CVE-2026-25035 CRITICAL

CVE-2026-25035: WordPress Contest Gallery plugin <= 28.1.2.2 - Account Takeover vulnerability

Vendor Wasiliy Strecker / Contestgallery Developer

Product Contest Gallery

Weakness CWE-288

Published March 25, 2026

Last update April 28, 2026

View on NVD All CVEs

CVSS base score

9.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

Description

Authentication Bypass Using an Alternate Path or Channel vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery allows Authentication Abuse.This issue affects Contest Gallery: from n/a through <= 28.1.2.2.

Key dates

Disclosure timeline

March 25, 2026 CVE published

April 28, 2026 Record updated

Identifiers

CVE CVE-2026-25035

CWE CWE-288

CVSS 9.8 / CRITICAL

Affected versions

Vendor Wasiliy Strecker / Contestgallery Developer

Product Contest Gallery

Affected ≤ 28.1.2.2