Skip to main content

Contest Gallery CVE-2026-24964

| EUVDEUVD-2026-15576 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-03-25 Patchstack GHSA-4f94-fq23-hch4
6.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15576
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
MEDIUM 6.4

DescriptionCVE.org

Server-Side Request Forgery (SSRF) vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery allows Server Side Request Forgery.This issue affects Contest Gallery: from n/a through <= 28.1.2.1.

AnalysisAI

A Server-Side Request Forgery (SSRF) vulnerability exists in Contest Gallery, a WordPress plugin developed by Wasiliy Strecker, affecting versions up to and including 28.1.2.1. This vulnerability allows attackers to abuse the affected application to make unauthorized requests to internal or external systems, potentially leading to information disclosure, internal network reconnaissance, or attacks against backend services. The vulnerability was reported by Patchstack and tracked under EUVD-2026-15576; however, no CVSS score, EPSS data, or confirmed active exploitation status is currently available, limiting the ability to assess immediate severity.

Technical ContextAI

The vulnerability is classified as CWE-918 (Server-Side Request Forgery), a class of flaws where an application processes user-controlled input to construct HTTP requests without proper validation or sanitization. The affected product is Contest Gallery (CPE: cpe:2.3:a:wasiliy_strecker_/_contestgallery_developer:contest_gallery), a WordPress plugin. In SSRF vulnerabilities, an attacker can manipulate the application to make requests on behalf of the server—such as accessing localhost services, internal IP ranges, cloud metadata endpoints (e.g., AWS IMDSv1), or external third-party systems. The root cause in Contest Gallery likely involves insufficient input validation on parameters that control URL fetching, HTTP methods, or request targets, allowing an attacker to bypass intended access controls and interact with restricted resources.

RemediationAI

Immediately upgrade Contest Gallery to a patched version greater than 28.1.2.1 as provided by the developer. Consult the Patchstack database entry (https://patchstack.com/database/Wordpress/Plugin/contest-gallery/) for availability of a patched release and installation instructions. Until a patch is available or can be applied, implement network-level controls to restrict the WordPress server's outbound HTTP/HTTPS requests to only necessary external services, disable any Contest Gallery features that process external URLs if possible, and implement Web Application Firewall (WAF) rules to detect and block SSRF payloads (e.g., requests to 127.0.0.1, 169.254.169.254, or internal IP ranges). Monitor plugin activity and consider temporarily disabling Contest Gallery if it is not essential to operations.

CVE-2021-24915 CRITICAL POC
9.8 Nov 29

The Contest Gallery WordPress plugin before 13.1.0.6 does not have capability checks and does not sanitise or escape the

CVE-2022-4158 HIGH POC
7.5 Dec 26

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape

CVE-2022-4156 HIGH POC
7.5 Dec 26

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape

CVE-2022-4166 MEDIUM POC
6.5 Dec 26

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape

CVE-2022-4165 MEDIUM POC
6.5 Dec 26

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape

CVE-2022-4164 MEDIUM POC
6.5 Dec 26

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape

CVE-2022-4163 MEDIUM POC
6.5 Dec 26

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape

CVE-2022-4162 MEDIUM POC
6.5 Dec 26

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape

CVE-2022-4161 MEDIUM POC
6.5 Dec 26

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape

CVE-2022-4160 MEDIUM POC
6.5 Dec 26

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape

CVE-2022-4159 MEDIUM POC
6.5 Dec 26

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape

CVE-2022-4153 MEDIUM POC
6.5 Dec 26

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape

Share

CVE-2026-24964 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy