Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Network-reachable with no auth or interaction required; integrity impact is low and confined to plugin data, with no confirmed confidentiality or availability consequence.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Unauthenticated Other Vulnerability Type in Contest Gallery <= 28.1.7 versions.
AnalysisAI
Unauthenticated integrity-impacting input validation failure in the Contest Gallery WordPress plugin affects all versions up to and including 28.1.7, allowing network-accessible attackers with no privileges to perform unauthorized write-class operations against the plugin. The CVSS vector confirms the unauthenticated, low-complexity attack path (AV:N/AC:L/PR:N/UI:N) with low integrity impact and unchanged scope. No public exploit code and no CISA KEV listing have been identified at time of analysis, placing this in a monitor-and-patch posture rather than emergency response.
Technical ContextAI
Contest Gallery is a WordPress plugin developed by Wasiliy Strecker, identified in CPE as cpe:2.3:a:wasiliy_strecker:contest_gallery:*:*:*:*:*:*:*:*. The root cause is classified under CWE-1284 (Improper Validation of Specified Quantity in Input), which describes a failure to properly validate a numeric or quantity-class parameter before using it in logic or data operations. In a contest/gallery plugin context, this likely manifests in vote counts, entry counts, or pagination parameters that are accepted from unauthenticated HTTP requests without adequate bounds checking or authorization enforcement, enabling an attacker to submit out-of-range or manipulated quantity values that alter stored state. A discrepancy exists between the 'Information Disclosure' tag applied by the reporter and the CVSS vector, which records C:N (no confidentiality impact) and I:L (low integrity impact) - suggesting the tag may reflect ancillary behavior or be inaccurate; analysts should verify with the Patchstack advisory.
RemediationAI
Upgrade the Contest Gallery WordPress plugin to a version later than 28.1.7 as soon as a patched release is published by the vendor; no specific fixed version number was confirmed in the available source data, so administrators should monitor the WordPress plugin repository and the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/contest-gallery/vulnerability/wordpress-contest-gallery-plugin-28-1-7-other-vulnerability-type-vulnerability for a confirmed fix version. If an immediate upgrade is not possible, consider restricting unauthenticated access to Contest Gallery endpoints via a web application firewall rule targeting plugin-specific REST API routes or form submission endpoints, noting that this may break intended public voting or submission functionality. Disabling the plugin entirely is the most definitive compensating control if the gallery feature is not business-critical, eliminating the attack surface at the cost of all plugin functionality until a patch is available.
More in Contest Gallery
View allThe Contest Gallery WordPress plugin before 13.1.0.6 does not have capability checks and does not sanitise or escape the
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36822
GHSA-pvw3-j77v-26w9