CVE-2022-4165: 
WordPress vulnerability analysis and mitigation

CVE-2022-4165 is a SQL injection vulnerability affecting the Contest Gallery WordPress plugin versions below 19.1.5. The vulnerability was discovered by Kunal Sharma (University of Kaiserslautern) and Daniel Krohmer (Fraunhofer IESE) and was publicly disclosed on December 5, 2022. The issue affects both the free version (Contest Gallery) and the pro version (Contest Gallery Pro) of the plugin (WPScan, Wordfence).

The vulnerability stems from improper input validation where the plugin fails to properly escape the cg_order POST parameter before concatenating it to an SQL query in the order-custom-fields-with-and-without-search.php file. The vulnerability has been assigned a CVSS score of 6.8 (medium) and is classified as a CWE-89 type vulnerability, falling under the OWASP Top 10 category A1: Injection (WPScan).

This vulnerability could allow malicious users with author-level privileges or higher to leak sensitive information from the site's database through SQL injection attacks (WPScan).

The vulnerability has been fixed in version 19.1.5 of both Contest Gallery and Contest Gallery Pro plugins. Site administrators are advised to update to this version or later to mitigate the vulnerability (WPScan).