Home > Vulnerability Database > CVE-2022-4166

Mend.io Vulnerability Database

CVE-2022-4166

Date: December 26, 2022

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the addCountS POST parameter before concatenating it to an SQL query in 4_activate.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database.

Language: PHP

Severity Score

6.5

Related Resources (4)

Url: https://wpscan.com/vulnerability/6e7de2bb-5f71-4c27-ae79-4f6b2ba7f86f

Url: https://bulletin.iese.de/post/contest-gallery_19-1-4-1_12

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-4166

Url: https://www.mend.io/vulnerability-database/CVE-2022-4166

Severity Score

6.5

Weakness Type (CWE)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-89

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2022-4166

Date: December 26, 2022

Language: PHP

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?