CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 2CVE-2022-4163 – Contest Gallery < 19.1.5 - Author+ SQL Injection
https://notcve.org/view.php?id=CVE-2022-4163
29 Nov 2022 — The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_deactivate and cg_activate POST parameters before concatenating it to an SQL query in 2_deactivate.php and 4_activate.php, respectively. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. El complemento de WordPress Contest Gallery anterior a 19.1.5.1 y el complemento de WordPress de Contest Gallery Pro anterior a 1... • https://bulletin.iese.de/post/contest-gallery_19-1-4-1_10 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2022-45848 – WordPress Contest Gallery Plugin <= 13.1.0.9 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2022-45848
23 Nov 2022 — Unauth. Stored Cross-Site Scripting (XSS) vulnerability in Contest Gallery plugin <= 13.1.0.9 on WordPress. Vulnerabilidad de Cross-Site Scripting (XSS)Almacenada No Autenticada en el complemento Contest Gallery <= 13.1.0.9 en WordPress. The Contest Gallery plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 13.1.0.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web sc... • https://patchstack.com/database/vulnerability/contest-gallery/wordpress-contest-gallery-plugin-13-1-0-9-unauth-stored-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-36394 – WordPress Contest Gallery plugin <= 17.0.4 - Authenticated SQL Injection (SQLi) vulnerability
https://notcve.org/view.php?id=CVE-2022-36394
09 Aug 2022 — Authenticated (author+) SQL Injection (SQLi) vulnerability in Contest Gallery plugin <= 17.0.4 at WordPress. Una vulnerabilidad de Inyección SQL (SQLi) Autenticado (autor+) en el plugin Contest Gallery versiones anteriores a 17.0.4 incluyéndola, en WordPress. The Contest Gallery plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 17.0.4 due to insufficient escaping on the user supplied $id parameter and lack of sufficient preparation on the existing SQL query. This makes it... • https://patchstack.com/database/vulnerability/contest-gallery/wordpress-contest-gallery-plugin-17-0-4-authenticated-sql-injection-sqli-vulnerability • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2022-27853 – WordPress Contest Gallery plugin <= 13.1.0.9 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2022-27853
20 Dec 2021 — Authenticated (author or higher role) Stored Cross-Site Scripting (XSS) in Contest Gallery (WordPress plugin) <= 13.1.0.9 Una vulnerabilidad de tipo Cross-Site Scripting (XSS) Almacenado Autenticado (rol de autor o superior) en Contest Gallery (plugin de WordPress) versiones anteriores a 13.1.0.9 incluyéndola • https://patchstack.com/database/vulnerability/contest-gallery/wordpress-contest-gallery-plugin-13-1-0-9-authenticated-stored-cross-site-scripting-xss-vulnerability • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 82%CPEs: 1EXPL: 2CVE-2021-24915 – Contest Gallery < 13.1.0.6 - Missing Access Controls to Unauthenticated SQL injection / Email Address Disclosure
https://notcve.org/view.php?id=CVE-2021-24915
29 Nov 2021 — The Contest Gallery WordPress plugin before 13.1.0.6 does not have capability checks and does not sanitise or escape the cg-search-user-name-original parameter before using it in a SQL statement when exporting users from a gallery, which could allow unauthenticated to perform SQL injections attacks, as well as get the list of all users registered on the blog, including their username and email address El plugin Contest Gallery de WordPress versiones anteriores a 13.1.0.6, no presenta comprobaciones de capac... • https://gist.github.com/tpmiller87/6c05596fe27dd6f69f1aaba4cbb9c917 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-5974 – Contest Gallery – Photo Contest Plugin for WordPress <= 10.4.4 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2019-5974
12 Jun 2019 — Cross-site request forgery (CSRF) vulnerability in Contest Gallery versions prior to 10.4.5 allows remote attackers to hijack the authentication of administrators via unspecified vectors. Una vulnerabilidad de tipo cross-site request forgery (CSRF) en Contest Gallery versiones anteriores a 10.4.5, permite a los atacantes remotos secuestrar la autenticación de administradores por medio de vectores no especificados. • https://jvn.jp/en/jp/JVN80925867/index.html • CWE-352: Cross-Site Request Forgery (CSRF) •