VULNERABILITY BRIEF · High Vulnerability

Unauthenticated Blind SQL Injection (CVE‑2026‑3180) in WordPress Contest Gallery Plugin Affects Sites Running ≤ 28.1.4

A blind SQL injection (CVE‑2026‑3180) was found in the Contest Gallery WordPress plugin versions ≤ 28.1.4, allowing unauthenticated attackers to query the site database. The flaw impacts any organization that relies on the plugin, raising immediate third‑party risk concerns.

LiveThreat™ Intelligence · June 05, 2026 · exploit-db.com

Severity: High · Type: Vulnerability · Confidence: High · Affected: 2 sector(s) · Actions: 4 recommended · Source: exploit-db.com


What Happened – A Boolean‑based blind SQL injection (SQLi) was discovered in the Contest Gallery WordPress plugin (versions ≤ 28.1.4). The flaw resides in the cgl_mail parameter: sanitize_email() does not strip a single quote from the local part of an email address (the quote is a legal local‑part character), so the sanitised value can still break out of the SQL string literal when it is concatenated into the $wpdb->get_row() call, allowing unauthenticated attackers to inject arbitrary SQL.

Why It Matters for TPRM

  • The vulnerability can be exploited without credentials, giving threat actors a low‑bar entry point into any site that uses the plugin.
  • Successful exploitation may lead to data extraction from the WordPress database (e.g., user accounts, site configuration, or uploaded content).
  • The plugin is widely adopted across agencies, SaaS portals, and e‑commerce sites, expanding the potential attack surface for third‑party risk programs.

Who Is Affected

  • Industries: Technology / SaaS, Media & Publishing, E‑commerce, Government portals, Education sites that run WordPress with the Contest Gallery plugin.
  • Vendor type: WordPress plugin / CMS add‑on (classified as OTHER in our taxonomy).

Recommended Actions

  • Inventory all WordPress installations and verify whether Contest Gallery ≤ 28.1.4 is present.
  • Immediately upgrade to the latest patched version (≥ 28.1.5) or remove the plugin if not required.
  • Apply Web Application Firewall (WAF) rules to block suspicious admin‑ajax.php requests containing SQL meta‑characters.
  • Conduct a database audit for anomalous queries or unexpected data changes.

Technical Notes

  • Attack vector: Unauthenticated HTTP POST to admin‑ajax.php with crafted cgl_mail value.
  • CVE: CVE‑2026‑3180 (Blind SQLi).
  • Exploitation: Boolean‑based blind technique; attacker can infer true/false responses to enumerate data.
  • Data at risk: WordPress tables (wp_contest_gallery_*), user‑generated content, potentially full site database.
  • Mitigation: Use prepared statements ($wpdb->prepare()), enforce stricter email sanitisation, and rotate any compromised credentials.
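
The sanitize_email()/$wpdb->get_row() pattern described above, as an added PHP illustration (not the plugin's code): the lookup written the vulnerable way beside the prepared‑statement form the mitigation note recommends. The function, action and table names are hypothetical.

```php
<?php
// Added illustration (not Contest Gallery's code): why sanitize_email() alone
// is not an SQL-injection defence, and the $wpdb->prepare() form that fixes it.
// Function, action and table names below are hypothetical.

// VULNERABLE PATTERN: sanitize_email() keeps every RFC 5322 local-part
// character, including the single quote, so the value is still unsafe to
// concatenate into SQL.
function cgl_lookup_entry_vulnerable( $raw_mail ) {
    global $wpdb;
    $mail  = sanitize_email( $raw_mail );               // "o'brien@example.com" survives intact
    $table = $wpdb->prefix . 'contest_gallery_entries'; // hypothetical table name
    // String interpolation: a quote inside $mail terminates the SQL literal.
    return $wpdb->get_row( "SELECT * FROM {$table} WHERE mail = '{$mail}'" );
}

// HARDENED PATTERN: the value is bound through a %s placeholder, so it is
// escaped regardless of which characters sanitize_email() lets through.
function cgl_lookup_entry_safe( $raw_mail ) {
    global $wpdb;
    $mail = sanitize_email( $raw_mail );
    if ( '' === $mail || ! is_email( $mail ) ) {
        return null; // reject anything that is not a well-formed address
    }
    $table = $wpdb->prefix . 'contest_gallery_entries'; // hypothetical table name
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$table} WHERE mail = %s", $mail )
    );
}

// Hypothetical admin-ajax.php wiring; the nopriv hook is what makes the
// endpoint reachable by unauthenticated callers, as the brief describes.
add_action( 'wp_ajax_nopriv_cgl_lookup', function () {
    $raw = isset( $_POST['cgl_mail'] ) ? wp_unslash( $_POST['cgl_mail'] ) : '';
    $row = cgl_lookup_entry_safe( $raw );
    wp_send_json( array( 'found' => null !== $row ) );
} );
```

Note that the table name is still interpolated: $wpdb->prepare() binds values, not identifiers, so the table prefix must come from trusted configuration, never from the request.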

Source: Exploit‑DB #52609

📰 Original Source
https://www.exploit-db.com/exploits/52609

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
