7.5

Contest Gallery plugin for WordPress exposes sensitive data

CVE-2026-3180
Summary

The Contest Gallery plugin for WordPress is vulnerable to blind SQL injection through its `cgLostPasswordEmail` and `cgl_mail` parameters. An unauthenticated attacker could use this to extract sensitive information from the site's database, including confidential information about your website and users. To stay safe, update the Contest Gallery plugin to version 28.1.5 or later.

Original title
The Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe plugin for WordPress is vulnerable to blind SQL Injection via the ‘cgLostPasswordEmail’ and the ‘cgl_mail’ parameter in ...
Original description
The Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe plugin for WordPress is vulnerable to blind SQL Injection via the ‘cgLostPasswordEmail’ and the ‘cgl_mail’ parameter in all versions up to, and including, 28.1.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The vulnerability's ‘cgLostPasswordEmail’ parameter was patched in version 28.1.4, and the ‘cgl_mail’ parameter was patched in version 28.1.5.
nvd CVSS3.1 7.5
Vulnerability type
CWE-89 SQL Injection
Published: 2 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026
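
As an added example (not code from the Contest Gallery plugin or from this advisory), the Python below screens URL-encoded form bodies for the two parameters named in the description and flags any value that is not a plain e-mail address, the kind of request filter that can sit in front of a site until the plugin is updated. The function name, the allowlist pattern and the sample bodies are assumptions constructed for illustration; the advisory does not say which request carries these parameters.

```python
import re
from urllib.parse import parse_qs

# Parameter names are taken from the advisory; everything else is assumed.
WATCHED_PARAMS = ("cgLostPasswordEmail", "cgl_mail")

# Conservative allowlist for an e-mail address: no quotes, whitespace or
# parentheses, so a value that passes cannot close a quoted SQL string.
EMAIL_RE = re.compile(r"[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")
MAX_EMAIL_LEN = 254


def screen_form_body(body):
    """Return (param, decoded_value, reason) for each watched value
    in a URL-encoded form body that is not a plain e-mail address."""
    findings = []
    fields = parse_qs(body)  # decodes %XX and '+'; keeps repeated parameters
    for name in WATCHED_PARAMS:
        for value in fields.get(name, []):
            if len(value) > MAX_EMAIL_LEN:
                findings.append((name, value, "too long"))
            elif not EMAIL_RE.fullmatch(value):
                findings.append((name, value, "not an e-mail address"))
    return findings


# Constructed sample request bodies (not captured traffic).
SAMPLE_BODIES = [
    "cgLostPasswordEmail=alice%40example.com",
    "cgl_mail=bob%40example.com%27+--",
    "other=1&cgl_mail=carol%40example.org&cgl_mail=x%22%29",
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        for param, value, reason in screen_form_body(body):
            print(f"BLOCK {param}={value!r}: {reason}")
```

A filter like this only narrows exposure; the fix stated above is still to run version 28.1.5 or later.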