CVE-2026-24964 - Vulnerability Details

- WordPress Contest Gallery plugin <= 28.1.2.1 - Server Side Request Forgery (SSRF) vulnerability

Description

Server-Side Request Forgery (SSRF) vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery allows Server Side Request Forgery.This issue affects Contest Gallery: from n/a through <= 28.1.2.1.

Published: 2026-03-25

Score: 6.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Contest Gallery WordPress plugin contains a Server‑Side Request Forgery flaw that allows an attacker to make the plugin issue HTTP requests to arbitrary URLs. This weakness can enable the attacker to reach internal systems or services that should not be exposed to the public, potentially disclosing confidential data or facilitating further attacks. Based on the description, it is inferred that the attacker could use the plugin as a proxy to access otherwise unreachable resources. The flaw is classified as CWE‑918.

Affected Systems

The vulnerability affects the Contest Gallery plugin developed by Wasiliy Strecker. Any WordPress site running versions from the first public release through 28.1.2.1 is potentially impacted. No further sub‑version details are provided, so all releases up to and including 28.1.2.1 should be considered exposed.

Risk and Exploitability

The CVSS score of 6.4 indicates medium severity, and the EPSS score of less than 1% suggests a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers would need the ability to trigger the plugin, likely through a specific endpoint, which may require authenticated access or could be exposed publicly; this is inferred from typical SSRF vectors. While the risk is moderate, any exposure to sensitive internal resources should be mitigated promptly.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Wasiliy Strecker / ContestGallery developer

Contest Gallery

unaffected

Version	Status	Constraints
`0`	affected	≤ 28.1.2.1

No data.

Vendor Product Confidence Versions

Wasiliy Strecker / Contestgallery Developer

Contest Gallery

100%

Version	Status	Scheme	Platform
`[0,28.1.2.1]`	affected	generic	—
`28.1.2.2`	unaffected	generic	—

Wordpress

80%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Contest Gallery plugin to a version newer than 28.1.2.1
Restrict WordPress server outbound traffic to known external endpoints, blocking unknown requests
Disable or limit the plugin features that trigger SSRF if an update is not available
Monitor plugin activity and review logs for abnormal outbound connections
Ensure internal resources are not reachable from the public internet

Generated by OpenCVE AI on March 26, 2026 at 22:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00032.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://patchstack.com/database/Wordpress/Plugin/contest-gallery/vulnerability/wordpress-contest-gallery-plugin-28-1-2-1-server-side-request-forgery-ssrf-vulnerability?_s_id=cve

History

Thu, 26 Mar 2026 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 26 Mar 2026 12:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wasiliy Strecker / Contestgallery Developer Wasiliy Strecker / Contestgallery Developer contest Gallery Wordpress Wordpress wordpress
Vendors & Products		Wasiliy Strecker / Contestgallery Developer Wasiliy Strecker / Contestgallery Developer contest Gallery Wordpress Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type	Values Removed	Values Added
Description		Server-Side Request Forgery (SSRF) vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery allows Server Side Request Forgery.This issue affects Contest Gallery: from n/a through <= 28.1.2.1.
Title		WordPress Contest Gallery plugin <= 28.1.2.1 - Server Side Request Forgery (SSRF) vulnerability
Weaknesses		CWE-918
References		https://patchstack.com/database/Wordpress/Plugin/contest-gallery/vulnerability/wordpress-contest-gallery-plugin-28-1-2-1-server-side-request-forgery-ssrf-vulnerability?_s_id=cve

Subscriptions

Wasiliy Strecker / Contestgallery Developer Contest Gallery

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2026-03-25T16:14:33.077Z

Updated: 2026-04-28T16:14:51.965Z

Reserved: 2026-01-28T09:50:35.465Z

Link: CVE-2026-24964

Vulnrichment

Updated: 2026-03-26T20:14:16.115Z

NVD

Status : Deferred

Published: 2026-03-25T17:16:38.523

Modified: 2026-04-24T16:32:53.997

Link: CVE-2026-24964

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:46:24Z

Weaknesses

CWE-918

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object