PatchSiren cyber security CVE debrief
CVE-2026-8912 contest-gallery CVE debrief
CVE-2026-8912 is a high-severity SQL injection issue in the Contest Gallery plugin for WordPress. The vulnerable path is the unauthenticated post_cg_gallery_form_upload AJAX action, where user-controlled form_input data can reach a database query without sufficient escaping or preparation. The issue is reachable with a public frontend nonce that is exposed in the source of public gallery pages, which lowers the barrier for exploitation and increases the likelihood of database disclosure on affected sites.
- Vendor: contest-gallery
- Product: Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-19
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-19
- Advisory updated: 2026-05-19
Who should care
WordPress site owners and administrators using the Contest Gallery plugin, managed WordPress hosting providers, application security teams, and incident responders should prioritize this issue. Any site running Contest Gallery versions up to and including 28.1.6 is in scope based on the supplied description.
Technical summary
According to the supplied record, the vulnerability exists in the Contest Gallery plugin's unauthenticated post_cg_gallery_form_upload AJAX action. In the cb branch of the included users-upload-check.php, the $f_input_id value derived from the form_input parameter is concatenated unquoted into a SELECT query against Field_Content, creating a CWE-89 SQL injection condition. The attack path is publicly reachable because the endpoint relies only on a frontend nonce (cg1l_action / cg_nonce) that is exposed in the source of public gallery pages. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, which matches a network-reachable, unauthenticated flaw whose impact is confidentiality only.
Defensive priority
High. The issue is network-reachable, requires no authentication, and is described as allowing sensitive database extraction. Sites exposing the plugin to the internet should treat this as urgent until a fixed release is confirmed and deployed.
Recommended defensive actions
- Inventory WordPress sites for the Contest Gallery plugin and confirm whether any instance is running version 28.1.6 or earlier.
- If a fixed version is available from the vendor, upgrade immediately; otherwise disable or remove the plugin until remediation is confirmed.
- Restrict exposure of affected WordPress instances where practical and monitor for unusual AJAX requests to post_cg_gallery_form_upload.
- Review web and application logs for suspicious activity involving form_input, cg_nonce, cg1l_action, or unexpected SQL-related errors.
- If compromise or database exposure is suspected, assess sensitive data exposure and rotate credentials or secrets as appropriate.
- Track the vendor advisory and official CVE/NVD records for any updated fixed-version information.
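As an added example for the log review recommended above (not plugin or vendor code), the following script flags post_cg_gallery_form_upload requests whose form_input is not a plain numeric id. It assumes the log records decoded request parameters (a WAF or application log; plain access logs usually omit POST bodies) and that a legitimate form_input is a decimal field id, since the advisory describes it being used as an id in a SELECT; the log lines are constructed.

```python
# Added example for this debrief (not plugin or vendor code). Assumes the log
# records decoded request parameters (WAF or application log; plain access
# logs usually omit POST bodies) and that a legitimate form_input is a plain
# decimal field id, since the advisory says it is used as an id in a SELECT.
import re
from urllib.parse import parse_qs, urlsplit

TARGET_ACTION = "post_cg_gallery_form_upload"
INT_RE = re.compile(r"^[0-9]+$")

# Constructed log lines: "<client-ip> <METHOD> <path?query>", form fields
# folded into the query string for readability. Not real traffic.
SAMPLE_LOG = """\
203.0.113.5 POST /wp-admin/admin-ajax.php?action=post_cg_gallery_form_upload&form_input=12&cg_nonce=abc123
203.0.113.9 POST /wp-admin/admin-ajax.php?action=post_cg_gallery_form_upload&form_input=12%27%20OR%201%3D1&cg_nonce=abc123
198.51.100.7 POST /wp-admin/admin-ajax.php?action=post_cg_gallery_form_upload&form_input=abc&cg_nonce=abc123
198.51.100.8 GET /wp-admin/admin-ajax.php?action=cg_other_action&form_input=abc
203.0.113.5 POST /wp-admin/admin-ajax.php?action=post_cg_gallery_form_upload&cg_nonce=abc123
"""

def parse_line(line):
    """Split one constructed log line into (client, method, path, params)."""
    client, method, target = line.split(" ", 2)
    url = urlsplit(target)
    params = {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    return client, method, url.path, params

def classify(path, params):
    """Return a review reason for a suspicious upload request, else None."""
    if not path.endswith("/admin-ajax.php") or params.get("action") != TARGET_ACTION:
        return None
    value = params.get("form_input")
    if value is None or INT_RE.match(value):
        return None  # absent, or a plain numeric id consistent with normal use
    return f"non-numeric form_input {value!r} sent to {TARGET_ACTION}"

def scan_log(text):
    """Return [(client, reason)] for every flagged request in the log text."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            client, _method, path, params = parse_line(line)
            reason = classify(path, params)
            if reason:
                findings.append((client, reason))
    return findings

if __name__ == "__main__":
    for client, reason in scan_log(SAMPLE_LOG):
        print(f"{client}: {reason}")
```

Hits from the constructed sample are the two non-numeric form_input values; requests to other actions or without form_input are ignored, so tune the integer assumption if your deployment legitimately sends other shapes.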
Evidence notes
The vulnerability description, CVSS score, and CWE classification are taken from the supplied NVD record for CVE-2026-8912. The affected code paths are supported by the WordPress plugin source references provided in the source item: ajax-functions-frontend.php, cg-general-frontend.php, and users-upload-check.php. The record published time is 2026-05-19T13:16:20.127Z, the modified time is 2026-05-19T14:38:39.660Z, and NVD lists vulnStatus as Deferred. No KEV listing was provided in the supplied corpus.
Official resources
Publicly disclosed in the CVE record on 2026-05-19. The supplied record was modified later the same day, and NVD marked the entry as Deferred. No KEV information was supplied.