Skip to main content

Contest Gallery CVE-2026-25035

| EUVDEUVD-2026-15635 CRITICAL
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-03-25 Patchstack GHSA-4f6x-h73m-pq6f
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15635
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
CRITICAL 9.8

DescriptionCVE.org

Authentication Bypass Using an Alternate Path or Channel vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery allows Authentication Abuse.This issue affects Contest Gallery: from n/a through <= 28.1.2.2.

AnalysisAI

Contest Gallery through version 28.1.2.2 contains an authentication bypass vulnerability that allows unauthenticated remote attackers to abuse alternate authentication paths and gain unauthorized access to the application. With a CVSS score of 9.8 and no patch currently available, this critical vulnerability poses an immediate risk to all affected installations.

Technical ContextAI

Contest Gallery is a WordPress plugin (CPE: cpe:2.3:a:wasiliy_strecker_/_contestgallery_developer:contest_gallery) designed for managing image contests and galleries within WordPress environments. The vulnerability stems from a CWE-288 class defect, which occurs when an application implements authentication controls through a primary mechanism but fails to properly secure alternate authentication paths or channels. In this case, the plugin likely implements supplementary authentication routes—such as API endpoints, direct file access, deprecated authentication methods, or alternative login mechanisms—that bypass the standard WordPress authentication framework. This allows attackers to circumvent nonce verification, capability checks, and session validation that would normally be enforced through primary authentication pathways. The affected versions extend through 28.1.2.2, suggesting a long window of vulnerable deployments across WordPress installations.

RemediationAI

Immediately upgrade Contest Gallery to a version newer than 28.1.2.2; check the official plugin repository or vendor website for the patched release. Until patching is possible, disable the Contest Gallery plugin entirely to eliminate exposure, or restrict access to contest gallery pages via WordPress user role capabilities and network-level firewall rules to prevent unauthorized authentication attempts. Additionally, implement WordPress security hardening measures including two-factor authentication (via a plugin such as Wordfence or iThemes Security), regular security audits of active plugins and themes, and monitoring of failed login attempts via access logs. Review user accounts for unexpected creation or privilege escalation and consider enforcing password resets for all administrative accounts post-remediation. For shared hosting environments, coordinate patching with your hosting provider to ensure timely deployment across all affected sites.

CVE-2021-24915 CRITICAL POC
9.8 Nov 29

The Contest Gallery WordPress plugin before 13.1.0.6 does not have capability checks and does not sanitise or escape the

CVE-2022-4158 HIGH POC
7.5 Dec 26

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape

CVE-2022-4156 HIGH POC
7.5 Dec 26

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape

CVE-2022-4166 MEDIUM POC
6.5 Dec 26

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape

CVE-2022-4165 MEDIUM POC
6.5 Dec 26

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape

CVE-2022-4164 MEDIUM POC
6.5 Dec 26

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape

CVE-2022-4163 MEDIUM POC
6.5 Dec 26

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape

CVE-2022-4162 MEDIUM POC
6.5 Dec 26

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape

CVE-2022-4161 MEDIUM POC
6.5 Dec 26

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape

CVE-2022-4160 MEDIUM POC
6.5 Dec 26

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape

CVE-2022-4159 MEDIUM POC
6.5 Dec 26

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape

CVE-2022-4153 MEDIUM POC
6.5 Dec 26

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape

Share

CVE-2026-25035 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy