36 matches found

Exploit DB
added 2026/06/05 12:00 a.m. · 52 views

WordPress Contest Gallery 28.1.4 - Unauthenticated Blind SQL Injection

Exploit Title: WordPress Contest Gallery 28.1.4 - Unauthenticated Blind SQL Injection Google Dork: N/A Date: 2026-06-02 Exploit Author: cardosource Vendor Homepage: https://contest-gallery.com/ Software Link: https://wordpress.org/plugins/contest-gallery/ Version: getrow without proper...

5.4 AI score
Exploits: 0

Packet Storm
added 2026/06/05 12:00 a.m. · 43 views

WordPress Contest Gallery 28.1.4 SQL Injection

WordPress Contest Gallery plugin versions 28.1.4 and below suffer from a remote SQL injection vulnerability. Exploit Title: WordPress Contest Gallery 28.1.4 - Unauthenticated Blind SQL Injection Tested on: Docker - PHP 8.2/Apache + MariaDB WordPress Environment CVE: 2026-3180 """ Description A...

7.5 CVSS · 5.7 AI score · 0.00739 EPSS
Exploits: 4

RedhatCVE
added 2026/03/04 1:56 a.m. · 5 views

CVE-2026-3180

The Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe plugin for WordPress is vulnerable to blind SQL Injection via the ‘cgLostPasswordEmail’ and the ‘cglmail’ parameter in all versions up to, and including, 28.1.4 due to insufficient escaping on the user supplied parameter...

7.5 CVSS · 6 AI score · 0.00739 EPSS
Exploits: 4 · References: 1

NVD
added 2026/03/02 6:16 p.m. · 7 views

CVE-2026-3180

The Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe plugin for WordPress is vulnerable to blind SQL Injection via the ‘cgLostPasswordEmail’ and the ‘cglmail’ parameter in all versions up to, and including, 28.1.4 due to insufficient escaping on the user supplied parameter...

7.5 CVSS · 0.00739 EPSS
Exploits: 4 · References: 6

EUVD
added 2026/03/02 5:23 p.m. · 5 views

EUVD-2026-9223

The Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe plugin for WordPress is vulnerable to blind SQL Injection via the ‘cgLostPasswordEmail’ and the ‘cglmail’ parameter in all versions up to, and including, 28.1.4 due to insufficient escaping on the user supplied parameter...

7.5 CVSS · 6 AI score · 0.00739 EPSS
Exploits: 4 · References: 6

Positive Technologies
added 2026/03/02 12:00 a.m. · 6 views

PT-2026-22660

Name of the Vulnerable Software and Affected Versions The Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe plugin for WordPress versions through 28.1.4 Description The software is susceptible to a blind SQL Injection issue due to inadequate escaping of user-supplied...

7.5 CVSS · 6 AI score · 0.00739 EPSS
Exploits: 4 · References: 13

EUVD
added 2025/10/07 12:30 a.m. · 2 views

EUVD-2004-1561

Malware in sbrugna...

7.5 CVSS · 6.4 AI score · 0.06765 EPSS
Exploits: 1 · References: 6

EUVD
added 2025/10/07 12:30 a.m. · 3 views

EUVD-2006-3382

Malware in sbrugna...

5 CVSS · 6.4 AI score · 0.01484 EPSS
Exploits: 1 · References: 5

EUVD
added 2025/10/07 12:30 a.m. · 2 views

EUVD-2008-0147

Malware in sbrugna...

4.3 CVSS · 6.4 AI score · 0.01065 EPSS
Exploits: 0 · References: 6

Cvelist
added 2025/10/02 2:11 p.m. · 3 views

CVE-2025-59742 Multiple vulnerabilities in AndSoft's e-TMS

SQL injection vulnerability in AndSoft's e-TMS v25.03. This vulnerability could allow an attacker to retrieve, create, update, and delete databases by sending a POST request. The relationship between parameter and assigned identifier is a 'USRMAIL' parameter in '/inc/login/TRACKREQUESTFRMSQL.ASP'...

9.3 CVSS · 0.00321 EPSS
Exploits: 0 · References: 1

OSV
added 2024/09/17 2:15 p.m. · 4 views

CVE-2024-47047

An issue was discovered in the powermail extension through 12.4.0 for TYPO3. It fails to validate the mail parameter of the createAction, resulting in Insecure Direct Object Reference (IDOR) in some configurations. An unauthenticated attacker can use this to display user-submitted data of all forms...

7.5 CVSS · 5.8 AI score · 0.00478 EPSS
Exploits: 0 · References: 1

Snyk
added 2024/09/17 1:55 p.m. · 2 views

Access Control Bypass

Overview Affected versions of this package are vulnerable to Access Control Bypass due to the improper validation of the mail parameter in the createAction process. An unauthenticated attacker can display user-submitted data of all forms persisted by the extension. Note This vulnerability can onl...

7.5 CVSS · 6.9 AI score · 0.00478 EPSS
Exploits: 0 · References: 2

CNNVD
added 2024/09/17 12:00 a.m. · 5 views

TYPO3 Security Vulnerability

TYPO3 is a free and open source content management system framework (CMS/CMF) from the Swiss TYPO3 Association. A security vulnerability exists in TYPO3 version 12.4.0 and earlier, which stems from an inability to validate the mail parameter of createAction, resulting in insecure direct object...

7.5 CVSS · 6.5 AI score · 0.00478 EPSS
Exploits: 0 · References: 3

Positive Technologies
added 2024/08/28 12:00 a.m. · 7 views

PT-2024-31490 · Typo3 · Powermail

Name of the Vulnerable Software and Affected Versions: powermail extension versions prior to 7.5.0 powermail extension versions prior to 8.5.0 powermail extension versions prior to 10.9.0 powermail extension versions prior to 12.4.0 Description: An issue was discovered in the powermail extension...

7.3 CVSS · 7.2 AI score · 0.00297 EPSS
Exploits: 0 · References: 13

Veracode
added 2023/05/17 7:36 a.m. · 20 views

Cross-Site Scripting (XSS)

thorsten/phpmyfaq is vulnerable to Cross-Site Scripting (XSS). The vulnerability exists in record.questions.php due to lack of sanitization of the user inputs of mail parameter which allows an attacker to inject and execute arbitrary JavaScript...

4.8 CVSS · 6.5 AI score · 0.0046 EPSS
Exploits: 1 · References: 5 · Affected Software: 1

CNNVD
added 2023/05/05 12:00 a.m. · 1 views

phpMyFAQ Cross-Site Scripting Vulnerability

phpMyFAQ is a multi-language, fully database-driven FAQ system from the individual developer Thorsten Rinne. A cross-site scripting vulnerability exists in versions prior to phpMyFAQ 3.1.13, which stems from a stored XSS vulnerability in PhpMyFaq where the mail parameter accepts unfiltered user...

8.2 CVSS · 6.2 AI score · 0.0046 EPSS
Exploits: 1 · References: 3

Huntr
added 2023/04/02 5:19 a.m. · 17 views

Multiple Stored XSS via mail parameter

Description In PhpMyFaq, while submitting a question, the mail parameter is accepting unsanitized user input which leads to Stored XSS vulnerability, executing on Admin Panel /admin/?action=question. Proof of Concept 1. Go to https://roy.demo.phpmyfaq.de/index.php?action=ask&categoryid=0 1. Fill ...

4.3 CVSS · 6.4 AI score · 0.0046 EPSS
Exploits: 1 · References: 1

CNNVD
added 2023/02/27 12:00 a.m. · 3 views

SourceCodester Doctor Appointment System SQL Injection Vulnerability

SourceCodester Doctor Appointment System is an application from SourceCodester USA. It provides an appointment scheduling feature. A SQL injection vulnerability exists in SourceCodester Doctors Appointment System version 1.0, which originates from an unknown function in the file /admin/edit-doc.p...

8.8 CVSS · 7 AI score · 0.007 EPSS
Exploits: 1 · References: 4

SUSE CVE
added 2023/02/15 6:16 a.m. · 2 views

SUSE CVE-2006-1015

Argument injection vulnerability in certain PHP 3.x, 4.x, and 5.x applications, when used with sendmail and when accepting remote input for the additionalparameters argument to the mail function, allows remote attackers to read and create arbitrary files via the sendmail -C and -X arguments. NOTE...

6.4 CVSS · 7.4 AI score · 0.11078 EPSS
Exploits: 0 · References: 4

OSV
added 2022/12/05 11:15 p.m. · 1 views

CVE-2022-45990

A cross-site scripting (XSS) vulnerability in the component /signupscript.php of Ecommerce-Website v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the eMail parameter...

6.1 CVSS · 5.9 AI score · 0.00463 EPSS
Exploits: 1 · References: 1