
Totalcontest Lite CVE-2026-0677

EUVD-2026-13657 · MEDIUM
Deserialization of Untrusted Data (CWE-502)
2026-03-20 Patchstack
6.3
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
6.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Severity Changed
Jun 10, 2026 - 20:22 NVD
HIGH → MEDIUM
CVSS changed
Jun 10, 2026 - 20:22 NVD
7.2 (HIGH) → 6.3 (MEDIUM)
EUVD ID Assigned
Mar 20, 2026 - 09:45 euvd
EUVD-2026-13657
Analysis Generated
Mar 20, 2026 - 09:45 vuln.today
CVE Published
Mar 20, 2026 - 09:31 nvd
HIGH 7.2

Description (NVD)

Deserialization of Untrusted Data vulnerability in TotalSuite TotalContest Lite allows Object Injection. This issue affects TotalContest Lite: from n/a through 2.9.1.

Analysis (AI)

This is a deserialization of untrusted data vulnerability (PHP Object Injection) in the TotalContest Lite WordPress plugin that allows authenticated attackers with high-level privileges to inject arbitrary PHP objects. The vulnerability affects all versions through 2.9.1 of the TotalContest Lite plugin from TotalSuite. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Authenticate as high-privilege user
Delivery: Submit malicious serialized object
Exploit: Deserialize untrusted data in TotalContest Lite
Execution: Inject arbitrary object
Impact: Execute arbitrary code with application privileges

Vulnerability Assessment (AI)

Exploitation: Requires authenticated access with a high-privilege account to TotalSuite TotalContest Lite versions up to 2.9.1. …
Risk Assessment: The CVSS vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H indicates a network-exploitable vulnerability with low attack complexity that requires high privileges (typically administrator access to the WordPress installation). …
Exploit Scenario: An attacker who has compromised administrator credentials (through phishing, credential stuffing, or insider access) logs into the WordPress admin panel and exploits the deserialization vulnerability by submitting malicious serialized PHP objects through the TotalContest Lite plugin interface. The crafted payload triggers object injection, allowing the attacker to instantiate arbitrary PHP classes and chain magic methods to achieve remote code execution, ultimately gaining full control of the web server and access to the underlying database with all contest and user data.
Remediation: Upgrade TotalContest Lite to version 2.9.2 or later if available, as version 2.9.1 is confirmed vulnerable. …

Recommended Action (AI)

Within 24 hours: Inventory all WordPress installations running the TotalContest Lite plugin at version 2.9.1 or earlier, and restrict administrative access to trusted personnel only. …



CVE-2026-0677 vulnerability details – vuln.today
