CVE-2022-4151
Severity: MEDIUM | WAF coverage: High
CVSS 6.5
Published: 2022-12-26
CWE-89
The Contest Gallery WordPress plugin before 19.1.5.1 and the Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the option_id GET parameter before concatenating it into an SQL query in export-images-data.php. This may allow malicious users with at least author privileges to leak sensitive information from the site's database.
WAF Coverage Analysis
SQL Injection
High WAF Coverage
OWASP: A03:2021 Injection
942xxx - SQL Injection
Affected Software
| Vendor | Product | Version |
|---|---|---|
| contest-gallery | contest_gallery | up to 19.1.5.1 |
References
- bulletin.iese.de (Exploit, Third Party Advisory)
- wpscan.com (Exploit, Third Party Advisory)