CVE-2026-8912: WordPress Contest Gallery Plugin SQLi

May 19, 2026 16:16 /HIGH /CVSS 7.5/10

Written by SCW Vulnerability Desk Vulnerability Intelligence

SCW vulnerabilitycvehigh-severitysql-injectioncwe-89

The National Vulnerability Database has disclosed CVE-2026-8912, a high-severity SQL Injection vulnerability impacting the Contest Gallery plugin for WordPress, versions up to and including 28.1.6. This flaw stems from insufficient input escaping and inadequate preparation of existing SQL queries within the post_cg_gallery_form_upload AJAX action. Specifically, the form_input parameter, when processed in the cb branch of users-upload-check.php, is directly concatenated into a SELECT statement without proper sanitization.

Attackers can exploit this vulnerability without authentication. The required public frontend nonce (cg1l_action / cg_nonce) is readily exposed in the page source of any public gallery. This allows unauthenticated attackers to inject malicious SQL queries, enabling them to extract sensitive information directly from the WordPress database. This is a critical unauthenticated data exfiltration vector.

With a CVSS score of 7.5 (HIGH), this SQLi presents a significant risk. Any WordPress site running the Contest Gallery plugin must prioritize patching. The attacker’s calculus here is simple: find a public gallery page, grab the nonce, and then craft a payload to dump sensitive data. It’s a low-effort, high-reward scenario for them.

What This Means For You

If your organization uses the WordPress Contest Gallery plugin, check your version immediately. Patch to a version beyond 28.1.6. Assume compromise if you were running affected versions, and audit your WordPress database for suspicious activity or unauthorized data access. This is an unauthenticated SQL injection, meaning anyone can exploit it.

title: CVE-2026-8912: WordPress Contest Gallery Plugin SQLi via form_input id: scw-2026-05-19-ai-1 status: experimental level: high description: | Detects SQL Injection attempts against the WordPress Contest Gallery plugin (versions up to 28.1.6) via the 'form_input' parameter in the 'post_cg_gallery_form_upload' AJAX action. The presence of 'action=post_cg_gallery_form_upload', 'form_input=', and 'cb' in the URI query, along with a SQL SELECT statement pattern, indicates a likely exploit attempt targeting CVE-2026-8912. author: SCW Feed Engine (AI-generated) date: 2026-05-19 references: - https://shimiscyberworld.com/posts/nvd-CVE-2026-8912/ tags: - attack.initial_access - attack.t1190 logsource: category: webserver detection: selection: cs-uri|contains: - '/wp-admin/admin-ajax.php' cs-uri-query|contains: - 'action=post_cg_gallery_form_upload' cs-uri-query|contains: - 'form_input=' cs-uri-query|contains: - 'cb' cs-uri-query|contains: - 'SELECT Field_Content FROM' condition: cs-uri AND cs-uri-query falsepositives: - Legitimate administrative activity

ID	Type	Indicator
CVE-2026-8912	SQLi	WordPress Plugin: Contest Gallery <= 28.1.6
CVE-2026-8912	SQLi	Vulnerable Parameter: 'form_input'
CVE-2026-8912	SQLi	Vulnerable AJAX Action: 'post_cg_gallery_form_upload'
CVE-2026-8912	SQLi	Vulnerable File/Branch: users-upload-check.php (cb branch)
CVE-2026-8912	SQLi	CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Type

Indicator

CVE-2026-8912

SQLi

WordPress Plugin: Contest Gallery <= 28.1.6

CVE-2026-8912

SQLi

Vulnerable Parameter: 'form_input'

CVE-2026-8912

SQLi

Vulnerable AJAX Action: 'post_cg_gallery_form_upload'

CVE-2026-8912

SQLi

Vulnerable File/Branch: users-upload-check.php (cb branch)

CVE-2026-8912

SQLi

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Source Platform	NVD
Channel	National Vulnerability Database
Published	May 19, 2026 at 16:16 UTC

CVE-2026-8912: WordPress Contest Gallery Plugin SQLi

What This Means For You

Related ATT&CK Techniques

🛡️ Detection Rules