External risk intelligence

Contest Gallery Unauthenticated SQL Injection Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2026-40771

An unauthenticated SQL injection vulnerability in the Contest Gallery plugin could allow attackers to access or manipulate database information. Because this plugin is often used in internet-facing web applications, it may be reachable by external actors, posing a risk to sensitive data.

Halo Surface Signal: 4

SQL Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-40771

This vulnerability affects a WordPress plugin, a category of software that is almost always deployed inside an internet-facing website. Because the plugin's request handlers run as part of the public site, the vulnerable code is typically reachable by anyone who can reach the website itself, so internet exposure is the norm for this product category rather than the exception.

PCI scan relevance

PCI Relevance for CVE-2026-40771

Yes

CVE-2026-40771 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability is an unauthenticated SQL injection. SQL injection is listed as an automatic-failure condition in the PCI ASV Program Guide regardless of its CVSS score, because it can be used to read or alter data, including cardholder data, held in the database behind the scanned host.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This advisory details a critical security vulnerability in a WordPress plugin that could allow unauthorized access to sensitive data. The issue stems from the plugin passing request input into database queries without neutralizing it, which lets a remote actor change the structure and meaning of those queries.

  • Unauthenticated data access via software flaw.
  • Plugin use is common in web applications.
  • Confirm relevance and assess exposure.

Attack Path

How an attacker could exploit the issue

An attacker could target the Contest Gallery plugin with unauthenticated SQL injection. The attacker sends a request in which a parameter carries crafted SQL syntax; because the plugin embeds that parameter in a database query, the injected syntax is executed by the database, potentially leading to unauthorized data access or manipulation.

  • No authentication required for attack.
  • SQL injection via specially crafted request parameters.
  • Risk of unauthorized data access.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to inject SQL into queries issued by the Contest Gallery plugin. This could lead to unauthorized access to or manipulation of the underlying WordPress database, potentially exposing sensitive information such as user records or disrupting service.

  • Database data at risk.
  • Via unauthenticated network requests.
  • Unauthorized data access or disruption.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical unauthenticated SQL injection vulnerability in Contest Gallery affects internet-facing web applications. Application owners, in coordination with infrastructure and security teams, must prioritize identifying all instances of the affected plugin, assessing business criticality and external reachability, and confirming ownership for remediation planning.

  • Application owners should manage this issue.
  • Verify plugin reachability and business criticality.
  • Plan remediation based on risk assessment.

Frequently asked questions

What is Contest Gallery?

Contest Gallery is a WordPress plugin designed to help website owners create, manage, and display visual contests or photo galleries for their users. It integrates directly into the WordPress ecosystem to handle user-submitted content and media organization, essentially serving as a database-driven tool that organizes entries and participant data within a site's backend and frontend displays.

What does SQL injection mean for CVE-2026-40771?

This vulnerability is classified as CWE-89, improper neutralization of special elements used in an SQL command. In plain terms, the plugin inserts user-provided data into a SQL statement without separating it from the statement's syntax, for example by binding it as a prepared-statement parameter. An attacker can exploit this by sending input containing SQL syntax that the database parses as part of the query, potentially allowing them to read data they are not authorized to see or to modify or delete database contents.

How does an attacker trigger this vulnerability?

The flaw is triggered when an attacker sends malicious network requests to the plugin without needing to log in or hold any user account. It is important to note that the vulnerability does not require the attacker to have administrative rights or prior access to the site. If the plugin builds a SQL statement by concatenating request data into the query text instead of binding it as a parameter, the injected SQL is executed by the database with the privileges of the site's WordPress database user.
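The difference between the two code shapes described above, shown as an added example that is not the plugin's own code: a constructed SQLite schema (an `entries` table and a `users` table whose names and rows are invented for the demo) is queried once with the request value spliced into the statement text and once with it bound as a parameter. The payload strings are generic SQL injection patterns, not exploit details from the advisory.

```python
import sqlite3

# Constructed demo schema; table/column names and rows are invented for this
# example and are not the Contest Gallery plugin's real tables.
def demo_connection():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE entries (id INTEGER PRIMARY KEY, gallery_id INTEGER,
                              title TEXT, author_email TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO entries VALUES (1, 7, 'Sunset',  'alice@example.com');
        INSERT INTO entries VALUES (2, 7, 'Harbour', 'bob@example.com');
        INSERT INTO entries VALUES (3, 8, 'Hidden',  'carol@example.com');
        INSERT INTO users   VALUES (1, 'admin', '$P$BfakeHashForDemoOnly');
    """)
    return conn


def vulnerable_search(conn, gallery_id):
    """CWE-89 shape: the request parameter becomes part of the SQL text, so a
    quote inside the value terminates the literal and the rest is parsed as SQL."""
    sql = f"SELECT title, author_email FROM entries WHERE gallery_id = '{gallery_id}'"
    return conn.execute(sql).fetchall()


def safe_search(conn, gallery_id):
    """Hardened shape: the value travels as a bound parameter, so the database
    receives the statement structure and the data separately and no input can
    alter the query. The int() check additionally rejects anything that is not
    a plausible gallery id before it reaches the database at all."""
    try:
        gid = int(gallery_id)
    except (TypeError, ValueError):
        return []
    sql = "SELECT title, author_email FROM entries WHERE gallery_id = ?"
    return conn.execute(sql, (gid,)).fetchall()


# Generic injection strings for the demo (constructed, not from the advisory).
BOOLEAN_PAYLOAD = "7' OR '1'='1"
UNION_PAYLOAD = "x' UNION SELECT user_login, user_pass FROM users -- "


def main():
    conn = demo_connection()
    print("normal request:   ", vulnerable_search(conn, "7"))
    print("boolean bypass:   ", vulnerable_search(conn, BOOLEAN_PAYLOAD))  # every gallery's rows
    print("union data read:  ", vulnerable_search(conn, UNION_PAYLOAD))    # rows from users table
    print("bound parameter:  ", safe_search(conn, UNION_PAYLOAD))          # nothing leaks


if __name__ == "__main__":
    main()
```

The WordPress equivalent of `safe_search` is `$wpdb->prepare()` with a `%d` or `%s` placeholder rather than string concatenation into `$wpdb->get_results()`; the principle is the same: the query text never contains attacker-controlled bytes.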

Is my website at risk from this vulnerability?

According to Halo Surface Signal, this plugin is typically deployed as an internet-facing web application, meaning the code is reachable by anyone with access to your public website. If your site runs an affected version of Contest Gallery and is accessible over the internet, your instance is likely reachable by an external attacker, increasing the relevance of this security issue for your environment.

What should I do if I use Contest Gallery?

Begin by identifying all WordPress installations within your environment that have the Contest Gallery plugin enabled. Assess the business criticality of those specific sites to prioritize your response. Once identified, coordinate with your technical teams to confirm the current version in use and plan for remediation, ensuring that any necessary security updates or configuration changes are applied promptly to secure your database data.
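The inventory step in this answer and in the Operational Fix section above, as an added example that is not the vendor's or the plugin's own tooling: walk a filesystem root, locate every `wp-content/plugins/contest-gallery/` directory and read the plugin's version from the header comment of its main PHP file, the same header WordPress itself parses. The directory slug `contest-gallery`, the 8 KiB header window and the sample tree produced by `build_demo_tree()` are assumptions made for this demo; confirm the slug against your own installation.

```python
import os
import re
import tempfile

# Assumed plugin directory name; confirm it matches your installation.
PLUGIN_SLUG = "contest-gallery"

# The two header fields we need, matched the way WordPress reads them from the
# main plugin file's leading comment block (prefix of comment characters allowed).
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$",
                       re.MULTILINE | re.IGNORECASE)


def parse_plugin_header(text):
    """Return {'plugin name': ..., 'version': ...} from the start of a plugin file."""
    fields = {}
    for key, value in HEADER_RE.findall(text[:8192]):
        fields.setdefault(key.lower(), value)   # first occurrence wins, as in WordPress
    return fields


def find_plugin_installs(root, slug=PLUGIN_SLUG):
    """Return (path, plugin name, version) for every copy of the plugin under root."""
    suffix = f"wp-content/plugins/{slug}"
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        if not dirpath.replace(os.sep, "/").endswith(suffix):
            continue
        dirnames[:] = []                 # the plugin's subdirectories hold no header
        for name in sorted(filenames):
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                header = parse_plugin_header(fh.read(8192))
            if "plugin name" in header:
                hits.append((path, header["plugin name"], header.get("version", "unknown")))
                break                    # one main file per plugin directory
    return sorted(hits)


def build_demo_tree():
    """Constructed sample tree: site-a has the plugin, site-b has a different one."""
    root = tempfile.mkdtemp(prefix="wp-inventory-demo-")
    plugin_dir = os.path.join(root, "site-a", "wp-content", "plugins", PLUGIN_SLUG)
    other_dir = os.path.join(root, "site-b", "wp-content", "plugins", "some-other-plugin")
    os.makedirs(plugin_dir)
    os.makedirs(other_dir)
    with open(os.path.join(plugin_dir, "index.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php\n/*\nPlugin Name: Contest Gallery\nVersion: 0.0.0-demo\n*/\n")
    with open(os.path.join(other_dir, "index.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php\n/*\nPlugin Name: Some Other Plugin\nVersion: 9.9\n*/\n")
    return root


if __name__ == "__main__":
    for path, name, version in find_plugin_installs(build_demo_tree()):
        print(f"{name} {version}  {path}")
```

On a real host call `find_plugin_installs("/var/www")` (or whatever root holds your sites). A matching directory means the plugin is installed, not necessarily active; activation state lives in the database, so confirm it per site with WP-CLI's `wp plugin list --status=active`, then compare the reported version with the fixed version given in the vendor's advisory.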
