CVE-2021-24915
CRITICAL EXPLOITED NUCLEIContest Gallery WordPress <13.1.0.6 - SQL Injection
Title source: llmExploitation Summary
CVE-2021-24915 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.
Description
The Contest Gallery WordPress plugin before 13.1.0.6 does not have capability checks and does not sanitise or escape the cg-search-user-name-original parameter before using it in a SQL statement when exporting users from a gallery, which could allow unauthenticated to perform SQL injections attacks, as well as get the list of all users registered on the blog, including their username and email address
Nuclei Templates (1)
Contest Gallery < 13.1.0.6 - SQL injection
CRITICALVERIFIEDby r3Y3r53
Shodan:
http.html:/wp-content/plugins/contest-gallery/
FOFA:
body=/wp-content/plugins/contest-gallery/
References (2)
Core 2
Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/45ee86a7-1497-4c81-98b8-9a8e5b3d4fac
Exploit, Third Party Advisory x_refsource_misc
https://gist.github.com/tpmiller87/6c05596fe27dd6f69f1aaba4cbb9c917
Scores
CVSS v3
9.8
EPSS
0.1270
EPSS Percentile
95.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
VulnCheck KEV
2026-03-10
CWE
CWE-89
Status
published
Products (1)
contest_gallery/contest_gallery
< 13.1.0.6
Published
Nov 29, 2021
Tracked Since
Feb 18, 2026