{"api_version":"1","generated_at":"2026-06-25T15:02:23+00:00","cve":"CVE-2026-12165","urls":{"html":"https://cve.report/CVE-2026-12165","api":"https://cve.report/api/cve/CVE-2026-12165.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-12165","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-12165"},"summary":{"title":"Contest Gallery <= 30.0.2 - Authenticated (Author+) Privilege Escalation via 'RegistryUserRole' Parameter","description":"The Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 30.0.2 via the `RegistryUserRole` parameter. This is due to the plugin's admin menu being registered at the `edit_posts` capability level — granting Contributor-level users access to the plugin's admin pages and a valid `cg_admin` nonce — while the option-saving handler in `change-options-and-sizes.php` performs no `current_user_can()` capability check beyond `check_admin_referer('cg_admin')`, and the `RegistryUserRole` value is processed only through `sanitize_text_field()` and `htmlentities()` without restriction to an allowlist of permitted role names. This makes it possible for authenticated attackers, with author-level access and above, to overwrite the plugin's stored `RegistryUserRole` option with `administrator`, which the `cg_create_wp_user_from_google_user` function then reads back from the `contest_gal1ery_registry_and_login_options` database table without any allowlist validation and passes directly to `wp_update_user()`, effectively promoting a newly registered Google sign-in account to Administrator.","state":"PUBLISHED","assigner":"Wordfence","published_at":"2026-06-17 13:19:57","updated_at":"2026-06-17 14:44:26"},"problem_types":["CWE-269","CWE-269 CWE-269 Improper Privilege Management"],"metrics":[{"version":"3.1","source":"security@wordfence.com","type":"Primary","score":"8.8","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"8.8","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","data":{"baseScore":8.8,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}}],"references":[{"url":"https://plugins.trac.wordpress.org/browser/contest-gallery/tags/30.0.2/functions/google/cg-create-wp-user-from-google-user.php#L169","name":"https://plugins.trac.wordpress.org/browser/contest-gallery/tags/30.0.2/functions/google/cg-create-wp-user-from-google-user.php#L169","refsource":"security@wordfence.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://plugins.trac.wordpress.org/browser/contest-gallery/tags/30.0.2/index.php#L407","name":"https://plugins.trac.wordpress.org/browser/contest-gallery/tags/30.0.2/index.php#L407","refsource":"security@wordfence.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://plugins.trac.wordpress.org/browser/contest-gallery/tags/30.0.2/v10/v10-admin/options/change-options-and-sizes.php#L1242","name":"https://plugins.trac.wordpress.org/browser/contest-gallery/tags/30.0.2/v10/v10-admin/options/change-options-and-sizes.php#L1242","refsource":"security@wordfence.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/69b909da-b1b0-4dab-916c-908511f6556f?source=cve","name":"https://www.wordfence.com/threat-intel/vulnerabilities/id/69b909da-b1b0-4dab-916c-908511f6556f?source=cve","refsource":"security@wordfence.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3571733%40contest-gallery&new=3571733%40contest-gallery&sfp_email=&sfph_mail=","name":"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3571733%40contest-gallery&new=3571733%40contest-gallery&sfp_email=&sfph_mail=","refsource":"security@wordfence.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://plugins.trac.wordpress.org/browser/contest-gallery/tags/30.0.2/v10/v10-admin/options/change-options-and-sizes.php#L16","name":"https://plugins.trac.wordpress.org/browser/contest-gallery/tags/30.0.2/v10/v10-admin/options/change-options-and-sizes.php#L16","refsource":"security@wordfence.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-12165","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-12165","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"contest-gallery","product":"Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe","version":"affected 30.0.2 semver","platforms":[]}],"timeline":[{"source":"CNA","time":"2026-06-12T19:49:28.000Z","lang":"en","value":"Vendor Notified"},{"source":"CNA","time":"2026-06-16T20:57:12.000Z","lang":"en","value":"Disclosed"}],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Chloe Chamberland","lang":"en"},{"source":"CNA","value":"PRISM","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"12165","cve":"CVE-2026-12165","epss":"0.004080000","percentile":"0.324310000","score_date":"2026-06-23","updated_at":"2026-06-24 00:09:26"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-12165","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-06-17T10:38:33.394545Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-06-17T10:38:40.424Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe","vendor":"contest-gallery","versions":[{"lessThanOrEqual":"30.0.2","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"Chloe Chamberland"},{"lang":"en","type":"finder","value":"PRISM"}],"descriptions":[{"lang":"en","value":"The Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 30.0.2 via the `RegistryUserRole` parameter. This is due to the plugin's admin menu being registered at the `edit_posts` capability level — granting Contributor-level users access to the plugin's admin pages and a valid `cg_admin` nonce — while the option-saving handler in `change-options-and-sizes.php` performs no `current_user_can()` capability check beyond `check_admin_referer('cg_admin')`, and the `RegistryUserRole` value is processed only through `sanitize_text_field()` and `htmlentities()` without restriction to an allowlist of permitted role names. This makes it possible for authenticated attackers, with author-level access and above, to overwrite the plugin's stored `RegistryUserRole` option with `administrator`, which the `cg_create_wp_user_from_google_user` function then reads back from the `contest_gal1ery_registry_and_login_options` database table without any allowlist validation and passes directly to `wp_update_user()`, effectively promoting a newly registered Google sign-in account to Administrator."}],"metrics":[{"cvssV3_1":{"baseScore":8.8,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-269","description":"CWE-269 Improper Privilege Management","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-17T09:30:59.218Z","orgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","shortName":"Wordfence"},"references":[{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/69b909da-b1b0-4dab-916c-908511f6556f?source=cve"},{"url":"https://plugins.trac.wordpress.org/browser/contest-gallery/tags/30.0.2/v10/v10-admin/options/change-options-and-sizes.php#L1242"},{"url":"https://plugins.trac.wordpress.org/browser/contest-gallery/tags/30.0.2/functions/google/cg-create-wp-user-from-google-user.php#L169"},{"url":"https://plugins.trac.wordpress.org/browser/contest-gallery/tags/30.0.2/v10/v10-admin/options/change-options-and-sizes.php#L16"},{"url":"https://plugins.trac.wordpress.org/browser/contest-gallery/tags/30.0.2/index.php#L407"},{"url":"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3571733%40contest-gallery&new=3571733%40contest-gallery&sfp_email=&sfph_mail="}],"timeline":[{"lang":"en","time":"2026-06-12T19:49:28.000Z","value":"Vendor Notified"},{"lang":"en","time":"2026-06-16T20:57:12.000Z","value":"Disclosed"}],"title":"Contest Gallery <= 30.0.2 - Authenticated (Author+) Privilege Escalation via 'RegistryUserRole' Parameter"}},"cveMetadata":{"assignerOrgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","assignerShortName":"Wordfence","cveId":"CVE-2026-12165","datePublished":"2026-06-17T09:30:59.218Z","dateReserved":"2026-06-12T19:34:12.938Z","dateUpdated":"2026-06-17T10:38:40.424Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-17 13:19:57","lastModifiedDate":"2026-06-17 14:44:26","problem_types":["CWE-269","CWE-269 CWE-269 Improper Privilege Management"],"metrics":{"cvssMetricV31":[{"source":"security@wordfence.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-06-17T10:38:33.394545Z","id":"CVE-2026-12165","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"12165","Ordinal":"1","Title":"Contest Gallery <= 30.0.2 - Authenticated (Author+) Privilege Es","CVE":"CVE-2026-12165","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"12165","Ordinal":"1","NoteData":"The Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 30.0.2 via the `RegistryUserRole` parameter. This is due to the plugin's admin menu being registered at the `edit_posts` capability level — granting Contributor-level users access to the plugin's admin pages and a valid `cg_admin` nonce — while the option-saving handler in `change-options-and-sizes.php` performs no `current_user_can()` capability check beyond `check_admin_referer('cg_admin')`, and the `RegistryUserRole` value is processed only through `sanitize_text_field()` and `htmlentities()` without restriction to an allowlist of permitted role names. This makes it possible for authenticated attackers, with author-level access and above, to overwrite the plugin's stored `RegistryUserRole` option with `administrator`, which the `cg_create_wp_user_from_google_user` function then reads back from the `contest_gal1ery_registry_and_login_options` database table without any allowlist validation and passes directly to `wp_update_user()`, effectively promoting a newly registered Google sign-in account to Administrator.","Type":"Description","Title":"Contest Gallery <= 30.0.2 - Authenticated (Author+) Privilege Es"}]}}}