CVE-2022-4150: 
WordPress vulnerability analysis and mitigation

The Contest Gallery WordPress plugin before version 19.1.5.1 and Contest Gallery Pro WordPress plugin before version 19.1.5.1 contain a SQL injection vulnerability identified as CVE-2022-4150. The vulnerability was discovered by Kunal Sharma and Daniel Krohmer, and was publicly disclosed on December 5, 2022. This security issue affects the order-custom-fields-with-and-without-search.php file in both plugin versions (WPScan).

The vulnerability stems from improper input validation where the option_id POST parameter is not properly escaped before being concatenated into an SQL query within the order-custom-fields-with-and-without-search.php file. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility with low attack complexity and requiring low privileges (NVD).

When exploited, this vulnerability allows malicious users with at least author privileges to potentially leak sensitive information from the site's database. The high confidentiality impact indicated by the CVSS score suggests significant potential for unauthorized access to sensitive data (WPScan).

The vulnerability has been patched in version 19.1.5.1 of both Contest Gallery and Contest Gallery Pro WordPress plugins. Users are advised to update to these versions or later to mitigate the security risk (WPScan).