CVE-2026-12165: Contest Gallery Plugin Privilege Escalation

CVE-2026-12165 is a privilege escalation vulnerability in the Contest Gallery WordPress plugin that allows attackers to gain administrator access. This article covers technical details, affected versions, impact, and mitigation.

CVE-2026-12165 Overview

CVE-2026-12165 is a privilege escalation vulnerability [CWE-269] in the Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe plugin for WordPress. The flaw affects all versions up to and including 30.0.2. Authenticated attackers with author-level access can overwrite the plugin's RegistryUserRole option with administrator. When a new Google sign-in account is created through cg_create_wp_user_from_google_user, the stored role value is passed directly to wp_update_user(), promoting the new account to Administrator.

Critical Impact

Authenticated attackers with author-level privileges can promote attacker-controlled Google sign-in accounts to Administrator, leading to full WordPress site takeover.

Affected Products

  • Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe plugin for WordPress
  • All versions up to and including 30.0.2
  • WordPress sites with Google sign-in enabled through the plugin

Discovery Timeline

  • 2026-06-17 - CVE-2026-12165 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-12165

Vulnerability Analysis

The vulnerability resides in the plugin's option-saving handler in change-options-and-sizes.php. The plugin registers its admin menu at the edit_posts capability level, granting Contributor-level users access to plugin admin pages and a valid cg_admin nonce. The option-saving handler performs only check_admin_referer('cg_admin') and omits any current_user_can() capability check.

The RegistryUserRole parameter is processed through sanitize_text_field() and htmlentities() without validation against an allowlist of permitted role names. An authenticated attacker with author-level access can submit a request that overwrites the stored RegistryUserRole value with administrator.

Later, the cg_create_wp_user_from_google_user function reads the role value back from the contest_gal1ery_registry_and_login_options database table and passes it directly to wp_update_user(). The next Google sign-in registration then yields an Administrator account under attacker control.

Root Cause

The root cause combines a missing authorization check with absent input validation. The handler relies solely on nonce verification while granting menu access at edit_posts, and the role string is never restricted to an allowlist before being persisted and applied to a new user.
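To make the two root-cause conditions concrete, the following is an added illustration written for this page, not the plugin's code: a nonce-only option handler of the shape described above, beside a hardened version that adds the missing capability check and a role allowlist. The function names, the `cg_registry_user_role` option key and the use of `update_option()` are assumptions (the real plugin stores the value in its own table); the WordPress APIs used are standard ones.

```php
<?php
// Added illustration (not the plugin's code). Function and option names are
// assumptions; the plugin itself stores the role in its own database table.

// Vulnerable pattern: a nonce only proves the request came from a plugin admin
// page. Because the menu is registered at edit_posts, any Contributor can
// obtain that nonce, and the role string is stored without an allowlist check.
function cg_save_options_vulnerable() {
    check_admin_referer( 'cg_admin' );                                   // CSRF check only, no authorization
    $role = htmlentities( sanitize_text_field( $_POST['RegistryUserRole'] ?? '' ) );
    update_option( 'cg_registry_user_role', $role );                     // 'administrator' is accepted as-is
}

// Hardened pattern: request origin (nonce) and authorization (capability) are
// separate questions, and the stored role must be one a sign-in flow is
// allowed to hand to a brand-new account.
function cg_save_options_hardened() {
    check_admin_referer( 'cg_admin' );

    // 1. Capability check: only users who may manage site options get here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. Allowlist of roles permitted for self-registration (administrator and
    //    editor deliberately excluded).
    $allowed_roles = array( 'subscriber', 'contributor', 'author' );

    $role = sanitize_key( wp_unslash( $_POST['RegistryUserRole'] ?? '' ) );
    if ( ! in_array( $role, $allowed_roles, true ) ) {
        wp_die( 'Invalid registration role.', '', array( 'response' => 400 ) );
    }

    // 3. Defense in depth: refuse any role that carries manage_options, even if
    //    the allowlist above is later edited carelessly.
    $role_obj = get_role( $role );
    if ( ! $role_obj || $role_obj->has_cap( 'manage_options' ) ) {
        wp_die( 'Privileged roles may not be used for self-registration.', '', array( 'response' => 400 ) );
    }

    update_option( 'cg_registry_user_role', $role );
}

// Assumed consumer of the stored value, mirroring the wp_update_user() step
// described above. Re-validating at the point of use means that a tampered
// option row can never produce an Administrator account.
function cg_assign_registration_role( $user_id ) {
    $role     = get_option( 'cg_registry_user_role', 'subscriber' );
    $role_obj = get_role( $role );
    if ( ! $role_obj || $role_obj->has_cap( 'manage_options' ) ) {
        $role = 'subscriber'; // fall back to least privilege
    }
    wp_update_user( array( 'ID' => $user_id, 'role' => $role ) );
}
```

The point of the third function is that validating on write alone is not enough: the stored value lives in a database row that other code paths or a direct database edit can change, so the code that applies a role to a new user should treat the stored string as untrusted input as well.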

Attack Vector

Exploitation requires an authenticated account with at least author-level privileges. The attacker submits a crafted POST request to the plugin's option-saving endpoint with RegistryUserRole=administrator. After the option is persisted, any subsequent Google sign-in registration creates a WordPress Administrator account.

The vulnerability mechanism is described in prose only — see the Wordfence Vulnerability Report and WordPress Plugin Admin Options Code for line-level references.

Detection Methods for CVE-2026-12165

Indicators of Compromise

  • Unexpected administrator value stored in the RegistryUserRole field of the contest_gal1ery_registry_and_login_options database table.
  • New WordPress users created through Google sign-in that hold the administrator role without prior approval.
  • Author or Contributor accounts issuing POST requests to plugin admin endpoints handled by change-options-and-sizes.php.

Detection Strategies

  • Audit the wp_usermeta table for accounts whose wp_capabilities was elevated to administrator shortly after a Google OAuth callback request in access logs.
  • Inspect web server logs for POST requests to plugin admin pages originating from non-administrator session cookies.
  • Compare the current RegistryUserRole value against the expected default (subscriber or similar) on a recurring schedule.
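As an added example (not part of this advisory), the stand-alone PHP script below applies the three detection strategies above to constructed sample data. The stored role value, the user rows, the access-log lines and the role lookup table are all made up for illustration; the plugin admin URL and the Google callback path are placeholders, and the script assumes a custom log format that appends the login name from the `wordpress_logged_in_*` cookie as the last field of each line. In a real deployment these inputs would come from the plugin's options table, a query against wp_users/wp_usermeta, and the web server log.

```php
<?php
// Added example for this page; all data below is constructed for illustration.

// Input 1: the stored registration role (expected default: subscriber).
$registry_user_role = 'administrator';

// Input 2: users joined with their wp_capabilities meta (constructed rows).
$users = array(
    array( 'login' => 'site-owner', 'role' => 'administrator', 'registered' => '2026-06-17 08:00:00' ),
    array( 'login' => 'photo-fan',  'role' => 'subscriber',    'registered' => '2026-06-17 09:15:00' ),
    array( 'login' => 'g-user-7',   'role' => 'administrator', 'registered' => '2026-06-17 10:02:41' ),
);

// Input 3: constructed access-log lines (Apache combined format plus a trailing
// login field taken from the wordpress_logged_in_* cookie; '-' = no session).
// The plugin admin page and the Google callback path are placeholders.
$access_log = array(
    '203.0.113.5 - - [17/Jun/2026:09:58:12 +0000] "POST /wp-admin/admin.php?page=PLUGIN-ADMIN-PAGE HTTP/1.1" 302 0 "-" "Mozilla/5.0" cg-author',
    '203.0.113.5 - - [17/Jun/2026:10:02:30 +0000] "GET /?GOOGLE-CALLBACK-PATH&code=REDACTED HTTP/1.1" 302 0 "-" "Mozilla/5.0" -',
    '198.51.100.9 - - [17/Jun/2026:10:30:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0" site-owner',
);

// Roles of known accounts (constructed), used to classify the session cookie.
$roles_by_login = array( 'site-owner' => 'administrator', 'cg-author' => 'author', 'photo-fan' => 'subscriber' );

const LOG_PATTERN = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" \d+ \S+ "[^"]*" "[^"]*" (\S+)$/';

function parse_log_line( $line ) {
    if ( ! preg_match( LOG_PATTERN, $line, $m ) ) {
        return null;
    }
    return array(
        'ip'     => $m[1],
        'time'   => DateTime::createFromFormat( 'd/M/Y:H:i:s O', $m[2] ),
        'method' => $m[3],
        'path'   => $m[4],
        'login'  => ( $m[5] === '-' ) ? null : $m[5],
    );
}

$findings = array();

// Strategy 1: the stored role drifted away from the expected non-privileged default.
if ( $registry_user_role !== 'subscriber' ) {
    $findings[] = "RegistryUserRole is '$registry_user_role', expected 'subscriber'";
}

// Strategy 2: POST to the plugin admin page by a session that is not an administrator.
$google_callbacks = array();
foreach ( $access_log as $line ) {
    $req = parse_log_line( $line );
    if ( ! $req ) {
        continue;
    }
    $is_plugin_admin = strpos( $req['path'], '/wp-admin/' ) === 0 && strpos( $req['path'], 'PLUGIN-ADMIN-PAGE' ) !== false;
    if ( $req['method'] === 'POST' && $is_plugin_admin ) {
        $who  = $req['login'] ?? '(no session)';
        $role = $req['login'] ? ( $roles_by_login[ $req['login'] ] ?? 'unknown' ) : 'anonymous';
        if ( $role !== 'administrator' ) {
            $when       = $req['time']->format( DATE_ATOM );
            $findings[] = "POST to {$req['path']} by '$who' ($role) at $when";
        }
    }
    if ( strpos( $req['path'], 'GOOGLE-CALLBACK-PATH' ) !== false ) {
        $google_callbacks[] = $req['time'];
    }
}

// Strategy 3: administrator accounts registered within 5 minutes after a Google callback.
foreach ( $users as $u ) {
    if ( $u['role'] !== 'administrator' ) {
        continue;
    }
    $registered = new DateTime( $u['registered'], new DateTimeZone( 'UTC' ) );
    foreach ( $google_callbacks as $cb ) {
        $delta = $registered->getTimestamp() - $cb->getTimestamp();
        if ( $delta >= 0 && $delta <= 300 ) {
            $cb_when    = $cb->format( DATE_ATOM );
            $findings[] = "admin '{$u['login']}' registered {$delta}s after Google callback at $cb_when";
        }
    }
}

foreach ( $findings as $f ) {
    echo "[ALERT] $f\n";
}
```

Run with `php detect.php`; on the constructed data it reports the drifted option value, the Author-session POST to the plugin admin page, and the `g-user-7` administrator account created 11 seconds after the Google callback. The five-minute window and the placeholder paths should be adjusted to the site's real plugin URL and sign-in flow.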

Monitoring Recommendations

  • Alert on any modification to the contest_gal1ery_registry_and_login_options option row.
  • Monitor for wp_update_user() calls that change a user's role to administrator outside of normal admin workflows.
  • Track creation of new administrator accounts and correlate with Google sign-in events.

How to Mitigate CVE-2026-12165

Immediate Actions Required

  • Update the Contest Gallery plugin to a version newer than 30.0.2 once a patched release is available.
  • Review all WordPress administrator accounts and remove any created through Google sign-in that cannot be verified.
  • Reset credentials for any Author or Contributor accounts suspected of abuse and rotate plugin secrets.
  • Inspect the RegistryUserRole option value and restore it to a non-privileged role such as subscriber.

Patch Information

Refer to the WordPress Plugin Changeset and the Wordfence Vulnerability Report for vendor remediation details. Apply the fixed plugin release as soon as it is published.

Workarounds

  • Disable the Contest Gallery plugin until a patched version is installed.
  • Disable the Google sign-in registration feature within the plugin to prevent the privileged user-creation path from executing.
  • Restrict Author and Contributor account creation and require manual approval for new WordPress users.
  • Place WordPress admin endpoints behind a web application firewall rule that blocks requests carrying RegistryUserRole=administrator.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
