CVE-2026-4021 HIGH

CVE-2026-4021: Contest Gallery <= 28.1.5 - Unauthenticated Privilege Escalation Admin Account Takeover via Registration Confirmation Email-to-ID Type Confusion

Vendor Contest-Gallery
Product Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe
Weakness CWE-287 · Improper authentication
Published March 23, 2026
Last update April 8, 2026

CVSS base score

8.1/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The Contest Gallery plugin for WordPress is vulnerable to an authentication bypass leading to admin account takeover in all versions up to, and including, 28.1.5. This is due to the email confirmation handler in `users-registry-check-after-email-or-pin-confirmation.php` using the user's email string in a `WHERE ID = %s` clause instead of the numeric user ID, combined with an unauthenticated key-based login endpoint in `ajax-functions-frontend.php`. When the non-default `RegMailOptional=1` setting is enabled, an attacker can register with a crafted email starting with the target user ID (e.g., `1poc@example.test`), trigger the confirmation flow to overwrite the admin's `user_activation_key` via MySQL integer coercion, and then use the `post_cg1l_login_user_by_key` AJAX action to authenticate as the admin without any credentials. This makes it possible for unauthenticated attackers to take over any WordPress administrator account and gain full site control.
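The email-to-ID type confusion described above, as an added example that is not the plugin's code: a small Python emulation of MySQL's implicit string-to-number conversion, with the flawed lookup shape (email bound into an `ID` clause) beside a corrected one that resolves the email to a genuine integer ID first. The user rows are constructed for the example.

```python
import re
from typing import Optional

def sample_users() -> list[dict]:
    """Constructed rows standing in for wp_users (ID, user_email, user_activation_key)."""
    return [
        {"ID": 1, "user_email": "admin@example.test", "user_activation_key": "admin-key"},
        {"ID": 7, "user_email": "1poc@example.test", "user_activation_key": "pending"},
    ]

_NUM_PREFIX = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?")

def mysql_string_to_number(s: str) -> float:
    """Emulate MySQL's implicit string-to-number conversion in a numeric comparison:
    the leading numeric prefix is used and a string with no such prefix becomes 0
    (MySQL only emits a warning). 'abc' -> 0.0, '1poc@example.test' -> 1.0."""
    m = _NUM_PREFIX.match(s)
    return float(m.group(0)) if m else 0.0

def confirm_vulnerable(users: list[dict], email: str, new_key: str) -> Optional[int]:
    """Shape of the flaw: the confirmation handler binds the email string into
    `WHERE ID = %s`, so MySQL coerces it and '1poc@example.test' matches ID 1.
    Returns the ID whose activation key was overwritten."""
    wanted = mysql_string_to_number(email)
    for row in users:
        if float(row["ID"]) == wanted:  # integer column vs string literal in MySQL
            row["user_activation_key"] = new_key
            return row["ID"]
    return None

def set_activation_key(users: list[dict], uid: int, new_key: str) -> Optional[int]:
    """Stands in for `$wpdb->prepare('... WHERE ID = %d', $uid)` fed a real integer."""
    if not isinstance(uid, int) or isinstance(uid, bool):
        raise TypeError("user ID must be an int, not %r" % (uid,))
    for row in users:
        if row["ID"] == uid:
            row["user_activation_key"] = new_key
            return uid
    return None

def confirm_hardened(users: list[dict], email: str, new_key: str) -> Optional[int]:
    """Fix: resolve the email to its own row by exact string comparison, then update
    through a genuine integer ID. Casting the email with int() would reproduce the
    prefix coercion in PHP and Python alike, so the ID must come from the lookup."""
    rows = [r for r in users if r["user_email"] == email]
    if len(rows) != 1:
        return None
    return set_activation_key(users, rows[0]["ID"], new_key)
```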

Explanation of Vulnerability in Simple Terms

02 Summary

Contest Gallery contains an authentication flaw that allows attackers to bypass login controls without valid credentials. The vulnerability affects all versions up to 28.1.5. An attacker can gain unauthorized access to the application's core functions, including the ability to read sensitive data, modify content, and disrupt service. No user interaction is required.

What an attacker can do

03 Attacker Capabilities

Bypass authentication and gain full access to the application without valid credentials.

Potential impact on your site

04 Site Impact

Attackers can access user data, modify or delete content, and disrupt the gallery and payment functionality.

Conditions required to exploit

05 Prerequisites

Network access to the application. No authentication or user interaction required. The non-default `RegMailOptional=1` setting must be enabled on the target site.

Key dates

06 Disclosure timeline

March 23, 2026 CVE published
April 8, 2026 Record updated