WordPress Plugin Vulnerabilities

Contest Gallery < 17.0.5 - Author+ SQLi

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as author

Affects Plugins

Plugin icon
contest-gallery
Fixed in 17.0.5

References

CVE
CVE-2022-36394

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
7.6 (high)

Miscellaneous

Original Researcher
Nguy Minh Tuan
Verified
No
WPVDB ID
cc25b06d-9eae-4144-8fcd-cc3ce0f1040d

Timeline

Publicly Published
2022-08-09 (about 3 years ago)
Added
2022-08-24 (about 3 years ago)
Last Updated
2022-08-24 (about 3 years ago)

Other

Published
Title
Published
2022-12-09
Title
WP RSS By Publishers <= 0.1 - Admin+ SQLi
Published
2025-07-10
Title
WPGYM - Wordpress Gym Management System < 67.8.0 - Unauthenticated SQL Injection
Published
2024-04-12
Title
Disable Comments | WPZest <= 1.51 - Authenticated (Administrator+) SQL Injection
Published
2017-04-10
Title
Calendar by WD <= 1.5.51 - Authenticated Blind SQL Injection
Published
2024-08-13
Title
Viral Signup <= 2.1 - Unauthenticated SQLi