
[webapps] WordPress Contest Gallery 28.1.4 - Unauthenticated Blind SQL Injection

Exploit-DB, 05/06/2026, 00:00

Summary

AI-Generated

Key Points:

  • Unauthenticated Blind SQL Injection Vulnerability: A critical vulnerability (CVE-2026-3180) exists in WordPress Contest Gallery version 28.1.4 and earlier, allowing unauthenticated attackers to exploit the cgl_maili parameter for SQL injection.
  • Impact Assessment: This vulnerability enables attackers to execute arbitrary SQL queries, potentially leading to unauthorized data access or manipulation in WordPress installations using the affected plugin.
  • Recommended Actions: Update to the latest version of Contest Gallery that addresses this vulnerability. Implement input validation and parameterized queries to mitigate SQL injection risks.

Technical Details: The vulnerability arises from improper sanitization of user input in the cgl_maili parameter, which is reachable without authentication and allows attackers to perform boolean-based blind SQL injection using crafted payloads.
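To make the mechanism concrete, the following Python example is added here; it is not code from the Contest Gallery plugin or from Exploit-DB, and the table name, column names and log lines are constructed for illustration. It contrasts a lookup that concatenates the request parameter into SQL with a parameterized lookup, shows why a boolean-based blind condition yields a different answer only in the vulnerable form, and finishes with a small access-log check that flags requests whose cgl_maili value carries SQL metacharacters, which is the kind of detection a site operator would want while waiting to patch.

```python
import re
import sqlite3
from urllib.parse import urlsplit, parse_qs

# Constructed in-memory stand-in for a plugin table; not the real plugin schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE gallery_users (id INTEGER PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO gallery_users (email) VALUES (?)",
        [("alice@example.test",), ("bob@example.test",)],
    )
    return conn


def lookup_vulnerable(conn, email):
    # Hypothetical vulnerable pattern: the request value is spliced into the SQL
    # text, so quotes in the value change the structure of the query.
    sql = "SELECT COUNT(*) FROM gallery_users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchone()[0] > 0


def lookup_safe(conn, email):
    # Hardened form: the value travels as a bound parameter and is only ever
    # compared as data, whatever characters it contains.
    sql = "SELECT COUNT(*) FROM gallery_users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchone()[0] > 0


def boolean_blind_difference(conn, lookup):
    # A boolean-based blind condition is detectable when a true condition and a
    # false condition produce different answers for an otherwise unknown value.
    true_condition = "x' OR '1'='1"
    false_condition = "x' AND '1'='2"
    return lookup(conn, true_condition) != lookup(conn, false_condition)


# Detection side: flag requests whose cgl_maili value looks like SQL, not an address.
_SQL_META = re.compile(r"""['"]|--|/\*|\b(?:or|and)\b\s*['"\d]""", re.IGNORECASE)
_REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
PARAM = "cgl_maili"


def is_sqli_like(value):
    return bool(_SQL_META.search(value))


def flag_suspicious_requests(lines):
    """Return (client_ip, decoded_value) for each log line whose cgl_maili
    parameter contains SQL metacharacters. Lines are in combined log format."""
    flagged = []
    for line in lines:
        m = _REQUEST.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for value in parse_qs(query).get(PARAM, []):
            if is_sqli_like(value):
                flagged.append((line.split(" ", 1)[0], value))
    return flagged


# Constructed sample access-log lines (not real traffic).
LOG_LINES = [
    '203.0.113.5 - - [06/May/2026:10:00:01 +0000] "GET /?cgl_maili=alice%40example.test HTTP/1.1" 200 512',
    '203.0.113.9 - - [06/May/2026:10:00:02 +0000] "GET /?cgl_maili=x%27+OR+%271%27%3D%271 HTTP/1.1" 200 512',
    '203.0.113.9 - - [06/May/2026:10:00:03 +0000] "GET /?cgl_maili=x%27+AND+%271%27%3D%272 HTTP/1.1" 200 498',
]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup leaks a boolean:", boolean_blind_difference(db, lookup_vulnerable))
    print("parameterized lookup leaks a boolean:", boolean_blind_difference(db, lookup_safe))
    for ip, value in flag_suspicious_requests(LOG_LINES):
        print(f"suspicious {PARAM} value from {ip}: {value!r}")
```

The vulnerable lookup answers differently to the true and false conditions, which is exactly the side channel a blind injection relies on, while the parameterized lookup answers the same (false) to both because neither string is a stored address. The log check is deliberately narrow: it only inspects the one parameter named in the advisory, so a legitimate address such as alice@example.test is not flagged.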

MITRE ATT&CK Techniques:

  • T1190 - Exploit Public-Facing Application (Initial Access)
  • T1060 - Registry Run Keys / Startup Folder (Persistence)

IOCs Mentioned: None mentioned.
