Threat Feed advisory (severity: high)

Contest Gallery WordPress Plugin SQL Injection Vulnerability (CVE-2026-8912)

The Contest Gallery plugin for WordPress is vulnerable to SQL Injection via the 'form_input' parameter in versions up to 28.1.6, allowing unauthenticated attackers to extract sensitive information from the database.

The Contest Gallery plugin for WordPress is susceptible to SQL Injection due to insufficient input sanitization of the ‘form_input’ parameter. The vulnerability affects versions up to and including 28.1.6. The flaw resides in the ‘post_cg_gallery_form_upload’ AJAX action, specifically in the ‘cb’ branch of the included users-upload-check.php file. There the ‘$f_input_id’ variable is concatenated, unquoted, into a SQL query (‘SELECT Field_Content FROM … WHERE id = $f_input_id’); because the value is spliced into the statement rather than validated as an integer or bound as a parameter, whatever the client supplies becomes part of the WHERE clause. The only gate in front of the query is a public frontend nonce (‘cg1l_action’ / ‘cg_nonce’) that is printed in the page source of the gallery page. Since any visitor can read that nonce, it does not restrict who may reach the query: an unauthenticated attacker who copies it into the request can inject arbitrary SQL and extract information from the database.
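The pattern described above, modelled in Python with sqlite3 as an added example (this is not the plugin's code): the vulnerable lookup concatenates the client-supplied id into the WHERE clause exactly as the advisory describes, and the hardened lookup validates the id as an integer and binds it as a parameter. The table name cg_form_fields, the second table, the row contents and the payload are constructed for the demonstration; only the column name Field_Content comes from the advisory.

```python
"""Model of the CVE-2026-8912 injection point (added example, not plugin code).

Assumptions: table cg_form_fields and the wp_users rows are constructed;
the vulnerable query shape mirrors the advisory's
'SELECT Field_Content FROM ... WHERE id = $f_input_id'.
"""
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory database: a form-field table and a users table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE cg_form_fields (id INTEGER PRIMARY KEY, Field_Content TEXT)")
    con.execute("INSERT INTO cg_form_fields VALUES (1, 'Your name'), (2, 'Your e-mail')")
    con.execute("CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT)")
    con.execute("INSERT INTO wp_users VALUES (1, 'admin', '$P$BconstructedHashValue')")
    return con


def vulnerable_lookup(con: sqlite3.Connection, f_input_id: str) -> list:
    """The advisory's pattern: the client value is concatenated, unquoted,
    into the WHERE clause, so it can extend the statement."""
    sql = f"SELECT Field_Content FROM cg_form_fields WHERE id = {f_input_id}"
    return [row[0] for row in con.execute(sql)]


def hardened_lookup(con: sqlite3.Connection, f_input_id: str) -> list:
    """Validate as a decimal integer, then bind as a parameter.
    The idiomatic WordPress equivalent is
    $wpdb->prepare('SELECT ... WHERE id = %d', $f_input_id)."""
    if not re.fullmatch(r"[0-9]+", f_input_id):
        raise ValueError("form_input must be a positive integer id")
    sql = "SELECT Field_Content FROM cg_form_fields WHERE id = ?"
    return [row[0] for row in con.execute(sql, (int(f_input_id),))]


# Constructed UNION-style payload: a non-existent id followed by a UNION that
# reads another table. SQLite concatenates with ||; MySQL would use CONCAT().
PAYLOAD = "0 UNION SELECT user_login || ':' || user_pass FROM wp_users"


def demo() -> dict:
    """Run both lookups with a benign id and with the payload."""
    con = build_db()
    result = {
        "benign_vulnerable": vulnerable_lookup(con, "1"),
        "injected_vulnerable": vulnerable_lookup(con, PAYLOAD),
        "benign_hardened": hardened_lookup(con, "1"),
    }
    try:
        hardened_lookup(con, PAYLOAD)
        result["injected_hardened"] = "executed"
    except ValueError:
        result["injected_hardened"] = "rejected"
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the vulnerable lookup the payload returns the constructed user row instead of a form field; the hardened lookup refuses it before any SQL runs. Quoting the value would not be enough on its own, because the column is numeric and the attacker never needs a quote character; the integer check plus parameter binding is what closes the hole.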

Attack Chain

  1. Attacker identifies a target WordPress site using Contest Gallery plugin version <= 28.1.6.
  2. Attacker retrieves the ‘cg1l_action’ / ‘cg_nonce’ value from the HTML source of a public gallery page on the target site.
  3. Attacker crafts a malicious HTTP POST request to the ‘wp-admin/admin-ajax.php’ endpoint, targeting the ‘post_cg_gallery_form_upload’ action.
  4. The request includes the ‘action’ parameter set to ‘post_cg_gallery_form_upload’ and the ‘form_input’ parameter containing a SQL injection payload.
  5. The server executes the crafted SQL query, which includes the attacker’s injected SQL code, without proper sanitization.
  6. The attacker leverages the SQL injection to extract sensitive data, such as user credentials, configuration details, or other confidential information from the WordPress database.
  7. The extracted data is returned to the attacker in the HTTP response.
  8. Attacker uses the extracted information for further malicious activities, such as unauthorized access, data exfiltration, or lateral movement within the network.

Impact

Successful exploitation of this SQL Injection vulnerability (CVE-2026-8912) allows unauthenticated attackers to directly query the WordPress database. This can lead to the exposure of sensitive data, including user credentials, API keys, and other confidential information stored in the database. The impact can range from data breaches and unauthorized access to complete compromise of the WordPress site and its associated data.

Recommendation

  • Update the Contest Gallery plugin for WordPress to a version later than 28.1.6, which patches CVE-2026-8912.
  • Deploy the Sigma rule Detect CVE-2026-8912 Exploitation — WordPress Contest Gallery SQLi to detect exploitation attempts based on specific URI patterns.
  • Monitor web server logs for POST requests to ‘wp-admin/admin-ajax.php’ carrying SQL syntax in the ‘form_input’ parameter, as covered by the Detect CVE-2026-8912 Exploitation — WordPress Contest Gallery SQLi Sigma rule. If the parameter is sent in the POST body rather than the query string, a default access log will not contain it; make sure the webserver log source feeding the rule records request bodies (for example via a WAF or request-body logging).
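The detection logic from the recommendations above, and the request shape from steps 3 and 4 of the attack chain, run over constructed log lines as an added example. This is not the platform's Sigma rule. The log format is an assumption: one JSON object per request with method, uri and the decoded POST body, which models a WAF or request-body log rather than a plain access log (which would not contain form_input at all). The SQL-syntax pattern set and the generic "nonce plus SQL syntax in any parameter" heuristic are my own choices, not the rules' contents.

```python
"""Detect CVE-2026-8912-style requests over constructed log lines (added example).

Assumed log format: JSON per request with "method", "uri" and decoded "body".
The regex and the generic heuristic are assumptions, not the platform's rules.
"""
import json
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# SQL syntax that should never appear in an integer field id (constructed set;
# tune to your own false-positive rate).
SQL_SYNTAX = re.compile(
    r"(\bunion\b\s+(all\s+)?select\b|\bor\b\s+\d+\s*=\s*\d+|\bsleep\s*\(|"
    r"\bbenchmark\s*\(|\bextractvalue\s*\(|\bupdatexml\s*\(|"
    r"\binformation_schema\b|--|/\*|#|;)",
    re.IGNORECASE,
)

VULN_ACTION = "post_cg_gallery_form_upload"  # the vulnerable AJAX action


def parse_request(line: str) -> dict:
    """Parse one JSON log line into method, path and merged query/body params."""
    rec = json.loads(line)
    parts = urlsplit(rec["uri"])
    params = parse_qs(parts.query, keep_blank_values=True)
    params.update(parse_qs(rec.get("body", ""), keep_blank_values=True))
    return {"method": rec["method"], "path": parts.path,
            "params": {k: v[0] for k, v in params.items()}}


def classify(line: str) -> Optional[str]:
    """Return 'cve-2026-8912' (high), 'wp-ajax-sqli' (medium) or None."""
    req = parse_request(line)
    if req["method"] != "POST" or not req["path"].endswith("/wp-admin/admin-ajax.php"):
        return None
    params = req["params"]
    # Specific rule: the vulnerable action with SQL syntax in form_input.
    if params.get("action") == VULN_ACTION and SQL_SYNTAX.search(params.get("form_input", "")):
        return "cve-2026-8912"
    # Generic rule (assumed shape): a nonce-carrying AJAX request with SQL
    # syntax in any parameter, regardless of the plugin action.
    if any(k.endswith("nonce") for k in params) and any(SQL_SYNTAX.search(v) for v in params.values()):
        return "wp-ajax-sqli"
    return None


# Constructed log lines, not real traffic. Nonce values are placeholders.
SAMPLE_LOG = [
    json.dumps({"method": "POST", "uri": "/wp-admin/admin-ajax.php",
                "body": "action=post_cg_gallery_form_upload&cg_nonce=0123abcd&form_input=2"}),
    json.dumps({"method": "POST", "uri": "/wp-admin/admin-ajax.php",
                "body": "action=post_cg_gallery_form_upload&cg_nonce=0123abcd"
                        "&form_input=0+UNION+SELECT+user_pass+FROM+wp_users--+-"}),
    json.dumps({"method": "POST", "uri": "/wp-admin/admin-ajax.php",
                "body": "action=other_plugin_search&my_nonce=deadbeef&q=1%27+OR+1%3D1--"}),
    json.dumps({"method": "GET", "uri": "/wp-admin/admin-ajax.php?action=heartbeat"}),
]


def run(lines: List[str]) -> List[Optional[str]]:
    """Classify every line; None means no alert."""
    return [classify(line) for line in lines]


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LOG, run(SAMPLE_LOG)):
        print(verdict, line)
```

The first line is a legitimate upload check and stays quiet, the second matches the specific rule, the third trips only the generic one, and the GET heartbeat is ignored. Because parse_qs decodes percent-encoding and plus signs before matching, the pattern does not need to anticipate URL-encoded variants of the payload.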

Detection coverage (2 rules)

Detect CVE-2026-8912 Exploitation — WordPress Contest Gallery SQLi

high

Detects CVE-2026-8912 exploitation — attempts to exploit SQL injection in the WordPress Contest Gallery plugin by detecting suspicious POST requests to wp-admin/admin-ajax.php with SQL syntax in the form_input parameter.

Sigma rule. Tactic: initial_access. Technique: T1190. Log source: webserver.

Detect WordPress AJAX SQLi via Public Nonce

medium

Detects generic WordPress AJAX SQL Injection attempts using a publicly accessible nonce, indicating a potential exploit of vulnerabilities like CVE-2026-8912.

Sigma rule. Tactic: initial_access. Technique: T1190. Log source: webserver.
