CVE-2022-4156: 
WordPress vulnerability analysis and mitigation

CVE-2022-4156 affects the Contest Gallery WordPress plugin (both regular and Pro versions) before version 19.1.5.1. The vulnerability was discovered and disclosed in December 2022. The affected plugins fail to properly escape the user_id POST parameter in the ajax-functions-backend.php file, creating a security weakness in WordPress installations using these plugins (WPScan).

The vulnerability is classified as an SQL Injection (SQLI) with a CVSS score of 7.5 (HIGH) according to CVSS v3.1 metrics (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). The issue stems from improper escaping of the user_id POST parameter before its concatenation into an SQL query within the ajax-functions-backend.php file. This vulnerability falls under CWE-89 (SQL Injection) category (NVD).

The vulnerability allows malicious users with at least author privileges to potentially leak sensitive information from the site's database. The successful exploitation could lead to unauthorized access to sensitive data stored in the WordPress database (WPScan).

The vulnerability has been fixed in version 19.1.5.1 of both Contest Gallery and Contest Gallery Pro WordPress plugins. Users are advised to update to this version or later to mitigate the risk (WPScan).