Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Authentication Bypass Using an Alternate Path or Channel vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery allows Authentication Abuse.This issue affects Contest Gallery: from n/a through <= 28.1.2.2.
AnalysisAI
Contest Gallery through version 28.1.2.2 contains an authentication bypass vulnerability that allows unauthenticated remote attackers to abuse alternate authentication paths and gain unauthorized access to the application. With a CVSS score of 9.8 and no patch currently available, this critical vulnerability poses an immediate risk to all affected installations.
Technical ContextAI
Contest Gallery is a WordPress plugin (CPE: cpe:2.3:a:wasiliy_strecker_/_contestgallery_developer:contest_gallery) designed for managing image contests and galleries within WordPress environments. The vulnerability stems from a CWE-288 class defect, which occurs when an application implements authentication controls through a primary mechanism but fails to properly secure alternate authentication paths or channels. In this case, the plugin likely implements supplementary authentication routes—such as API endpoints, direct file access, deprecated authentication methods, or alternative login mechanisms—that bypass the standard WordPress authentication framework. This allows attackers to circumvent nonce verification, capability checks, and session validation that would normally be enforced through primary authentication pathways. The affected versions extend through 28.1.2.2, suggesting a long window of vulnerable deployments across WordPress installations.
RemediationAI
Immediately upgrade Contest Gallery to a version newer than 28.1.2.2; check the official plugin repository or vendor website for the patched release. Until patching is possible, disable the Contest Gallery plugin entirely to eliminate exposure, or restrict access to contest gallery pages via WordPress user role capabilities and network-level firewall rules to prevent unauthorized authentication attempts. Additionally, implement WordPress security hardening measures including two-factor authentication (via a plugin such as Wordfence or iThemes Security), regular security audits of active plugins and themes, and monitoring of failed login attempts via access logs. Review user accounts for unexpected creation or privilege escalation and consider enforcing password resets for all administrative accounts post-remediation. For shared hosting environments, coordinate patching with your hosting provider to ensure timely deployment across all affected sites.
More in Contest Gallery
View allThe Contest Gallery WordPress plugin before 13.1.0.6 does not have capability checks and does not sanitise or escape the
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15635
GHSA-4f6x-h73m-pq6f