CVE-2026-8912
WordPress · Contest Gallery Plugin
The Contest Gallery plugin for WordPress is vulnerable to SQL injection via the 'form_input' parameter.
Executive summary
An SQL injection vulnerability in the Contest Gallery plugin for WordPress allows unauthenticated attackers to execute arbitrary database queries and potentially compromise site data.
Vulnerability
The vulnerability is an SQL injection in the handling of the 'form_input' parameter: the plugin fails to properly sanitize this user-supplied value before it reaches a database query. The flaw is exploitable by unauthenticated attackers, allowing them to manipulate database queries directly.
Business impact
Successful exploitation can result in unauthorized access to the WordPress database, potentially leading to data theft, modification, or administrative account takeover. With a CVSS score of 7.5, this vulnerability represents a high risk to the confidentiality and integrity of the entire web application.
Remediation
Immediate Action: Update the Contest Gallery plugin to the latest available version provided by the developer. If no patch is available, deactivate and remove the plugin immediately until a secure version is released.
Proactive Monitoring: Examine server and database logs for suspicious SQL syntax, such as "UNION SELECT" or other common injection patterns, directed toward the plugin.
Compensating Controls: Implement a Web Application Firewall (WAF) with rules configured to block common SQL injection patterns to provide virtual patching.
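Added example, not code from the advisory or from the plugin: one way to carry out the log review described under Proactive Monitoring. The script parses constructed combined-format access-log lines, URL-decodes the 'form_input' parameter and flags the common injection patterns named above; the admin-ajax action value is a placeholder, since the advisory does not name the plugin's endpoint.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format), not real traffic.
# The action value is a placeholder: the advisory names only the 'form_input'
# parameter, not the plugin's endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2026:12:01:07 +0000] "GET /wp-admin/admin-ajax.php?action=PLACEHOLDER&form_input=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2026:12:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=PLACEHOLDER&form_input=1%27%20UNION%20SELECT%201%2C2-- HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.9 - - [10/May/2026:12:01:11 +0000] "GET /wp-admin/admin-ajax.php?action=PLACEHOLDER&form_input=1%27%20AND%20SLEEP%285%29-- HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.2 - - [10/May/2026:12:02:00 +0000] "GET /?s=union+select HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Indicators of the "common injection patterns" the advisory refers to; each
# parameter value is percent-decoded and lower-cased before matching.
SQLI_PATTERNS = [
    ("union-select", re.compile(r"union\s+(all\s+)?select")),
    ("comment-terminator", re.compile(r"(--|#|/\*)")),
    ("tautology", re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+")),
    ("time-based", re.compile(r"\b(sleep|benchmark)\s*\(")),
]

def scan_line(line):
    """Return (ip, timestamp, indicator, value) hits for one log line,
    looking only at the 'form_input' parameter of the request target."""
    m = LOG_RE.match(line)
    if not m:
        return []
    # parse_qs splits on '&' and percent-decodes every value.
    params = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    hits = []
    for value in params.get("form_input", []):
        lowered = value.lower()
        for name, pattern in SQLI_PATTERNS:
            if pattern.search(lowered):
                hits.append((m.group("ip"), m.group("ts"), name, value))
    return hits

def scan_log(text):
    """Scan every line of an access log; returns all hits in log order."""
    return [h for line in text.splitlines() if line.strip() for h in scan_line(line)]

if __name__ == "__main__":
    for ip, ts, indicator, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} form_input={value!r} -> {indicator}")
```

The fourth sample line carries "union select" in the site-search parameter rather than in 'form_input', so it is deliberately not flagged; widen the parameter check if you also want generic hits.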
Exploitation status
Public Exploit Available: false
Analyst recommendation
SQL injection is a critical vulnerability that can lead to total site compromise. Administrators should audit all active plugins and ensure that any component identified as vulnerable is updated or removed from the production environment immediately to mitigate exposure.