CVE-2022-4158: 
WordPress vulnerability analysis and mitigation

The Contest Gallery WordPress plugin (versions before 19.1.5.1) and Contest Gallery Pro WordPress plugin (versions before 19.1.5.1) contain an unauthenticated SQL injection vulnerability identified as CVE-2022-4158. The vulnerability was discovered by Kunal Sharma (University of Kaiserslautern) and Daniel Krohmer (Fraunhofer IESE) and was publicly disclosed on December 5, 2022. The vulnerability received a CVSS v3.1 base score of 7.5 (HIGH) (NVD, WPScan).

The vulnerability exists in the users-registry-check-registering-and-login.php file where the cg_Fields POST parameter is not properly escaped before being concatenated into an SQL query. This SQL injection vulnerability is classified as CWE-89 and falls under the OWASP Top 10 category A1: Injection. The vulnerability has a CVSS score of 8.6 (high) according to WPScan's assessment (WPScan).

The vulnerability allows malicious visitors to leak sensitive information from the site's database through SQL injection attacks. Since this is an unauthenticated vulnerability, it can be exploited by any visitor to the website without requiring any prior authentication (WPScan).

The vulnerability has been fixed in version 19.1.5.1 of both Contest Gallery and Contest Gallery Pro WordPress plugins. Users are advised to update to these versions or later to mitigate the vulnerability (WPScan).