CVE-2026-40771

Vulnerability

The Contest Gallery plugin for WordPress versions up to and including 28.1.6 contains an unauthenticated SQL injection vulnerability. The flaw exists in an unspecified input parameter that fails to properly sanitize user-supplied data before incorporating it into SQL queries. No authentication is required to reach the vulnerable code path, making it accessible to any remote attacker [1].

Exploitation

An attacker can exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable endpoint without any prior authentication. The reference indicates that this vulnerability is expected to be used in mass-exploit campaigns targeting thousands of websites, regardless of traffic size or popularity [1]. The exact exploitation steps are not publicly detailed, but typical SQL injection techniques involve injecting malicious SQL payloads into input fields to manipulate database queries.

Impact

Successful exploitation allows an attacker to directly interact with the underlying database, enabling actions such as stealing sensitive information (e.g., user credentials, personal data, and stored content). The CVSS score of 9.3 (Critical) reflects the high potential for data compromise and the ease of exploitation [1].

Mitigation

The vendor has released version 28.1.7 which resolves the vulnerability. Users are strongly advised to update immediately. For those unable to update, Patchstack has issued a mitigation rule to block attacks until the patch is applied. No other workarounds are documented [1].