CVE-2026-12165
HighCVSS 8.8Exploitation Probability (EPSS)
Low risk42th percentile — higher than 42% of all known CVEs
Summary
The Contest Gallery plugin for WordPress is vulnerable to privilege escalation in versions up to and including 30.0.2 via the `RegistryUserRole` parameter. This allows users with author-level access and above to overwrite the `RegistryUserRole` option to `administrator`.
Risk Assessment
Attackers can gain unauthorized access to administrator privileges, posing a serious security threat to the entire site. This could lead to full control of the system by unauthorized individuals.
Recommendation
It is recommended to update the plugin to the latest version to eliminate this vulnerability. Additionally, conducting a user permissions audit and monitoring logs for unauthorized changes is advisable.
Original NVD description (English source)
The Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 30.0.2 via the `RegistryUserRole` parameter. This is due to the plugin's admin menu being registered at the `edit_posts` capability level — granting Contributor-level users access to the plugin's admin pages and a valid `cg_admin` nonce — while the option-saving handler in `change-options-and-sizes.php` performs no `current_user_can()` capability check beyond `check_admin_referer('cg_admin')`, and the `RegistryUserRole` value is processed only through `sanitize_text_field()` and `htmlentities()` without restriction to an allowlist of permitted role names. This makes it possible for authenticated attackers, with author-level access and above, to overwrite the plugin's stored `RegistryUserRole` option with `administrator`, which the `cg_create_wp_user_from_google_user` function then reads back from the `contest_gal1ery_registry_and_login_options` database table without any allowlist validation and passes directly to `wp_update_user()`, effectively promoting a newly registered Google sign-in account to Administrator.

