CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-28784 – WordPress Contest Gallery Plugin <= 21.1.2 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-28784
27 Mar 2023 — Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Contest Gallery plugin <= 21.1.2 versions. The Contest Gallery plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via an unknown parameter in versions up to, and including, 21.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Unauth. • https://patchstack.com/database/vulnerability/contest-gallery/wordpress-contest-gallery-plugin-21-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 2CVE-2022-4150 – Contest Gallery < 19.1.5 - Author+ SQL Injection
https://notcve.org/view.php?id=CVE-2022-4150
05 Dec 2022 — The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the option_id POST parameter before concatenating it to an SQL query in order-custom-fields-with-and-without-search.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. El complemento de WordPress Contest Gallery anterior a 19.1.5.1 y el complemento de WordPress de Contest Gallery Pro anterior a 19.1.5.1 no escapan del ... • https://bulletin.iese.de/post/contest-gallery_19-1-4-1_13 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 2CVE-2022-4153 – Contest Gallery < 19.1.5.1 - Author+ SQL Injection
https://notcve.org/view.php?id=CVE-2022-4153
05 Dec 2022 — The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the upload[] POST parameter before concatenating it to an SQL query in get-data-create-upload-v10.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. El complemento de WordPress Contest Gallery anterior a 19.1.5.1 y el complemento de WordPress de Contest Gallery Pro anterior a 19.1.5.1 no escapan del parámetro POST de ... • https://bulletin.iese.de/post/contest-gallery_19-1-4-1_7 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 2CVE-2022-4155 – Contest Gallery < 19.1.5 - Admin+ SQL Injection
https://notcve.org/view.php?id=CVE-2022-4155
05 Dec 2022 — The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the wp_user_id GET parameter before concatenating it to an SQL query in management-show-user.php. This may allow malicious users with administrator privileges (i.e. on multisite WordPress configurations) to leak sensitive information from the site's database. El complemento de WordPress Contest Gallery anterior a 19.1.5.1 y el complemento de WordPress de Contest Gallery Pro anterior a 19.... • https://bulletin.iese.de/post/contest-gallery_19-1-4-1_6 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 2CVE-2022-4157 – Contest Gallery < 19.1.5 - Admin+ SQL Injection
https://notcve.org/view.php?id=CVE-2022-4157
05 Dec 2022 — The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_option_id POST parameter before concatenating it to an SQL query in export-votes-all.php. This may allow malicious users with administrator privileges (i.e. on multisite WordPress configurations) to leak sensitive information from the site's database. El complemento Contest Gallery de WordPress anterior a 19.1.5.1 y el complemento de WordPress de Contest Gallery Pro anterior a 19.1... • https://bulletin.iese.de/post/contest-gallery_19-1-4-1_3 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 2CVE-2022-4158 – Contest Gallery < 19.1.5 - Unauthenticated SQL Injection
https://notcve.org/view.php?id=CVE-2022-4158
05 Dec 2022 — The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_Fields POST parameter before concatenating it to an SQL query in users-registry-check-registering-and-login.php. This may allow malicious visitors to leak sensitive information from the site's database. El complemento de WordPress Contest Gallery anterior a 19.1.5.1 y el complemento de WordPress de Contest Gallery Pro anterior a 19.1.5.1 no escapan del parámetro POST cg_Fields ante... • https://bulletin.iese.de/post/contest-gallery_19-1-4-1_15 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 2CVE-2022-4165 – Contest Gallery < 19.1.5 - Author+ SQL Injection
https://notcve.org/view.php?id=CVE-2022-4165
05 Dec 2022 — The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_order POST parameter before concatenating it to an SQL query in order-custom-fields-with-and-without-search.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. El complemento Contest Gallery de WordPress anterior a 19.1.5.1 y el complemento de WordPress de Contest Gallery Pro anterior a 19.1.5.1 no escapan del p... • https://bulletin.iese.de/post/contest-gallery_19-1-4-1_17 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 2CVE-2022-4166 – Contest Gallery < 19.1.5 - Author+ SQL Injection
https://notcve.org/view.php?id=CVE-2022-4166
05 Dec 2022 — The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the addCountS POST parameter before concatenating it to an SQL query in 4_activate.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. El complemento Contest Gallery de WordPress anterior a 19.1.5.1 y el complemento de WordPress de Contest Gallery Pro anterior a 19.1.5.1 no escapan del parámetro addCountS POST antes de... • https://bulletin.iese.de/post/contest-gallery_19-1-4-1_12 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 2CVE-2022-4152 – Contest Gallery < 19.1.5 - Author+ SQL Injection
https://notcve.org/view.php?id=CVE-2022-4152
05 Dec 2022 — The Contest Gallery WordPress plugin before 19.1.5, Contest Gallery Pro WordPress plugin before 19.1.5 do not escape the option_id POST parameter before concatenating it to an SQL query in edit-options.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. El complemento de WordPress Contest Gallery anterior a 19.1.5 y el complemento de WordPress de Contest Gallery Pro anterior a 19.1.5 no escapan del parámetro POST option_id antes de conca... • https://bulletin.iese.de/post/contest-gallery_19-1-4-1_4 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.6EPSS: 0%CPEs: 1EXPL: 2CVE-2022-4154 – Contest Gallery Pro < 19.1.5 - Admin+ SQL Injection
https://notcve.org/view.php?id=CVE-2022-4154
05 Dec 2022 — The Contest Gallery Pro WordPress plugin before 19.1.5 does not escape the wp_user_id GET parameter before concatenating it to an SQL query in management-show-user.php. This may allow malicious users with at administrator privileges (i.e. on multisite WordPress configurations) to leak sensitive information from the site's database. El complemento Contest Gallery Pro de WordPress anterior a 19.1.5 no escapa del parámetro GET wp_user_id antes de concatenarlo a una consulta SQL en management-show-user.php. Est... • https://bulletin.iese.de/post/contest-gallery_19-1-4-1_5 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •