Skip to main content

Contest Gallery CVE-2026-42656

| EUVDEUVD-2026-36821 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-15 Patchstack GHSA-x3gw-fxqf-c5pw
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
5.4 MEDIUM

Subscriber account required (PR:L); admin must view payload (UI:R); scope changes to admin session; no availability impact justified by XSS description.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 23:02 vuln.today

DescriptionCVE.org

Subscriber Cross Site Scripting (XSS) in Contest Gallery <= 28.1.6 versions.

AnalysisAI

Cross-site scripting in the Contest Gallery WordPress plugin (versions <= 28.1.6) can be triggered by a subscriber-level authenticated user, injecting malicious scripts that execute in the browsers of higher-privileged users such as administrators. The CVSS Scope:Changed metric confirms the payload escapes the subscriber's privilege boundary and impacts other user sessions. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity and broad WordPress ecosystem deployment surface make this a meaningful risk for any site accepting subscriber registrations.

Technical ContextAI

Contest Gallery is a WordPress plugin developed by Wasiliy Strecker (CPE: cpe:2.3:a:wasiliy_strecker:contest_gallery:*:*:*:*:*:*:*:*) that enables photo contest functionality on WordPress sites. CWE-79 (Improper Neutralization of Input During Web Page Generation) identifies the root cause as insufficient output encoding or input sanitization of subscriber-controlled data before it is rendered in HTML pages. In the WordPress privilege model, the 'Subscriber' role is the lowest authenticated role, capable of reading content and managing their own profile - meaning any registered user can trigger this flaw. The CVSS vector's S:C (Scope Changed) component indicates stored XSS behavior: the injected payload persists server-side and executes in the browser context of other users, most dangerously site administrators, allowing privilege escalation or session hijacking without requiring direct exploitation of admin credentials.

RemediationAI

Upstream fix availability has not been independently confirmed from the provided data - no exact patched version number is specified in the Patchstack advisory reference or EUVD entry. WordPress administrators should immediately check the official WordPress plugin repository and the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/contest-gallery/vulnerability/wordpress-contest-gallery-plugin-28-1-6-cross-site-scripting-xss-vulnerability) for a released update beyond version 28.1.6 and apply it as soon as one is available. As a compensating control while awaiting a patch, restrict or disable open subscriber registration on the affected WordPress site via Settings > General > uncheck 'Anyone can register' - this eliminates the PR:L attack surface but may disrupt contest participation workflows. Additionally, deploying a web application firewall (WAF) rule targeting XSS payloads in plugin-specific endpoints can reduce exposure. Audit existing subscriber accounts for unexpected registrations. Do not rely solely on WAF mitigation if subscriber registration must remain open.

CVE-2021-24915 CRITICAL POC
9.8 Nov 29

The Contest Gallery WordPress plugin before 13.1.0.6 does not have capability checks and does not sanitise or escape the

CVE-2022-4158 HIGH POC
7.5 Dec 26

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape

CVE-2022-4156 HIGH POC
7.5 Dec 26

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape

CVE-2022-4166 MEDIUM POC
6.5 Dec 26

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape

CVE-2022-4165 MEDIUM POC
6.5 Dec 26

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape

CVE-2022-4164 MEDIUM POC
6.5 Dec 26

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape

CVE-2022-4163 MEDIUM POC
6.5 Dec 26

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape

CVE-2022-4162 MEDIUM POC
6.5 Dec 26

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape

CVE-2022-4161 MEDIUM POC
6.5 Dec 26

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape

CVE-2022-4160 MEDIUM POC
6.5 Dec 26

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape

CVE-2022-4159 MEDIUM POC
6.5 Dec 26

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape

CVE-2022-4153 MEDIUM POC
6.5 Dec 26

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape

Share

CVE-2026-42656 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy