CVE-2022-4152: 
WordPress vulnerability analysis and mitigation

The Contest Gallery WordPress plugin before 19.1.5 and Contest Gallery Pro WordPress plugin before 19.1.5 contain a SQL injection vulnerability identified as CVE-2022-4152. The vulnerability was discovered by Kunal Sharma (University of Kaiserslautern) and Daniel Krohmer (Fraunhofer IESE) and was publicly disclosed on December 5, 2022 (WPScan).

The vulnerability exists in the edit-options.php file where the option_id POST parameter is not properly escaped before being concatenated into an SQL query. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. It is classified as a SQL Injection (CWE-89) vulnerability and falls under the OWASP Top 10 category A1: Injection (WPScan, NVD).

This vulnerability allows malicious users with at least author privileges to potentially leak sensitive information from the site's database (NVD).

The vulnerability has been fixed in version 19.1.5 of both Contest Gallery and Contest Gallery Pro WordPress plugins. Users are advised to update to these versions or later to mitigate the vulnerability (WPScan).