CVE-2022-4166

Published: Dec 26, 2022Modified: Apr 12, 2025

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the addCountS POST parameter before concatenating it to an SQL query in 4_activate.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database.

Affected (2)

Products: Contest Gallery: Contest Gallery

Contest Gallery

1 product

Contest Gallery

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Contest Gallery Contest Gallery	Before 19.1.5.1
Contest Gallery Contest Gallery	Before 19.1.5.1

References (4)

https://bulletin.iese.de/post/contest-gallery_19-1-4-1_12

Source: contact@wpscan.com

ExploitThird Party Advisory

https://wpscan.com/vulnerability/6e7de2bb-5f71-4c27-ae79-4f6b2ba7f86f

Source: contact@wpscan.com

ExploitThird Party Advisory

https://bulletin.iese.de/post/contest-gallery_19-1-4-1_12

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://wpscan.com/vulnerability/6e7de2bb-5f71-4c27-ae79-4f6b2ba7f86f

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.