CVE-2022-4160: 
WordPress vulnerability analysis and mitigation

The Contest Gallery WordPress plugin and Contest Gallery Pro WordPress plugin before version 19.1.5.1 contain a SQL injection vulnerability. The vulnerability exists because the plugins do not properly escape the cg_copy_id POST parameter before concatenating it to SQL queries in cg-copy-comments.php and cg-copy-rating.php files (WPScan).

The vulnerability is a SQL injection flaw that affects users with author privileges or higher. The issue stems from improper sanitization of the cg_copy_id POST parameter when it is used in SQL queries within the cg-copy-comments.php and cg-copy-rating.php files. The vulnerability has been assigned a CVSS score of 6.5 (Medium) with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility with low attack complexity and requiring low privileges (NVD).

A successful exploitation of this vulnerability could allow malicious users with at least author privileges to leak sensitive information from the site's database through SQL injection attacks (WPScan).

The vulnerability has been fixed in version 19.1.5.1 of both Contest Gallery and Contest Gallery Pro WordPress plugins. Users should update to this version or later to mitigate the risk (WPScan).