Description
Authentication Bypass Using an Alternate Path or Channel vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery allows Authentication Abuse.This issue affects Contest Gallery: from n/a through <= 28.1.2.2.
Published: 2026-03-25
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Account takeover
Action: Immediate Patch
AI Analysis

Impact

The reported vulnerability allows an attacker to bypass authentication by exploiting an alternate path or channel within the Contest Gallery plugin. This authentication bypass can be used to gain unauthorized access to any user account, including administrative accounts, thereby giving the attacker full control over the WordPress site’s content, configuration, and potentially sensitive user data.

Affected Systems

This issue affects the Contest Gallery WordPress plugin, developed by Wasiliy Strecker / Contest Gallery. All releases up to and including version 28.1.2.2 are vulnerable, with the problem present in every release prior to the unavailable baseline

Risk and Exploitability

The CVSS score of 9.8 indicates a critical severity, yet the EPSS score of less than 1% suggests that the likelihood of active exploitation is currently low. The vulnerability is not listed in CISA’s KEV catalog, implying no known mass exploitation at this time. The attack vector is remote, requiring only access to the contested plugin’s alternate authentication channel, which an attacker can target through a website’s exposed endpoints. No special privileges or local conditions are required to exploit this flaw.

Generated by OpenCVE AI on March 26, 2026 at 19:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Contest Gallery plugin to a version newer than 28.1.2.2 to remove the authentication bypass flaw
  • If an upgrade is not immediately possible, deactivate or remove the Contest Gallery plugin from the site to eliminate the attack surface
  • Deploy monitoring or logging mechanisms to detect unauthorized login attempts or account takeovers
  • Apply general WordPress security best practices, including limiting login attempts and using strong, unique passwords for all accounts

Generated by OpenCVE AI on March 26, 2026 at 19:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Wasiliy Strecker / Contestgallery Developer
Wasiliy Strecker / Contestgallery Developer contest Gallery
Wordpress
Wordpress wordpress
Vendors & Products Wasiliy Strecker / Contestgallery Developer
Wasiliy Strecker / Contestgallery Developer contest Gallery
Wordpress
Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Authentication Bypass Using an Alternate Path or Channel vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery allows Authentication Abuse.This issue affects Contest Gallery: from n/a through <= 28.1.2.2.
Title WordPress Contest Gallery plugin <= 28.1.2.2 - Account Takeover vulnerability
Weaknesses CWE-288
References

Subscriptions

Wasiliy Strecker / Contestgallery Developer Contest Gallery
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:14:08.647Z

Reserved: 2026-01-28T09:52:08.058Z

Link: CVE-2026-25035

cve-icon Vulnrichment

Updated: 2026-03-26T17:34:46.583Z

cve-icon NVD

Status : Deferred

Published: 2026-03-25T17:16:43.377

Modified: 2026-04-24T16:32:53.997

Link: CVE-2026-25035

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:46:05Z

Weaknesses