CVE-2021-24915— Contest Gallery < 13.1.0.6 - Missing Access Controls to Unauthenticated SQL injection / Email Address Disclosure

EPSS 83.57% · P99 Updated Feb 25, 2026

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2021-24915

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Contest Gallery < 13.1.0.6 - Missing Access Controls to Unauthenticated SQL injection / Email Address Disclosure

Source: NVD (National Vulnerability Database)

Vulnerability Description

The Contest Gallery WordPress plugin before 13.1.0.6 does not have capability checks and does not sanitise or escape the cg-search-user-name-original parameter before using it in a SQL statement when exporting users from a gallery, which could allow unauthenticated to perform SQL injections attacks, as well as get the list of all users registered on the blog, including their username and email address

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

SQL命令中使用的特殊元素转义处理不恰当(SQL注入)

Source: NVD (National Vulnerability Database)

Vulnerability Title

WordPress SQL注入漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

WordPress是WordPress（Wordpress）基金会的一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。 WordPress 的Contest Gallery 插件 13.1.0.6之前版本存在SQL注入漏洞，该漏洞源于插件没有功能检查，在从库中导出用户时，在SQL语句中使用cg search用户名原始参数之前，没有对其进行清理或转义，攻击者可利用该漏洞执行SQL注入攻击，以及获取所有在博客上注册的用户的列表，包括他们的用户名和电子邮件地址。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Shenlong Deep Dive — AI Deep Analysis

10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.

Read summary Full analysis (login)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
Unknown	Contest Gallery – Photo Contest Plugin for WordPress	13.1.0.6 ~ 13.1.0.6	-

II. Public POCs for CVE-2021-24915

#	POC Description	Source Link	Shenlong Link
1	The plugin does not have capability checks and does not sanitise or escape the cg-search-user-name-original parameter before using it in a SQL statement when exporting users from a gallery, which could allow unauthenticated to perform SQL injections attacks, as well as get the list of all users registered on the blog, including their username and email address.	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-24915.yaml	POC Details

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2021-24915

请登录查看更多情报信息。

https://gist.github.com/tpmiller87/6c05596fe27dd6f69f1aaba4cbb9c917x_refsource_MISC
https://wpscan.com/vulnerability/45ee86a7-1497-4c81-98b8-9a8e5b3d4facx_refsource_MISC
https://nvd.nist.gov/vuln/detail/CVE-2021-24915

Same Patch Batch · Unknown · 2021-11-29 · 19 CVEs total

CVE-2021-24822		Stylish Cost Calculator < 7.04 - Subscriber+ Unauthorised AJAX Calls to Stored XSS
CVE-2017-20008		myCRED < 1.7.8 - Reflected Cross-Site Scripting
CVE-2021-24745		About Author Box < 1.0.2 - Contributor+ Stored Cross-Site Scripting
CVE-2021-24748		Email Before Download < 6.8 - Admin+ SQL Injection
CVE-2021-24749		URL Shortify < 1.5.1 - Arbitrary Link/Group Deletion via CSRF
CVE-2021-24751		GenerateBlocks < 1.4.0 - Contributor+ Stored Cross-Site Scripting
CVE-2021-24755		myCred < 2.3 - Subscriber+ SQL Injection
CVE-2021-24768		WP RSS Aggregator < 4.19.2 - Admin+ Stored Cross-Site Scripting
CVE-2021-24811		Shop Page WP < 1.2.8 - Admin+ Stored Cross-Site Scripting
CVE-2021-24927		My Calendar < 3.2.18 - Subscriber+ Reflected Cross-Site Scripting
CVE-2021-24842		Bulk Datetime Change < 1.12 - Missing Authorisation
CVE-2021-24860		BSK PDF Manager < 3.1.2 - Admin+ SQL Injection
CVE-2021-24876		Registrations for The Events Calendar < 2.7.5 - Reflected Cross-Site Scripting
CVE-2021-24883		Popup Anything < 2.0.4 - Contributor+ Stored Cross-Site Scripting
CVE-2021-24889		Ninja Forms < 3.6.4 - Admin+ SQL Injection
CVE-2021-24899		Media-Tags <= 3.2.0.2 - Admin+ Stored Cross-Site Scripting
CVE-2021-24908		Check & Log Email < 1.0.4 - Reflected Cross-Site Scripting
CVE-2021-24918		Smash Balloon Social Post Feed < 4.0.1 - Subscriber+ Arbitrary Plugin Settings Update to S

IV. Related Vulnerabilities

Same vendor: Unknown

Same weakness: CWE-89

V. Comments for CVE-2021-24915

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2021-24915— Contest Gallery < 13.1.0.6 - Missing Access Controls to Unauthenticated SQL injection / Email Address Disclosure

I. Basic Information for CVE-2021-24915

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Shenlong Deep Dive — AI Deep Analysis

Affected Products

II. Public POCs for CVE-2021-24915

III. Intelligence Information for CVE-2021-24915

Same Patch Batch · Unknown · 2021-11-29 · 19 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2021-24915

Leave a comment