Blind SQL Injection in Contest Gallery Plugin for WordPress

CVE-2026-3180

What is CVE-2026-3180?

CVE-2026-3180 is a vulnerability in the Contest Gallery plugin for WordPress, which serves as a platform for users to upload and vote on photos and media, as well as transact using PayPal and Stripe. This specific vulnerability involves a blind SQL injection due to inadequate escaping of user-supplied parameters in the SQL queries processed by the plugin. Attackers can exploit this flaw via the cgLostPasswordEmail and cgl_mail parameters, allowing them to insert malicious SQL queries into existing commands. Such exploits could enable unauthorized individuals to gain access to sensitive database information, potentially compromising user data and exposing the organization to severe security risks.

Potential impact of CVE-2026-3180

1. Data Breach Risk: The vulnerability allows attackers to execute arbitrary SQL queries, which may lead to unauthorized access to sensitive data within the database, including user credentials, personal information, and other confidential data.

2. Integrity Compromise: The ability to manipulate database queries can also lead to data integrity issues, where attackers could modify or delete critical information, undermining the trustworthiness of the application and its data.

3. Reputation Damage: An exploitation of this vulnerability may result in a data breach that affects users, leading to potential loss of customer trust and confidence, ultimately harming the organization’s reputation and market standing.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch →

References