM] CWE-89 CVE-2022-4154: The Contest Gallery Pro WordPress plugin before 19.1.5 does not escape the wp_user_id GET parameter The Contest Gallery Pro WordPress plugin before 19.1.5 does not escape the wp_user_id GET parameter before concatenating it to an SQL query in management-show-user.php. This may allow malicious users with at administrator privileges (i.e. on multisite WordPress configurations) to leak sensitive information from the site's database.
nvd
CVE-2022-4157P4MEDIUMCVSS 4.9fixed in 19.1.5.12022-12-26
CVE-2022-4157 [MEDIUM] CWE-89 CVE-2022-4157: The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19 The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_option_id POST parameter before concatenating it to an SQL query in export-votes-all.php. This may allow malicious users with administrator privileges (i.e. on multisite WordPress configurations) to leak sensitive information
nvd
CVE-2022-4155P4MEDIUMCVSS 4.9fixed in 19.1.5.12022-12-26
CVE-2022-4155 [MEDIUM] CWE-89 CVE-2022-4155: The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19 The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the wp_user_id GET parameter before concatenating it to an SQL query in management-show-user.php. This may allow malicious users with administrator privileges (i.e. on multisite WordPress configurations) to leak sensitive information
nvd
CVE-2023-5307P4MEDIUMCVSS 6.1fixed in 21.2.8.12023-10-31
CVE-2023-5307 [MEDIUM] CWE-79 CVE-2023-5307: The Photos and Files Contest Gallery WordPress plugin before 21.2.8.1 does not sanitise and escape s The Photos and Files Contest Gallery WordPress plugin before 21.2.8.1 does not sanitise and escape some parameters, which could allow unauthenticated users to perform Cross-Site Scripting attacks via certain headers.
nvd
CVE-2022-45848P4MEDIUMCVSS 6.1≤ 13.1.0.92022-12-06
CVE-2022-45848 [MEDIUM] CWE-79 CVE-2022-45848: Unauth. Stored Cross-Site Scripting (XSS) vulnerability in Contest Gallery plugin <= 13.1.0.9 on Wor Unauth. Stored Cross-Site Scripting (XSS) vulnerability in Contest Gallery plugin <= 13.1.0.9 on WordPress.
nvd
CVE-2024-1487P4MEDIUMCVSS 5.4fixed in 21.3.12024-03-11
CVE-2024-1487 [MEDIUM] CWE-79 CVE-2024-1487: The Photos and Files Contest Gallery WordPress plugin before 21.3.1 does not sanitize and escape som The Photos and Files Contest Gallery WordPress plugin before 21.3.1 does not sanitize and escape some parameters, which could allow users with a role as low as author to perform Cross-Site Scripting attacks.
nvd
CVE-2025-3862P4MEDIUMCVSS 5.4fixed in 26.0.72025-05-08
CVE-2025-3862 [MEDIUM] CWE-79 CVE-2025-3862: Contest Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ param Contest Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 26.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will
nvd
CVE-2024-30428P4MEDIUMCVSS 6.1fixed in 24.0.42024-03-29
CVE-2024-30428 [MEDIUM] CWE-79 CVE-2024-30428: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability i Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery allows Reflected XSS.This issue affects Contest Gallery: from n/a through <= 24.0.3.
nvd
CVE-2023-28784P4MEDIUMCVSS 6.1≤ 21.1.22023-06-22
CVE-2023-28784 [MEDIUM] CWE-79 CVE-2023-28784: Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Contest Gallery plugin <= 21.1.2 versi Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Contest Gallery plugin <= 21.1.2 versions.
nvd
CVE-2022-27853P4MEDIUMCVSS 4.8≤ 13.1.0.92022-04-18
CVE-2022-27853 [MEDIUM] CWE-79 CVE-2022-27853: Authenticated (author or higher role) Stored Cross-Site Scripting (XSS) in Contest Gallery (WordPres Authenticated (author or higher role) Stored Cross-Site Scripting (XSS) in Contest Gallery (WordPress plugin) <= 13.1.0.9
nvd
CVE-2024-56237P4MEDIUMCVSS 4.8fixed in 24.0.42025-01-02
CVE-2024-56237 [MEDIUM] CWE-79 CVE-2024-56237: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability i Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery allows Stored XSS.This issue affects Contest Gallery: from n/a through <= 24.0.3.
nvd
Contest-Gallery Contest Gallery vulnerabilities | cvebase