Description
The Contest Gallery plugin for WordPress is vulnerable to an authentication bypass leading to admin account takeover in all versions up to, and including, 28.1.5. This is due to the email confirmation handler in `users-registry-check-after-email-or-pin-confirmation.php` using the user's email string in a `WHERE ID = %s` clause instead of the numeric user ID, combined with an unauthenticated key-based login endpoint in `ajax-functions-frontend.php`. When the non-default `RegMailOptional=1` setting is enabled, an attacker can register with a crafted email starting with the target user ID (e.g., `1poc@example.test`), trigger the confirmation flow to overwrite the admin's `user_activation_key` via MySQL integer coercion, and then use the `post_cg1l_login_user_by_key` AJAX action to authenticate as the admin without any credentials. This makes it possible for unauthenticated attackers to take over any WordPress administrator account and gain full site control.
Published: 2026-03-23
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Admin Account Takeover
Action: Immediate Patch
AI Analysis

Impact

The Contest Gallery WordPress plugin lets an unauthenticated attacker assume the role of any site administrator. Two defects combine: the email confirmation handler passes the registrant's email string into a `WHERE ID = %s` clause that should only ever receive the numeric user ID, and a separate AJAX action (`post_cg1l_login_user_by_key`) logs a user in on presentation of their activation key alone. With the non-default `RegMailOptional=1` setting enabled, the attacker registers with an email whose local part begins with the target's user ID (for example `1poc@example.test` to target ID 1) and triggers the confirmation flow. MySQL compares the numeric ID column with that string by converting the string to a number, which keeps only its leading digits, so the UPDATE writes the attacker-known activation key onto the administrator's row instead of the attacker's own. The attacker then submits that key to the AJAX login action and is authenticated as the administrator, gaining full control of the site. The effect is a complete privilege escalation that compromises the confidentiality, integrity and availability of site data (the CVSS vector rates all three High).
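The coercion at the heart of the bug, shown on a constructed two-row model of `wp_users`. This is an added example for illustration, not the plugin's code or the advisory's proof of concept; the table name `demo_users`, the rows and the key values are assumptions. It runs as written on MySQL or MariaDB:

```sql
-- Constructed model of the relevant wp_users columns (assumption: names mirror WordPress).
CREATE TABLE demo_users (
  ID                  BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  user_login          VARCHAR(60)  NOT NULL,
  user_email          VARCHAR(100) NOT NULL,
  user_activation_key VARCHAR(255) NOT NULL DEFAULT ''
);
INSERT INTO demo_users (ID, user_login, user_email) VALUES
  (1, 'admin', 'admin@example.test'),   -- the target: user ID 1
  (2, 'poc',   '1poc@example.test');    -- the attacker's registration: email starts with "1"

-- 1) Vulnerable shape: the value bound into the %s placeholder is the registrant's
--    email, not their ID. ID is numeric, so MySQL converts the string to a number for
--    the comparison, keeping only the leading digits ('1poc@example.test' -> 1), and
--    the UPDATE lands on the administrator's row, not the registrant's.
UPDATE demo_users
   SET user_activation_key = 'attacker-known-key'
 WHERE ID = '1poc@example.test';
SHOW WARNINGS;   -- reports the 1292 "Truncated incorrect DOUBLE value" conversion
SELECT ID, user_login, user_activation_key FROM demo_users WHERE ID = 1;

-- 2) Casting the string inside SQL is NOT a fix: the leading-digit prefix survives
--    the cast exactly as it survives the implicit conversion above.
SELECT CAST('1poc@example.test' AS UNSIGNED) AS coerced_id;

-- 3) Hardened shape: resolve the registrant by an exact string comparison on
--    user_email (VARCHAR to VARCHAR, no numeric coercion), then update by that
--    integer only. In wpdb terms: SELECT ... WHERE user_email = %s, then
--    UPDATE ... WHERE ID = %d with the returned integer.
SET @uid := (SELECT ID FROM demo_users WHERE user_email = '1poc@example.test' LIMIT 1);
UPDATE demo_users
   SET user_activation_key = 'fresh-random-key'
 WHERE ID = @uid;
SELECT ID, user_login, user_activation_key FROM demo_users ORDER BY ID;
```

Step 1 rewrites the administrator's row and SHOW WARNINGS reports warning 1292 for the string-to-number conversion. Under a strict sql_mode the same UPDATE fails with error 1292 instead, but WordPress's wpdb strips STRICT_TRANS_TABLES and STRICT_ALL_TABLES from the session sql_mode when it connects, so on a stock WordPress install the coercion is silent. Step 2 shows why "sanitising" the value with a cast does not help. Step 3 is the only sound shape: look the registrant up by exact email match (in WordPress, `get_user_by('email', $email)` returns the user object whose `ID` is already an integer) and bind that integer with `%d`.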

Affected Systems

All installations of the Contest Gallery plugin for WordPress up to and including version 28.1.5 are affected. The vulnerable code is in users-registry-check-after-email-or-pin-confirmation.php (the confirmation handler that binds the email string into the ID comparison) and ajax-functions-frontend.php (the unauthenticated key-based login action) within the plugin codebase; the known attack path additionally needs the plugin's registration flow to be reachable by the attacker with RegMailOptional set to 1.

Risk and Exploitability

The CVSS 3.1 base score is 8.1 (High), vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H: reachable over the network without credentials or user interaction, with attack complexity rated high because the non-default RegMailOptional=1 setting must be in place. The EPSS score is below 1%, so there is as yet no signal of active exploitation, and the flaw is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog; the SSVC assessment in the history below likewise records Exploitation: none. The known attack path requires that the attacker be able to register an account on the target site and that RegMailOptional be set to 1, which limits the exposed population but leaves any site with that configuration open to a straightforward attack. Once those conditions hold, no credentials are needed: one registration with a crafted email, the confirmation flow, and one request to the key-based AJAX login action.

Generated by OpenCVE AI on March 24, 2026 at 03:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Contest Gallery to version 28.1.6 or later.
  • Disable the RegMailOptional option in the plugin settings (set to 0).
  • Until the plugin is updated, block unauthenticated requests to admin-ajax.php whose action parameter is post_cg1l_login_user_by_key (for example with a WAF or web server rule), if the site can do without key-based login in the meantime.
  • Audit administrator accounts: clear any user_activation_key the owner did not request, reset passwords and invalidate sessions for administrators that may have been accessed, and review recently registered users whose email address begins with digits matching an existing user ID.
  • Monitor web server and plugin logs for registrations with digit-prefixed email addresses, for admin-ajax.php requests carrying the key-based login action, and for administrator logins from unfamiliar addresses.
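Audit queries for the last three actions, added here as an example; they are not from the advisory or the plugin. They assume the default wp_ table prefix and the wp_capabilities meta key that prefix implies, and the ID in the final statement is a placeholder; change all of these for your site.

```sql
-- a) Registrations whose email begins with digits equal to some other user's ID:
--    the crafted shape the advisory describes (e.g. 1poc@example.test aimed at ID 1).
--    CAST(... AS UNSIGNED) keeps only the leading digits, which is the same
--    conversion the vulnerable WHERE clause performs implicitly.
SELECT r.ID         AS registrant_id,
       r.user_email,
       r.user_registered,
       t.ID         AS targeted_id,
       t.user_login AS targeted_login
  FROM wp_users AS r
  JOIN wp_users AS t
    ON t.ID = CAST(r.user_email AS UNSIGNED)
 WHERE r.user_email REGEXP '^[0-9]'
   AND r.ID <> t.ID
 ORDER BY r.user_registered DESC;

-- b) Administrators that currently hold an activation key. Until it is cleared,
--    such a key is a login credential for the plugin's key-based AJAX action.
--    Legitimate causes exist too (a pending WordPress password reset stores a
--    'time:hash' value here), so confirm with the account owner before treating
--    a hit as compromise.
SELECT u.ID, u.user_login, u.user_email, u.user_activation_key
  FROM wp_users AS u
  JOIN wp_usermeta AS m
    ON m.user_id  = u.ID
   AND m.meta_key = 'wp_capabilities'
 WHERE m.meta_value LIKE '%"administrator"%'
   AND u.user_activation_key <> '';

-- c) Clear a suspect key by integer ID only, never by email. Replace 1 (a
--    placeholder) with the administrator's ID from query b. Any pending password
--    reset for that user is invalidated, which is the intent.
UPDATE wp_users SET user_activation_key = '' WHERE ID = 1;
```

Query a surfaces the registration half of the attack even when the confirmation flow was never completed, so it is worth running on every site that had RegMailOptional=1, not only on ones with signs of admin misuse. Query b is the state check: after patching, an administrator row with an unexplained key is the artefact that still grants access, and statement c removes it.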

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 19:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (empty)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 10:45:00 +0000

Type: First Time appeared
Values Removed: (empty)
Values Added: Contest-gallery; Contest-gallery contest Gallery – Upload & Vote Photos, Media, Sell With Paypal & Stripe; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (empty)
Values Added: Contest-gallery; Contest-gallery contest Gallery – Upload & Vote Photos, Media, Sell With Paypal & Stripe; Wordpress; Wordpress wordpress

Tue, 24 Mar 2026 02:30:00 +0000

Type: Description
Values Removed: (empty)
Values Added: The Contest Gallery plugin for WordPress is vulnerable to an authentication bypass leading to admin account takeover in all versions up to, and including, 28.1.5. This is due to the email confirmation handler in `users-registry-check-after-email-or-pin-confirmation.php` using the user's email string in a `WHERE ID = %s` clause instead of the numeric user ID, combined with an unauthenticated key-based login endpoint in `ajax-functions-frontend.php`. When the non-default `RegMailOptional=1` setting is enabled, an attacker can register with a crafted email starting with the target user ID (e.g., `1poc@example.test`), trigger the confirmation flow to overwrite the admin's `user_activation_key` via MySQL integer coercion, and then use the `post_cg1l_login_user_by_key` AJAX action to authenticate as the admin without any credentials. This makes it possible for unauthenticated attackers to take over any WordPress administrator account and gain full site control.

Type: Title
Values Removed: (empty)
Values Added: Contest Gallery <= 28.1.5 - Unauthenticated Privilege Escalation Admin Account Takeover via Registration Confirmation Email-to-ID Type Confusion

Type: Weaknesses
Values Removed: (empty)
Values Added: CWE-287

Type: References
Values Removed: (empty)
Values Added: (empty)

Type: Metrics (cvssV3_1)
Values Removed: (empty)
Values Added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:32:30.381Z

Reserved: 2026-03-11T20:10:49.726Z

Link: CVE-2026-4021

Vulnrichment

Updated: 2026-03-24T18:43:39.268Z

NVD

Status : Awaiting Analysis

Published: 2026-03-24T00:16:31.210

Modified: 2026-03-24T15:53:48.067

Link: CVE-2026-4021

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:36:01Z

Weaknesses