Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Server-Side Request Forgery (SSRF) vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery allows Server Side Request Forgery.This issue affects Contest Gallery: from n/a through <= 28.1.2.1.
AnalysisAI
A Server-Side Request Forgery (SSRF) vulnerability exists in Contest Gallery, a WordPress plugin developed by Wasiliy Strecker, affecting versions up to and including 28.1.2.1. This vulnerability allows attackers to abuse the affected application to make unauthorized requests to internal or external systems, potentially leading to information disclosure, internal network reconnaissance, or attacks against backend services. The vulnerability was reported by Patchstack and tracked under EUVD-2026-15576; however, no CVSS score, EPSS data, or confirmed active exploitation status is currently available, limiting the ability to assess immediate severity.
Technical ContextAI
The vulnerability is classified as CWE-918 (Server-Side Request Forgery), a class of flaws where an application processes user-controlled input to construct HTTP requests without proper validation or sanitization. The affected product is Contest Gallery (CPE: cpe:2.3:a:wasiliy_strecker_/_contestgallery_developer:contest_gallery), a WordPress plugin. In SSRF vulnerabilities, an attacker can manipulate the application to make requests on behalf of the server—such as accessing localhost services, internal IP ranges, cloud metadata endpoints (e.g., AWS IMDSv1), or external third-party systems. The root cause in Contest Gallery likely involves insufficient input validation on parameters that control URL fetching, HTTP methods, or request targets, allowing an attacker to bypass intended access controls and interact with restricted resources.
RemediationAI
Immediately upgrade Contest Gallery to a patched version greater than 28.1.2.1 as provided by the developer. Consult the Patchstack database entry (https://patchstack.com/database/Wordpress/Plugin/contest-gallery/) for availability of a patched release and installation instructions. Until a patch is available or can be applied, implement network-level controls to restrict the WordPress server's outbound HTTP/HTTPS requests to only necessary external services, disable any Contest Gallery features that process external URLs if possible, and implement Web Application Firewall (WAF) rules to detect and block SSRF payloads (e.g., requests to 127.0.0.1, 169.254.169.254, or internal IP ranges). Monitor plugin activity and consider temporarily disabling Contest Gallery if it is not essential to operations.
More in Contest Gallery
View allThe Contest Gallery WordPress plugin before 13.1.0.6 does not have capability checks and does not sanitise or escape the
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15576
GHSA-4f94-fq23-hch4