How should operators remediate CVE-2019-5974?

Update to 10.4.5 or newer where that release is compatible with the site.

Vulnerability Report

Plugin High Patch path listed CVE-2019-5974

Contest Gallery – Photo Contest Plugin for WordPress <= 10.4.4 - Cross-Site Request Forgery

Q: What is CVE-2019-5974?

CVE-2019-5974 is tracked as a Cross-Site Request Forgery issue affecting the Plugin Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe.

Q: Which Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe versions are affected?

The primary affected range is Versions up to 10.4.4.

Cross-site request forgery (CSRF) vulnerability in Contest Gallery versions prior to 10.4.5 allows remote attackers to hijack the authentication of administrators via unspecified vectors.

Quick Answer

CVE-2019-5974 is a high severity with CVSS 8.8 Cross-Site Request Forgery issue affecting the Plugin Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe. It affects Versions up to 10.4.4 and is fixed in 10.4.5.

Back to Feed View Plugin Hub Open CVE Reference

Published

Jun 12, 2019

Last Updated

Jan 22, 2024

Slug

contest-gallery

Risk Profile

8.8 CVSS Score

Weakness

Cross-Site Request Forgery (CSRF)

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Researchers

Okazawa Yoshihiro

Operational Summary

What the operator needs to know

Share Email

Patch Status

Patched release is available

Remediation

Update to version 10.4.5, or a newer patched version

Operator Briefing

CVE-2019-5974 is tracked for the Plugin Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe as high severity with CVSS 8.8. The affected range is Versions up to 10.4.4. Update Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe to 10.4.5 or newer where that version is compatible with the site.

Issue Type

Cross-Site Request Forgery

Primary Fixed Version

10.4.5

Primary Affected Range

Versions up to 10.4.4

Tracking ID

CVE-2019-5974

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/fb4b6d33-82cd-4c41-ba54-dbc7fe5f6ac6?source=api-prod

Detailed Metadata

Software Type	Plugin
Software Slug	contest-gallery View on wordpress.org
CVE	CVE-2019-5974
Patched Versions	10.4.5
Affected Versions	Versions up to 10.4.4

Related CVE Cluster

Related CVEs for Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe

These internal links group the same WordPress plugin by CVE, issue type, severity, and patch status so operators and search engines can connect the full vulnerability cluster.

Critical CVE-2024-30238 21.3.2.1 Mar 26, 2024

CVE-2024-30238 Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe SQL Injection

Photos and Files Contest Gallery <= 21.3.2 - Authenticated (Contributor+) SQL Injection

Critical CVE-2024-30236 21.3.5 Mar 26, 2024

CVE-2024-30236 Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe SQL Injection

Photos and Files Contest Gallery <= 21.3.4 - Authenticated (Contributor+) SQL Injection

Critical CVE-2024-11103 24.0.8 Nov 27, 2024

CVE-2024-11103 Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe Privilege Escalation

Contest Gallery <= 24.0.7 - Unauthenticated Arbitrary Password Reset to Privilege Escalation/Account Takeover

Critical CVE-2024-10687 24.0.4 Nov 04, 2024

CVE-2024-10687 Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe SQL Injection

Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons <= 24.0.3 - Unauthenticated SQL Injection

Critical CVE-2021-24915 13.1.0.6 Apr 13, 2022

CVE-2021-24915 Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe SQL Injection

Contest Gallery – Photo Contest Plugin for WordPress <= 13.1.0.5 - SQL Injection

High CVE-2022-4150 19.1.5.1 Dec 05, 2022

CVE-2022-4150 Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe SQL Injection

Contest Gallery (Pro) <= 19.1.5 - SQL Injection via option_id

High CVE-2022-36394 17.0.5 Aug 09, 2022

CVE-2022-36394 Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe SQL Injection

Contest Gallery <= 17.0.4 - Authenticated (Author+) SQL Injection

High CVE-2026-4021 28.1.6 Mar 23, 2026

CVE-2026-4021 Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe Privilege Escalation

Contest Gallery <= 28.1.5 - Unauthenticated Privilege Escalation Admin Account Takeover via Registration Confirmation Email-to-ID Type Confusion

Licensing Notices

This record contains material that is subject to copyright

DEFIANT

License: Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. Read more

MITRE

License: CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. Read more