The Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 30.0.2 via the RegistryUserRole parameter. This is due to the plugins admin menu being registered at the edit_posts capability level — granting Contributor-level users access to the plugins admin pages and a valid cg_admin nonce — while the option-saving handler in change-options-and-sizes.php performs no current_user_can() capability check beyond check_admin_referer(cg_admin), and the RegistryUserRole value is processed only through sanitize_text_field() and htmlentities() without restriction to an allowlist of permitted role names. This makes it possible for authenticated attackers, with author-level access and above, to overwrite the plugins stored RegistryUserRole option with administrator, which the cg_create_wp_user_from_google_user function then reads back from the contest_gal1ery_registry_and_login_options database table without any allowlist validation and passes directly to wp_update_user(), effectively promoting a newly registered Google sign-in account to Administrator.
Weakness
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/122.html
- https://cwe.mitre.org/data/definitions/233.html
- https://cwe.mitre.org/data/definitions/58.html
References
- https://plugins.trac.wordpress.org/browser/contest-gallery/tags/30.0.2/functions/google/cg-create-wp-user-from-google-user.php#L169
- https://plugins.trac.wordpress.org/browser/contest-gallery/tags/30.0.2/index.php#L407
- https://plugins.trac.wordpress.org/browser/contest-gallery/tags/30.0.2/v10/v10-admin/options/change-options-and-sizes.php#L1242
- https://plugins.trac.wordpress.org/browser/contest-gallery/tags/30.0.2/v10/v10-admin/options/change-options-and-sizes.php#L16
- https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3571733%40contest-gallery\u0026new=3571733%40contest-gallery\u0026sfp_email=\u0026sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/69b909da-b1b0-4dab-916c-908511f6556f?source=cve