CVE-2026-8912

WordPress · Contest Gallery Plugin

The Contest Gallery plugin for WordPress is vulnerable to SQL injection via the 'form_input' parameter.

Executive summary

An SQL injection vulnerability in the Contest Gallery plugin for WordPress allows unauthenticated attackers to execute arbitrary database queries and potentially compromise site data.

Vulnerability

The vulnerability is an SQL injection in the plugin's handling of the 'form_input' parameter: the user-supplied value is not properly sanitized before it reaches a database query. The flaw is exploitable by unauthenticated attackers, allowing them to manipulate database queries directly.

Business impact

Successful exploitation can result in unauthorized access to the WordPress database, potentially leading to data theft, modification, or administrative account takeover. With a CVSS score of 7.5, this vulnerability represents a high risk to the confidentiality and integrity of the entire web application.

Remediation

Immediate Action: Update the Contest Gallery plugin to the latest available version provided by the developer. If no patch is available, deactivate and remove the plugin immediately until a secure version is released.

Proactive Monitoring: Examine web server and database logs for suspicious SQL syntax, such as "UNION SELECT" or other common injection patterns, in requests directed at the plugin, particularly in the 'form_input' parameter.

Compensating Controls: Implement a Web Application Firewall (WAF) with rules configured to block common SQL injection patterns to provide virtual patching.
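The log review recommended above, as an added example for defenders; this is not code from the Contest Gallery plugin or its vendor. It scans access-log lines in the common Apache/nginx "combined" format, isolates the 'form_input' parameter named in this advisory, strips repeated URL encoding (probes are often double-encoded to slip past naive grep), and matches the decoded value against "UNION SELECT" and a few companion patterns. The endpoint path, action name and client addresses in the sample lines are constructed placeholders, since the advisory names only the parameter.

```python
# Scan access logs for SQL-injection probes in the 'form_input' parameter
# named in this advisory.  Added defender example, not plugin or vendor code.
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# The advisory names "UNION SELECT"; the rest are common companions.
# Assumption: tune for your traffic; "--" and "/*" in particular are noisy.
SQLI_PATTERNS = [
    re.compile(r"\bunion\b[\s/*]+(all[\s/*]+)?select\b", re.I),
    re.compile(r"\bor\b\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+", re.I),
    re.compile(r"\b(sleep|benchmark|extractvalue|updatexml)\s*\(", re.I),
    re.compile(r"(--|/\*)"),
]
# Apache/nginx "combined" log format; only the fields the scan needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def decode_param(value, rounds=3):
    """Undo up to `rounds` layers of URL encoding; probes are often double-encoded."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_line(line):
    """Return (client_ip, decoded form_input value, matched pattern) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line; skip rather than guess
    query = urlsplit(m.group("target")).query
    for raw in parse_qs(query, keep_blank_values=True).get("form_input", []):
        value = decode_param(raw)  # parse_qs already removed one layer
        for pat in SQLI_PATTERNS:
            if pat.search(value):
                return m.group("ip"), value, pat.pattern
    return None

def scan_log(lines):
    """Path is ignored on purpose: the advisory names the parameter, not the endpoint."""
    return [hit for hit in map(scan_line, lines) if hit]

# Constructed sample lines (RFC 5737 addresses; endpoint path and action are placeholders).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2026:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=example_action&form_input=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2026:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=example_action&form_input=1%20UNION%20SELECT%20user_login,user_pass%20FROM%20wp_users HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2026:10:02:11 +0000] "GET /?s=union+select+essay HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2026:10:03:40 +0000] "GET /wp-admin/admin-ajax.php?action=example_action&form_input=1%2527%2520OR%25201%253D1--%2520 HTTP/1.1" 500 0 "-" "curl/8.0"',
]
```

Only GET parameters appear in access logs; if the plugin accepts 'form_input' in a POST body, the same matching has to run on WAF or application request logs instead. The third sample line is deliberately not flagged: the pattern sits in an unrelated search parameter, so matching on the named parameter keeps the review focused on the plugin.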

Exploitation status

Public Exploit Available: false

Analyst recommendation

SQL injection is a critical vulnerability that can lead to total site compromise. Administrators should audit all active plugins and ensure that any component identified as vulnerable is updated or removed from the production environment immediately to mitigate exposure.