CVE-2022-4166

CVSS V2 None CVSS V3 None
Description
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the addCountS POST parameter before concatenating it to an SQL query in 4_activate.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database.
Overview
  • CVE ID
  • CVE-2022-4166
  • Assigner
  • contact@wpscan.com
  • Vulnerability Status
  • Analyzed
  • Published Version
  • 2022-12-26T13:15:13
  • Last Modified Date
  • 2023-01-04T21:55:49
Weakness Enumerations
CWE URL
CWE-89 http://cwe.mitre.org/data/definitions/89.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:contest-gallery:contest_gallery:*:*:*:*:*:wordpress:*:* 1 OR 19.1.5.1
cpe:2.3:a:contest-gallery:contest_gallery:*:*:*:*:pro:wordpress:*:* 1 OR 19.1.5.1
References
Reference URL Reference Tags
https://bulletin.iese.de/post/contest-gallery_19-1-4-1_12
https://wpscan.com/vulnerability/6e7de2bb-5f71-4c27-ae79-4f6b2ba7f86f
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2022-4166
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4166
History
Created Old Value New Value Data Type Notes
2022-12-26 13:19:08 Added to TrackCVE
2022-12-26 13:19:10 Weakness Enumeration new
2022-12-27 14:16:00 2022-12-27T13:48:11 CVE Modified Date updated
2022-12-27 14:16:00 Received Awaiting Analysis Vulnerability Status updated
2023-01-03 17:14:37 Awaiting Analysis Undergoing Analysis Vulnerability Status updated
2023-01-04 22:17:16 2023-01-04T21:55:49 CVE Modified Date updated
2023-01-04 22:17:16 Undergoing Analysis Analyzed Vulnerability Status updated
2023-01-04 22:17:17 CPE Information updated