CVE-2026-12165 HIGH

CVE-2026-12165: Contest Gallery <= 30.0.2 - Authenticated (Author+) Privilege Escalation via 'RegistryUserRole' Parameter

Vendor Contest-Gallery
Product Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe
Weakness CWE-269
Published June 17, 2026
Last update June 17, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 30.0.2 via the `RegistryUserRole` parameter. This is due to the plugin's admin menu being registered at the `edit_posts` capability level — granting Contributor-level users access to the plugin's admin pages and a valid `cg_admin` nonce — while the option-saving handler in `change-options-and-sizes.php` performs no `current_user_can()` capability check beyond `check_admin_referer('cg_admin')`, and the `RegistryUserRole` value is processed only through `sanitize_text_field()` and `htmlentities()` without restriction to an allowlist of permitted role names. This makes it possible for authenticated attackers, with author-level access and above, to overwrite the plugin's stored `RegistryUserRole` option with `administrator`, which the `cg_create_wp_user_from_google_user` function then reads back from the `contest_gal1ery_registry_and_login_options` database table without any allowlist validation and passes directly to `wp_update_user()`, effectively promoting a newly registered Google sign-in account to Administrator.

Explanation of Vulnerability in Simple Terms

02Summary

Contest Gallery versions up to 30.0.2 contain a privilege management flaw that allows authenticated users with low-level permissions to gain unauthorized access to sensitive functions. An attacker with a basic user account can read, modify, or delete data without proper authorization checks. This affects confidentiality, integrity, and availability of site content.

What an attacker can do

03Attacker Capabilities

Read, modify, or delete site data and settings without proper authorization.

Potential impact on your site

04Site Impact

Unauthorized users can compromise site data, modify content, or disrupt service availability.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege user account on the site; no user interaction required.

Key dates

06Disclosure timeline

June 17, 2026 CVE published