{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-8912/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-8912"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Contest Gallery plugin for WordPress"],"_cs_severities":["high"],"_cs_tags":["sql injection","cve-2026-8912","wordpress","plugin vulnerability"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Contest Gallery plugin for WordPress is susceptible to SQL Injection attacks due to insufficient input sanitization of the \u0026lsquo;form_input\u0026rsquo; parameter. This vulnerability affects versions up to and including 28.1.6. The flaw resides within the \u0026lsquo;post_cg_gallery_form_upload\u0026rsquo; AJAX action, specifically in the \u0026lsquo;cb\u0026rsquo; branch of the included users-upload-check.php file. The \u0026lsquo;$f_input_id\u0026rsquo; variable is concatenated without proper quoting into a SQL query (\u0026lsquo;SELECT Field_Content FROM \u0026hellip; WHERE id = $f_input_id\u0026rsquo;), creating an injection point. The only protection is a public frontend nonce (\u0026lsquo;cg1l_action\u0026rsquo; / \u0026lsquo;cg_nonce\u0026rsquo;) exposed in the page source, which an attacker can easily obtain, bypass and then inject arbitrary SQL queries to extract database information.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a target WordPress site using Contest Gallery plugin version \u0026lt;= 28.1.6.\u003c/li\u003e\n\u003cli\u003eAttacker retrieves the \u0026lsquo;cg1l_action\u0026rsquo; / \u0026lsquo;cg_nonce\u0026rsquo; value from the HTML source of a public gallery page on the target site.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP POST request to the \u0026lsquo;wp-admin/admin-ajax.php\u0026rsquo; endpoint, targeting the \u0026lsquo;post_cg_gallery_form_upload\u0026rsquo; action.\u003c/li\u003e\n\u003cli\u003eThe request includes the \u0026lsquo;action\u0026rsquo; parameter set to \u0026lsquo;post_cg_gallery_form_upload\u0026rsquo; and the \u0026lsquo;form_input\u0026rsquo; parameter containing a SQL injection payload.\u003c/li\u003e\n\u003cli\u003eThe server executes the crafted SQL query, which includes the attacker\u0026rsquo;s injected SQL code, without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the SQL injection to extract sensitive data, such as user credentials, configuration details, or other confidential information from the WordPress database.\u003c/li\u003e\n\u003cli\u003eThe extracted data is returned to the attacker in the HTTP response.\u003c/li\u003e\n\u003cli\u003eAttacker uses the extracted information for further malicious activities, such as unauthorized access, data exfiltration, or lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL Injection vulnerability (CVE-2026-8912) allows unauthenticated attackers to directly query the WordPress database. This can lead to the exposure of sensitive data, including user credentials, API keys, and other confidential information stored in the database. The impact can range from data breaches and unauthorized access to complete compromise of the WordPress site and its associated data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available updates for the Contest Gallery plugin for WordPress to version greater than 28.1.6 to patch CVE-2026-8912.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect CVE-2026-8912 Exploitation — WordPress Contest Gallery SQLi\u003c/code\u003e to detect exploitation attempts based on specific URI patterns.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u0026lsquo;wp-admin/admin-ajax.php\u0026rsquo; with SQL injection attempts in the \u0026lsquo;form_input\u0026rsquo; parameter as covered by the \u003ccode\u003eDetect CVE-2026-8912 Exploitation — WordPress Contest Gallery SQLi\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T13:17:50Z","date_published":"2026-05-19T13:17:50Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-8912-sqli/","summary":"The Contest Gallery plugin for WordPress is vulnerable to SQL Injection via the 'form_input' parameter in versions up to 28.1.6, allowing unauthenticated attackers to extract sensitive information from the database.","title":"Contest Gallery WordPress Plugin SQL Injection Vulnerability (CVE-2026-8912)","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-8912-sqli/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-8912","version":"https://jsonfeed.org/version/1.1"}