CVE-2024-30236 – This SQL injection vulnerability in the WordPre... (How to Fix)

Q: What is the severity of CVE-2024-30236?

CVE-2024-30236 has a CVSS score of 8.5 (HIGH). This SQL injection vulnerability in the WordPress Contest Gallery plugin allows attackers to execute arbitrary SQL commands on affected websites. It affects all versions up to 21.3.4, potentially compromising database integrity and exposing sensitive information.

📋 TL;DR

This SQL injection vulnerability in the WordPress Contest Gallery plugin allows attackers to execute arbitrary SQL commands on affected websites. It affects all versions up to 21.3.4, potentially compromising database integrity and exposing sensitive information.

💻 Affected Systems

Products:

WordPress Contest Gallery Plugin

Versions: All versions up to and including 21.3.4

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Affects all WordPress installations with vulnerable plugin versions installed and activated.

📦 What is this software?

Contest Gallery by Contest Gallery

View all CVEs affecting Contest Gallery →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data manipulation, or full website takeover via privilege escalation.

🟠

Likely Case

Unauthorized data access including user information, plugin data, and potentially WordPress user credentials.

🟢

If Mitigated

Limited impact with proper input validation and database user permissions restricting damage to the plugin's own tables.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

SQL injection vulnerabilities are commonly weaponized quickly due to available tooling and predictable patterns.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 21.3.5 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/contest-gallery/wordpress-contest-gallery-plugin-21-3-4-sql-injection-vulnerability

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find Contest Gallery plugin. 4. Click 'Update Now' if available. 5. Alternatively, download latest version from WordPress repository and manually update.

🔧 Temporary Workarounds

Disable Plugin

all

Temporarily disable the Contest Gallery plugin until patched

wp plugin deactivate contest-gallery

Web Application Firewall

all

Implement WAF rules to block SQL injection patterns

🧯 If You Can't Patch

Restrict database user permissions to read-only for the plugin's database user
Implement network segmentation to isolate the vulnerable system

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Contest Gallery version number

Check Version:

wp plugin get contest-gallery --field=version

Verify Fix Applied:

Verify plugin version is 21.3.5 or higher in WordPress admin

📡 Detection & Monitoring

Log Indicators:

Unusual SQL queries in database logs
Multiple failed login attempts from single IP
Unexpected database errors in WordPress logs

Network Indicators:

HTTP requests with SQL syntax in parameters
Unusual traffic patterns to plugin endpoints

SIEM Query:

source="wordpress.log" AND "contest-gallery" AND ("SQL" OR "database error" OR "syntax error")

📊 Metadata

CVE ID: CVE-2024-30236

CVSS v3 Score: 8.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L

CWE: CWE-89

Published: March 28, 2024

Last Updated: April 8, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-30236, you might also want to check these: