SQL Injection Vulnerability in Contest Gallery Plugin by WordPress
CVE-2026-8912

7.5HIGH

Key Information:

Vendor: WordPress
Status: Contest Gallery – Upload & Vote Photos, Media, Sell With Paypal & Stripe
Vendor: CVE Published:; 19 May 2026

What is CVE-2026-8912?

The Contest Gallery plugin for WordPress allows unauthenticated attackers to exploit an SQL injection vulnerability through the 'form_input' parameter. This issue arises from inadequate escaping of user-supplied data within the 'post_cg_gallery_form_upload' AJAX action, particularly in the 'cb' branch of the users-upload-check.php file. This endpoint is accessible with only a basic frontend nonce available in any public gallery page source, enabling attackers to manipulate SQL queries. By injecting additional commands, they can potentially retrieve sensitive data from the database, compromising the integrity and confidentiality of affected WordPress sites.

Affected Version(s)

Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe 0 <= 28.1.6

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/contest-galler...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 19, 2026
Vulnerability Reserved
May 18, 2026

Credit

Leonid Semenenko

CVE-2026-8912 Data

JSON