CVE-2026-8912 Overview
CVE-2026-8912 is an unauthenticated SQL Injection vulnerability in the Contest Gallery plugin for WordPress, affecting all versions up to and including 28.1.6. The flaw resides in the post_cg_gallery_form_upload AJAX action, where the form_input parameter is concatenated unquoted into a SQL query inside users-upload-check.php. The endpoint is protected only by a frontend nonce (cg1l_action / cg_nonce) that is publicly exposed in the page source of any gallery page. Attackers can append additional SQL statements to existing queries and extract sensitive data from the WordPress database without authentication.
Critical Impact
Unauthenticated attackers can extract sensitive database contents, including user credentials and session data, by injecting SQL through a publicly reachable AJAX endpoint.
Affected Products
- WordPress Contest Gallery plugin versions up to and including 28.1.6
- Affected file: v10/v10-frontend/user_upload/users-upload-check.php
- Affected handler: post_cg_gallery_form_upload AJAX action
Discovery Timeline
- 2026-05-19 - CVE-2026-8912 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-8912
Vulnerability Analysis
The vulnerability is a classic SQL Injection issue (CWE-89) in the Contest Gallery plugin. The unauthenticated AJAX action post_cg_gallery_form_upload routes execution into users-upload-check.php. Within the cb branch, the variable $f_input_id, derived from the user-supplied form_input parameter, is concatenated directly into a SELECT Field_Content FROM ... WHERE id = $f_input_id query. No prepared statement, parameter binding, or type casting is applied before the value reaches the database driver.
The endpoint enforces only a public frontend nonce check using cg1l_action / cg_nonce. Because WordPress nonces are rendered into the HTML of any public gallery page, an attacker can scrape a valid nonce and pass this check without authentication. The nonce therefore provides no effective access control, and what would otherwise be a gated, low-impact issue becomes a reliably reachable injection point for unauthenticated clients.
Root Cause
The root cause is insufficient escaping of user input combined with missing query preparation. The $f_input_id value is treated as an integer by intent but is never enforced as one, and the surrounding SQL has no quoting. WordPress provides $wpdb->prepare() and absint() for exactly this scenario, but neither is used on this code path.
Attack Vector
An unauthenticated attacker first requests any public gallery page to retrieve the cg_nonce value from the page source. The attacker then issues a POST request to the WordPress admin-ajax.php endpoint, invoking the post_cg_gallery_form_upload action with a crafted form_input payload. The payload appends a UNION SELECT or time-based clause to the existing query, allowing extraction of arbitrary table contents. No user interaction is required, and the attack works over the network against any site running a vulnerable version.
Detection Methods for CVE-2026-8912
Indicators of Compromise
- POST requests to /wp-admin/admin-ajax.php with action=post_cg_gallery_form_upload containing SQL metacharacters in the form_input parameter
- Web server log entries showing UNION, SLEEP(, SELECT, or comment sequences such as -- or # inside form_input values
- Anomalous response times on admin-ajax.php consistent with time-based blind SQL injection probes
- Repeated requests reusing the same cg_nonce value from many source addresses
Detection Strategies
- Inspect WordPress access logs for post_cg_gallery_form_upload requests where form_input is non-numeric or contains URL-encoded SQL syntax
- Deploy Web Application Firewall (WAF) signatures that block SQL keywords and comment markers in the form_input parameter
- Enable MySQL or MariaDB general query logging temporarily to surface malformed SELECT Field_Content FROM ... WHERE id = ... statements
- Correlate elevated admin-ajax.php traffic with the plugin version reported by site inventory tools
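The log-inspection strategy above can be implemented as a small script. The following is an added example (not code from the advisory or from the plugin) that applies the indicators listed in this section to request records: it decodes the POST body, checks whether form_input is a plain integer, looks for the SQL keywords and comment markers named above, and groups cg_nonce values by client address. The record shape (ts, src, body) is an assumption modelled on a WAF or reverse-proxy log that captures request bodies; the sample records are constructed, not real traffic.

```python
import re
from collections import defaultdict
from typing import Optional
from urllib.parse import parse_qs

TARGET_ACTION = "post_cg_gallery_form_upload"
NUMERIC = re.compile(r"[0-9]+")  # the only shape a legitimate form_input should have
# Indicators from the advisory: SQL keywords and comment markers, checked after
# URL decoding so that %20UNION%20 and +union+ are both caught.
SQL_INDICATORS = re.compile(r"union|select|sleep\s*\(|--|#|/\*", re.IGNORECASE)


def parse_body(body: str) -> dict:
    """Decode a urlencoded POST body, keeping the first value of each parameter."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def classify_request(body: str) -> Optional[str]:
    """None for unrelated actions; otherwise 'ok', 'non_numeric' or 'sqli'."""
    params = parse_body(body)
    if params.get("action") != TARGET_ACTION:
        return None
    value = params.get("form_input", "")
    if NUMERIC.fullmatch(value):
        return "ok"
    if SQL_INDICATORS.search(value):
        return "sqli"
    return "non_numeric"  # not an integer, but no recognised SQL syntax either


def analyze(records: list) -> list:
    """Return (timestamp, client, verdict, decoded form_input) for every hit."""
    findings = []
    for rec in records:
        verdict = classify_request(rec["body"])
        if verdict in ("sqli", "non_numeric"):
            findings.append((rec["ts"], rec["src"], verdict,
                             parse_body(rec["body"]).get("form_input", "")))
    return findings


def find_shared_nonces(records: list, min_sources: int = 3) -> dict:
    """Map each cg_nonce used from at least min_sources distinct clients to those clients."""
    sources = defaultdict(set)
    for rec in records:
        params = parse_body(rec["body"])
        if params.get("action") == TARGET_ACTION and params.get("cg_nonce"):
            sources[params["cg_nonce"]].add(rec["src"])
    return {n: sorted(c) for n, c in sources.items() if len(c) >= min_sources}


# Constructed sample records (not real traffic) in the shape of a WAF or
# reverse-proxy log that records POST bodies; plain access logs do not.
SAMPLE_RECORDS = [
    {"ts": "2026-05-20T10:00:01Z", "src": "198.51.100.7",
     "body": "action=post_cg_gallery_form_upload&cg_nonce=aa11bb22cc&form_input=42"},
    {"ts": "2026-05-20T10:00:09Z", "src": "203.0.113.10",
     "body": "action=post_cg_gallery_form_upload&cg_nonce=aa11bb22cc&form_input=42+UNION+SELECT+1"},
    {"ts": "2026-05-20T10:00:12Z", "src": "203.0.113.11",
     "body": "action=post_cg_gallery_form_upload&cg_nonce=aa11bb22cc&form_input=42%29+OR+SLEEP%285%29--+-"},
    {"ts": "2026-05-20T10:00:15Z", "src": "203.0.113.12",
     "body": "action=post_cg_gallery_form_upload&cg_nonce=aa11bb22cc&form_input=42abc"},
    {"ts": "2026-05-20T10:00:20Z", "src": "198.51.100.8",
     "body": "action=heartbeat&data=ping"},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_RECORDS):
        print("ALERT", *finding)
    for nonce, clients in find_shared_nonces(SAMPLE_RECORDS).items():
        print("nonce", nonce, "reused by", len(clients), "clients")
```

The integer check is the strongest signal here: the endpoint only ever needs a numeric id, so anything else is either a probe or a broken client. The nonce grouping is a weaker signal, because WordPress issues the same nonce to every logged-out visitor within a tick window, so many clients sharing one cg_nonce is normal on a busy public gallery; use it to cluster activity around a confirmed non-numeric hit rather than as an alert on its own.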
Monitoring Recommendations
- Alert on database error messages returned in responses to public clients calling the Contest Gallery AJAX action
- Track plugin inventory and flag any WordPress instance running Contest Gallery 28.1.6 or earlier
- Monitor for new administrative users or password hash reads following suspicious admin-ajax.php activity
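For the plugin-inventory recommendation above, the following added example (not code from the advisory or the plugin) reads WordPress plugin headers and flags the affected plugin at any version up to and including 28.1.6. It assumes the plugin's "Plugin Name:" header reads "Contest Gallery" (an assumption; the advisory only names the plugin) and, like WordPress itself, inspects only the first 8 KB of each top-level plugin file. Versions are compared numerically, since a plain string comparison would rank 9.9.9 above 28.1.6. The header samples at the bottom are constructed.

```python
import re
from pathlib import Path
from typing import Optional

VULNERABLE_MAX = "28.1.6"        # from the advisory: all versions up to and including this
PLUGIN_NAME = "Contest Gallery"  # assumed value of the plugin's "Plugin Name:" header
# Matches "Plugin Name: X" and "Version: X" lines, with or without a leading " * ".
HEADER_RE = re.compile(r"^[ \t]*\*?[ \t]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$",
                       re.MULTILINE)


def parse_plugin_header(source: str) -> dict:
    """Pull Plugin Name and Version out of a WordPress plugin header comment."""
    return dict(HEADER_RE.findall(source))


def version_key(version: str) -> tuple:
    """Numeric tuple so that 28.1.6 sorts above 9.9.9 (string order would not)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_vulnerable(version: str) -> bool:
    """True for every version up to and including VULNERABLE_MAX."""
    return version_key(version) <= version_key(VULNERABLE_MAX)


def check_plugin_source(source: str) -> Optional[dict]:
    """Return a finding if the header names the affected plugin, else None."""
    header = parse_plugin_header(source)
    if header.get("Plugin Name") != PLUGIN_NAME or "Version" not in header:
        return None
    return {"name": header["Plugin Name"], "version": header["Version"],
            "vulnerable": is_vulnerable(header["Version"])}


def scan_plugins_dir(plugins_dir: Path) -> list:
    """Walk wp-content/plugins, reading the first 8 KB of each top-level .php file."""
    findings = []
    for php in sorted(plugins_dir.glob("*/*.php")):
        result = check_plugin_source(php.read_text(errors="replace")[:8192])
        if result:
            result["path"] = str(php)
            findings.append(result)
    return findings


# Constructed header samples (not copied from the plugin) to exercise the checks.
SAMPLE_HEADERS = {
    "old": "<?php\n/*\nPlugin Name: Contest Gallery\nVersion: 28.1.6\n*/\n",
    "newer": "<?php\n/**\n * Plugin Name: Contest Gallery\n * Version: 28.1.7\n */\n",
    "other": "<?php\n/*\nPlugin Name: Some Other Plugin\nVersion: 1.0\n*/\n",
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Usage: python check_cg_version.py /var/www/html/wp-content/plugins
        for finding in scan_plugins_dir(Path(sys.argv[1])):
            print(finding)
    else:
        for label, src in SAMPLE_HEADERS.items():
            print(label, check_plugin_source(src))
```

Run it against each site's wp-content/plugins directory from a host inventory job; any finding with "vulnerable": True is a site that still needs the update or the plugin removed.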
How to Mitigate CVE-2026-8912
Immediate Actions Required
- Update the Contest Gallery plugin to a version newer than 28.1.6 as soon as a fixed release is available from the vendor
- If a patched version is not yet available, deactivate and remove the Contest Gallery plugin from production sites
- Rotate WordPress database credentials and administrator passwords if injection attempts are confirmed in logs
- Review the wp_users and wp_usermeta tables for unauthorized accounts or modified roles
Patch Information
The vulnerability is present through version 28.1.6. Site administrators should consult the Wordfence Vulnerability Intelligence entry and the plugin's WordPress.org repository for the current fixed release. The fix requires casting $f_input_id to an integer or using $wpdb->prepare() with a %d placeholder before executing the SELECT Field_Content query.
Workarounds
- Block requests to /wp-admin/admin-ajax.php where the action parameter equals post_cg_gallery_form_upload at the WAF or reverse proxy layer
- Restrict public access to gallery pages that render the cg_nonce, limiting exposure of valid nonce tokens
- Apply a virtual patch in ModSecurity or equivalent that rejects non-numeric form_input values
# Example ModSecurity rule to block exploitation attempts
SecRule ARGS:action "@streq post_cg_gallery_form_upload" \
"id:1026891,phase:2,deny,status:403,\
chain,msg:'CVE-2026-8912 Contest Gallery SQLi attempt'"
SecRule ARGS:form_input "!@rx ^[0-9]+$"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


