CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-28784 – WordPress Contest Gallery Plugin <= 21.1.2 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-28784
27 Mar 2023 — Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Contest Gallery plugin <= 21.1.2 versions. The Contest Gallery plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via an unknown parameter in versions up to, and including, 21.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Unauth. • https://patchstack.com/database/vulnerability/contest-gallery/wordpress-contest-gallery-plugin-21-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 2CVE-2022-4155 – Contest Gallery < 19.1.5 - Admin+ SQL Injection
https://notcve.org/view.php?id=CVE-2022-4155
05 Dec 2022 — The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the wp_user_id GET parameter before concatenating it to an SQL query in management-show-user.php. This may allow malicious users with administrator privileges (i.e. on multisite WordPress configurations) to leak sensitive information from the site's database. El complemento de WordPress Contest Gallery anterior a 19.1.5.1 y el complemento de WordPress de Contest Gallery Pro anterior a 19.... • https://bulletin.iese.de/post/contest-gallery_19-1-4-1_6 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 2CVE-2022-4161 – Contest Gallery < 19.1.5 - Author+ SQL Injection
https://notcve.org/view.php?id=CVE-2022-4161
05 Dec 2022 — The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_copy_start POST parameter before concatenating it to an SQL query in copy-gallery-images.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. El complemento Contest Gallery de WordPress anterior a 19.1.5.1, y el complemento Contest Gallery Pro de WordPress anterior a 19.1.5.1, no escapan el parámetro POST cg_copy... • https://bulletin.iese.de/post/contest-gallery_19-1-4-1_16 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 2CVE-2022-4164 – Contest Gallery < 19.1.5 - Author+ SQL Injection
https://notcve.org/view.php?id=CVE-2022-4164
05 Dec 2022 — The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_multiple_files_for_post POST parameter before concatenating it to an SQL query in 0_change-gallery.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. El complemento Contest Gallery de WordPress anterior a 19.1.5.1 y el complemento de WordPress de Contest Gallery Pro anterior a 19.1.5.1 no escapan del parámetro ... • https://bulletin.iese.de/post/contest-gallery_19-1-4-1_11 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 2CVE-2022-4159 – Contest Gallery < 19.1.5.1 - Author+ SQL Injection
https://notcve.org/view.php?id=CVE-2022-4159
05 Dec 2022 — The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_id POST parameter before concatenating it to an SQL query in 0_change-gallery.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. El complemento de WordPress Contest Gallery anterior a 19.1.5.1 y el complemento de WordPress de Contest Gallery Pro anterior a 19.1.5.1 no escapan del parámetro POST cg_id antes de c... • https://bulletin.iese.de/post/contest-gallery_19-1-4-1_8 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.6EPSS: 0%CPEs: 1EXPL: 2CVE-2022-4154 – Contest Gallery Pro < 19.1.5 - Admin+ SQL Injection
https://notcve.org/view.php?id=CVE-2022-4154
05 Dec 2022 — The Contest Gallery Pro WordPress plugin before 19.1.5 does not escape the wp_user_id GET parameter before concatenating it to an SQL query in management-show-user.php. This may allow malicious users with at administrator privileges (i.e. on multisite WordPress configurations) to leak sensitive information from the site's database. El complemento Contest Gallery Pro de WordPress anterior a 19.1.5 no escapa del parámetro GET wp_user_id antes de concatenarlo a una consulta SQL en management-show-user.php. Est... • https://bulletin.iese.de/post/contest-gallery_19-1-4-1_5 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.1EPSS: 1%CPEs: 2EXPL: 2CVE-2022-4156 – Contest Gallery < 19.1.5.1 - Unauthenticated SQL Injection
https://notcve.org/view.php?id=CVE-2022-4156
05 Dec 2022 — The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the user_id POST parameter before concatenating it to an SQL query in ajax-functions-backend.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. El complemento Contest Gallery de WordPress anterior a 19.1.5.1 y el complemento Contest Gallery Pro de WordPress anterior a 19.1.5.1 no escapan del parámetro POST user_id ant... • https://bulletin.iese.de/post/contest-gallery_19-1-4-1_1 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 2CVE-2022-4152 – Contest Gallery < 19.1.5 - Author+ SQL Injection
https://notcve.org/view.php?id=CVE-2022-4152
05 Dec 2022 — The Contest Gallery WordPress plugin before 19.1.5, Contest Gallery Pro WordPress plugin before 19.1.5 do not escape the option_id POST parameter before concatenating it to an SQL query in edit-options.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. El complemento de WordPress Contest Gallery anterior a 19.1.5 y el complemento de WordPress de Contest Gallery Pro anterior a 19.1.5 no escapan del parámetro POST option_id antes de conca... • https://bulletin.iese.de/post/contest-gallery_19-1-4-1_4 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 2CVE-2022-4150 – Contest Gallery < 19.1.5 - Author+ SQL Injection
https://notcve.org/view.php?id=CVE-2022-4150
05 Dec 2022 — The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the option_id POST parameter before concatenating it to an SQL query in order-custom-fields-with-and-without-search.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. El complemento de WordPress Contest Gallery anterior a 19.1.5.1 y el complemento de WordPress de Contest Gallery Pro anterior a 19.1.5.1 no escapan del ... • https://bulletin.iese.de/post/contest-gallery_19-1-4-1_13 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 2CVE-2022-4162 – Contest Gallery < 19.1.5 - Author+ SQL Injection
https://notcve.org/view.php?id=CVE-2022-4162
05 Dec 2022 — The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_row POST parameter before concatenating it to an SQL query in 3_row-order.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. El complemento de WordPress Contest Gallery anterior a 19.1.5.1 y el complemento de WordPress de Contest Gallery Pro anterior a 19.1.5.1 no escapan del parámetro POST cg_row antes de conc... • https://bulletin.iese.de/post/contest-gallery_19-1-4-1_9 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •