Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Incorrect Privilege Assignment vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery Pro allows Privilege Escalation.
This issue affects Contest Gallery Pro: from n/a through 29.0.1.
AnalysisAI
Privilege escalation in the Contest Gallery Pro WordPress plugin (versions up to and including 29.0.1) allows remote unauthenticated attackers to gain elevated privileges within affected WordPress sites due to incorrect privilege assignment (CWE-266). The CVSS 9.8 score combined with network-reachable, no-authentication exploitation makes this a critical-severity issue, though no public exploit identified at time of analysis. The vulnerability was disclosed by Patchstack's audit team and currently has no entry in CISA KEV.
Technical ContextAI
Contest Gallery Pro is a commercial WordPress plugin developed by Wasiliy Strecker / ContestGallery for running photo contests and gallery competitions. The root cause is CWE-266 (Incorrect Privilege Assignment), meaning the plugin assigns privileges to users or actions that exceed what the intended authorization model permits - typically caused by missing capability checks (current_user_can), trusting client-supplied role/capability parameters in AJAX or REST endpoints, or improperly hooking into WordPress user-meta updates. In WordPress plugin ecosystems this class of bug commonly manifests as an unauthenticated endpoint that allows arbitrary role assignment or registration of accounts with elevated capabilities, effectively bypassing the site's role-based access control.
RemediationAI
Upgrade Contest Gallery Pro to a version newer than 29.0.1 as soon as the vendor publishes a fixed release - the exact patched version is not specified in the supplied data, so administrators should verify the current vendor download against the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/contest-gallery-pro/vulnerability/wordpress-contest-gallery-pro-plugin-29-0-1-privilege-escalation-vulnerability. Patch status per available data: Patch availability not specified in input - verify directly with the vendor. As compensating controls until patched, deactivate and remove the Contest Gallery Pro plugin from production sites (trade-off: contest functionality is lost), or place the WordPress admin and wp-json/admin-ajax.php endpoints behind a WAF with virtual-patching rules from Patchstack or Wordfence (trade-off: dependent on signature coverage), and audit wp_users / wp_usermeta for unexpected administrator-role assignments and recently-created accounts to detect prior exploitation.
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33657
GHSA-6r56-cp38-hcmg