CVE-2022-4150 in Contest Gallery Plugin
Summary
by MITRE • 12/26/2022
The Contest Gallery WordPress plugin before 19.1.5.1 and the Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the option_id POST parameter before concatenating it to an SQL query in order-custom-fields-with-and-without-search.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database.
Analysis
by VulDB Data Team • 04/12/2025
The vulnerability identified as CVE-2022-4150 affects the Contest Gallery and Contest Gallery Pro WordPress plugins in versions prior to 19.1.5.1. It is a critical SQL injection weakness caused by improper input handling: in the file order-custom-fields-with-and-without-search.php, the option_id POST parameter is incorporated directly into an SQL query without sanitization or escaping. The flaw is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), the weakness class in which insufficient input validation lets an attacker alter the structure of a database query through crafted input.
The vulnerability is triggered when the plugin processes user-supplied data in the option_id parameter, which is normally used to select a specific configuration option or custom field. When an attacker submits a crafted POST request whose option_id value contains SQL syntax, the plugin neither escapes nor validates the value before concatenating it into the query, so the value becomes part of the SQL statement rather than a bound data item. This lets an attacker construct statements that bypass the intended access controls and potentially extract sensitive information from the database.
The operational impact extends beyond simple data leakage: the flaw can give a malicious actor the ability to perform unauthorized database operations, including data enumeration, modification, or deletion. An attacker with at least author privileges can use it to reach data that should remain protected, such as user credentials, personal information, configuration settings, and other database contents. In effect the weakness enables privilege escalation within the WordPress installation, because author-level access is leveraged into database operations that would normally require higher privileges.
From a threat modeling perspective, the vulnerability maps to ATT&CK technique T1213.002 (Data from Information Repositories: Sharepoint-style and similar repositories) and represents a significant risk to organizations that rely on WordPress for content management. The attack requires minimal privileges but can yield substantial data exposure, which makes it particularly dangerous where WordPress plugins handle sensitive user data or business-critical information. Because the affected plugins are widely used and often deployed across many sites, a single weakness of this kind can have widespread impact.
Mitigation for CVE-2022-4150 should begin with an immediate update of the plugin to version 19.1.5.1 or later, where the SQL injection has been addressed through proper input sanitization. Organizations should also apply defense in depth: parameterized database queries, input validation at more than one layer, and monitoring for suspicious POST requests containing SQL injection patterns. Network-based intrusion detection systems should be configured to alert on potential SQL injection attempts, and regular security audits of WordPress installations should verify plugin versions and applied patches. The case illustrates the importance of input validation and correct SQL query construction in preventing database exploitation: all user-supplied data must be treated as potentially malicious until it has been validated and sanitized.
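The following is an added, self-contained PHP example (not the plugin's own code, and not its real query or schema) that illustrates the mechanism described in the analysis and the parameterized-query mitigation recommended above. It uses an in-memory SQLite database through PDO so it runs stand-alone; the table custom_fields, its columns, and the sample rows are constructed for the demo. The vulnerable function concatenates the raw option_id value into the query exactly as the advisory describes, while the hardened function validates the value as an integer, binds it as a typed parameter, and logs rejected input so the attempt is visible to monitoring.

```php
<?php
// Added example (not the plugin's code): why concatenating the option_id
// POST parameter into SQL is unsafe, and the validated, parameterised
// alternative. Table name, columns and rows are constructed for the demo.

function demoDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE custom_fields (option_id INTEGER, label TEXT)');
    $db->exec("INSERT INTO custom_fields VALUES (1, 'Title'), (2, 'Email'), (3, 'Internal note')");
    return $db;
}

// Vulnerable pattern: the raw request value is spliced into the query
// string, so anything that is not a plain integer becomes part of the SQL.
function fetchFieldsUnsafe(PDO $db, string $optionId): array {
    $sql = 'SELECT option_id, label FROM custom_fields WHERE option_id = ' . $optionId;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: accept only a decimal integer, then bind it as a typed
// parameter so the value can never change the shape of the statement.
// In a WordPress plugin the equivalent is absint() on the input followed by
// $wpdb->prepare( '... WHERE option_id = %d', $id ).
function fetchFieldsSafe(PDO $db, string $optionId): array {
    if (!preg_match('/^\d{1,10}$/', $optionId)) {
        // A non-integer option_id is never legitimate for this handler, so
        // record it (truncated) for monitoring instead of silently dropping it.
        error_log('rejected non-numeric option_id: ' . substr($optionId, 0, 64));
        throw new InvalidArgumentException('option_id must be an integer');
    }
    $stmt = $db->prepare('SELECT option_id, label FROM custom_fields WHERE option_id = :id');
    $stmt->bindValue(':id', (int) $optionId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = demoDb();

// Legitimate request: both paths return exactly the one matching row.
var_dump(count(fetchFieldsUnsafe($db, '2')) === 1);   // bool(true)
var_dump(count(fetchFieldsSafe($db, '2')) === 1);     // bool(true)

// Constructed non-numeric value (a tautology, the simplest illustration of
// query-shape change): the unsafe path now matches every row in the table.
var_dump(count(fetchFieldsUnsafe($db, '2 OR 1=1')) === 3);   // bool(true)

// The hardened path refuses the same value before any SQL is built.
try {
    fetchFieldsSafe($db, '2 OR 1=1');
    echo "unexpected: value accepted\n";
} catch (InvalidArgumentException $e) {
    echo "hardened path refused the value: {$e->getMessage()}\n";
}
```

Run it with `php example.php` (requires the pdo_sqlite extension). The two layers in fetchFieldsSafe are deliberate: the integer check is the "input validation at multiple layers" the analysis calls for and doubles as a detection point, while the typed bind is the parameterization that makes the query correct even if a later code change weakens the check.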