CVE-2026-12165: Contest Gallery <= 30.0.2 - Authenticated (Author+) Privilege Escalation via 'RegistryUserRole' Parameter
The Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 30.0.2 via the `RegistryUserRole` parameter. This is due to the plugin's admin menu being registered at the `edit_posts` capability level — granting Contributor-level users access to the plugin's admin pages and a valid `cg_admin` nonce — while the option-saving handler in `change-options-and-sizes.php` performs no `current_user_can()` capability check beyond `check_admin_referer('cg_admin')`, and the `RegistryUserRole` value is processed only through `sanitize_text_field()` and `htmlentities()` without restriction to an allowlist of permitted role names. This makes it possible for authenticated attackers, with author-level access and above, to overwrite the plugin's stored `RegistryUserRole` option with `administrator`, which the `cg_create_wp_user_from_google_user` function then reads back from the `contest_gal1ery_registry_and_login_options` database table without any allowlist validation and passes directly to `wp_update_user()`, effectively promoting a newly registered Google sign-in account to Administrator.
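As an added illustration (not the Contest Gallery plugin's own code, which this page does not show), the hypothetical handler below puts in place the three controls whose absence the description attributes to the plugin: a capability check after the nonce check, an allowlist on the submitted role, and re-validation of the stored value before it reaches `wp_update_user()`. The option name, menu slug and `cg_` function names are assumptions, and the plugin's own `contest_gal1ery_registry_and_login_options` table is simplified to a WordPress option.

```php
<?php
// Added illustration, not the Contest Gallery plugin's code. Hypothetical names:
// cg_registry_user_role (option), cg-options (menu slug), cg_render_options_page()
// (assumed to exist), cg_save_registry_options(), cg_role_for_new_google_user().

// Roles a self-registration flow may hand out. 'administrator' is deliberately absent.
const CG_ALLOWED_REGISTRY_ROLES = array( 'subscriber', 'contributor' );

// Register the settings page for administrators only. Registering it at
// edit_posts (as the description says the plugin does) gives every Contributor
// the page and, with it, a valid cg_admin nonce.
add_action( 'admin_menu', function () {
    add_menu_page( 'Contest Gallery', 'Contest Gallery', 'manage_options',
        'cg-options', 'cg_render_options_page' );
} );

function cg_save_registry_options() {
    // A nonce only proves the request came from a form this user could load;
    // it is not an authorisation check.
    check_admin_referer( 'cg_admin' );

    // Authorisation: the missing control. Without it any nonce holder proceeds.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // Allowlist: sanitize_text_field()/htmlentities() strip markup but leave the
    // string 'administrator' perfectly intact. Only listed role slugs pass.
    $requested = isset( $_POST['RegistryUserRole'] )
        ? sanitize_key( wp_unslash( $_POST['RegistryUserRole'] ) )
        : '';
    if ( ! in_array( $requested, CG_ALLOWED_REGISTRY_ROLES, true ) ) {
        wp_die( 'Invalid registration role.', '', array( 'response' => 400 ) );
    }
    update_option( 'cg_registry_user_role', $requested );
}
add_action( 'admin_post_cg_save_registry_options', 'cg_save_registry_options' );

// Defence in depth at the consumer: re-validate on read, so a tampered stored
// value can never reach wp_update_user() as a privileged role.
function cg_role_for_new_google_user() {
    $stored = get_option( 'cg_registry_user_role', 'subscriber' );
    return in_array( $stored, CG_ALLOWED_REGISTRY_ROLES, true ) ? $stored : 'subscriber';
}

// Hypothetical call site in the Google sign-in flow:
// wp_update_user( array( 'ID' => $user_id, 'role' => cg_role_for_new_google_user() ) );
```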
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: — (no upstream fix published yet)
- Affected Products: 1
HarborGuard Analysis
Synopsis
A privilege escalation vulnerability affects the Contest Gallery plugin for WordPress in all versions up to and including 30.0.2. Any authenticated user with Author-level access or higher can send a crafted HTTP request over the network to overwrite the plugin's stored user-role setting, requiring no special permissions beyond a valid low-privilege login. Once exploited, any new account registered through the plugin's Google sign-in flow is promoted to WordPress Administrator, giving an attacker full site control. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as a fix version is published upstream.
HarborGuard Coverage
Detection for CVE-2026-12165 is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including Wordfence and the NVD, within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle the Contest Gallery plugin. Any image layer containing a version of the plugin at or below 30.0.2 is flagged automatically. Status: Available.
HarborGuard scores this CVE at 8.8 HIGH using the published CVSS v3.1 vector and weighs it against each customer environment's compliance policy to determine urgency and routing. Findings are routed to the appropriate team inbox within each customer org based on image ownership and policy configuration. Status: Available.
Because no fix version has been published upstream for this CVE, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment the Contest Gallery plugin ships a remediated release. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads will be triggered automatically at that point. Status: Pending upstream.
Exploit Conditions
- Network reachability: Required
  The attacker must reach the WordPress installation's HTTP endpoint over the network to submit the crafted parameter.
- Authentication: Required
  Any low-privilege account at Author level or above is sufficient; no administrative credentials are needed.
- Victim interaction: Not required
  No victim action is needed; the attacker submits the malicious request directly without social engineering.
- Attack complexity: Low (CVSS AC:L)
  The exploit is reliable and condition-free: it requires only a valid nonce obtained through the plugin's standard admin menu, which is accessible to Contributor-level users and above.
Blast Radius
- Attacker overwrites the plugin's stored RegistryUserRole setting, redirecting all future Google sign-in registrations to receive WordPress Administrator role assignments.
- Any account created via the plugin's Google sign-in flow after the overwrite gains full WordPress admin access, including the ability to install plugins, modify themes, and read or delete all site content.
- An attacker controlling an Administrator account can exfiltrate all stored user data, credentials, and site configuration from the WordPress database.
- Full administrative control allows the attacker to plant backdoors, deface the site, or pivot to the underlying server if further vulnerabilities exist.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix for CVE-2026-12165 exists at this time, affected images are flagged and monitored on every ingest cycle rather than queued for an automated rebuild. While waiting for an upstream patch, customers can apply compensating controls such as network-policy rules that restrict access to WordPress admin endpoints, web-application firewall rules that block requests setting the RegistryUserRole parameter to privileged role names, and role-auditing checks that alert on unexpected administrator account creation. HarborGuard will make a patched-image rebuild available the moment a fixed plugin version is published; for customers with auto-remediation enabled, the rebuild, regression test, and PR against affected workloads will be triggered automatically without manual intervention.
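One concrete form of the role-auditing control mentioned above, as an added example that is neither HarborGuard's nor the plugin's code: a must-use plugin that records every assignment of a privileged role together with who triggered it and from where, so a promotion that happens during a front-end Google sign-in (no logged-in actor, no wp-admin request) stands out from one an administrator performs deliberately. The privileged-role list, the `cgaudit_` prefix and the use of `error_log()` as the alert sink are assumptions.

```php
<?php
/*
 * Plugin Name: CG Audit (added illustration, not HarborGuard's or the plugin's code)
 * Install by copying into wp-content/mu-plugins/. All cgaudit_ names are assumptions.
 */

// Roles whose assignment should always be reviewed (assumed list).
const CGAUDIT_PRIVILEGED_ROLES = array( 'administrator', 'editor' );

function cgaudit_is_privileged_role( $role ) {
    return in_array( strtolower( (string) $role ), CGAUDIT_PRIVILEGED_ROLES, true );
}

// Classify the context of a promotion. A legitimate one comes from a logged-in
// user who holds promote_users, on a wp-admin request. A promotion made during a
// front-end sign-in flow has no actor and no admin context.
function cgaudit_context( $actor_id, $in_admin, $can_promote ) {
    if ( $actor_id > 0 && $in_admin && $can_promote ) {
        return 'expected';
    }
    return 'unexpected';
}

// set_user_role fires from WP_User::set_role(), which wp_update_user() calls
// whenever it is handed a 'role' key, so the registration path is covered.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    if ( ! cgaudit_is_privileged_role( $role ) ) {
        return;
    }
    $actor   = get_current_user_id();
    $context = cgaudit_context( $actor, is_admin(), current_user_can( 'promote_users' ) );
    $remote  = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    $record  = array(
        'event'     => 'privileged_role_assigned',
        'context'   => $context,
        'user_id'   => (int) $user_id,
        'new_role'  => $role,
        'old_roles' => $old_roles,
        'actor_id'  => $actor,
        'request'   => isset( $_SERVER['REQUEST_URI'] )
            ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '',
        'remote'    => filter_var( $remote, FILTER_VALIDATE_IP ) ? $remote : '',
    );
    // Alert sink (assumption): the PHP error log; forward to a SIEM in practice.
    error_log( 'CGAUDIT ' . wp_json_encode( $record ) );
}, 10, 3 );
```

Any record with `"context":"unexpected"` and `"new_role":"administrator"` is the signal the compensating control is meant to raise; pairing it with the stored RegistryUserRole value from the plugin's table tells you whether the setting has already been overwritten.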
Affected Products
- contest-gallery (Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe): ≤ 30.0.2
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H