Impact
The Contest Gallery WordPress plugin contains a Cross‑Site Request Forgery vulnerability. An attacker can cause an authenticated user to send a forged HTTP request to the site. Because the request is processed with the victim’s privileges, the attack may trigger unintended actions exposed by the plugin, such as modifying or deleting plugin data or settings, if the victim has the necessary access rights. The weakness is a classic CSRF, classified as CWE‑352.
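The following is an added illustration of the weakness class described above and its standard WordPress mitigation; it is not Contest Gallery's code and does not reflect the plugin's actual handlers. It shows a hypothetical admin action that acts on any request carrying the expected POST fields, next to a hardened version that binds the form to a nonce, verifies it with `check_admin_referer()`, and checks the caller's capability. The `cg_example` prefix, hook names and option names are assumptions made for the example.

```php
<?php
// Added example, not Contest Gallery's code. The "cg_example" prefix, the
// admin_post hook name and the option names are hypothetical.

// CSRF-prone handler: a request with the right POST fields is acted on no
// matter where it originated, so a form on a third-party page submitted by a
// logged-in administrator's browser runs with that administrator's privileges.
function cg_example_delete_gallery_unsafe() {
    if ( isset( $_POST['gallery_id'] ) ) {
        delete_option( 'cg_example_gallery_' . absint( $_POST['gallery_id'] ) );
        wp_safe_redirect( admin_url( 'admin.php?page=cg_example' ) );
        exit;
    }
}

// Hardened form: wp_nonce_field() embeds a nonce tied to the action, the
// specific gallery id and the current user's session. A third-party page cannot
// read or predict it, so a forged request fails the check below.
function cg_example_render_delete_form( $gallery_id ) {
    $gallery_id = absint( $gallery_id );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="cg_example_delete_gallery">
        <input type="hidden" name="gallery_id" value="<?php echo $gallery_id; ?>">
        <?php wp_nonce_field( 'cg_example_delete_gallery_' . $gallery_id, '_cg_nonce' ); ?>
        <?php submit_button( 'Delete gallery' ); ?>
    </form>
    <?php
}

// Hardened handler: capability check first, then nonce verification.
// check_admin_referer() ends the request with a 403 page if the nonce is
// missing, expired or issued for a different action or user.
function cg_example_delete_gallery_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    $gallery_id = isset( $_POST['gallery_id'] ) ? absint( $_POST['gallery_id'] ) : 0;
    check_admin_referer( 'cg_example_delete_gallery_' . $gallery_id, '_cg_nonce' );

    delete_option( 'cg_example_gallery_' . $gallery_id );
    wp_safe_redirect( admin_url( 'admin.php?page=cg_example' ) );
    exit;
}
add_action( 'admin_post_cg_example_delete_gallery', 'cg_example_delete_gallery_safe' );
```

The capability check alone would not close the hole: a forged request from the administrator's own browser passes `current_user_can()`, which is exactly the privilege-borrowing described in the Impact section. The nonce is what ties the request to a form the site itself rendered for that user. Reviewing a plugin for CWE-352 therefore means locating every state-changing handler (`admin_post_*`, `wp_ajax_*`, custom `init` hooks reading `$_POST` or `$_GET`) and confirming each one calls `check_admin_referer()`, `check_ajax_referer()` or `wp_verify_nonce()` before acting.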
Affected Systems
WordPress sites that have installed the Contest Gallery plugin from version n/a through 28.0.0, developed by Wasiliy Strecker. All installations using any of those versions are affected, regardless of the WordPress core version they are running.
Risk and Exploitability
The CVSS score of 4.3 indicates a moderate severity issue, while the EPSS score of less than 1 % shows a very low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The attack vector is a typical CSRF scenario where a malicious website or email induces a logged‑in user to send a forged request to the site. The flaw does not allow privilege escalation or remote code execution, but it can be used to perform plugin‑level actions while the user session is active.
OpenCVE Enrichment