Skip to main content

Contest Gallery Pro EUVDEUVD-2026-33657

| CVE-2026-42680 CRITICAL
Incorrect Privilege Assignment (CWE-266)
2026-06-01 audit@patchstack.com GHSA-6r56-cp38-hcmg
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 01, 2026 - 15:30 vuln.today

DescriptionCVE.org

Incorrect Privilege Assignment vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery Pro allows Privilege Escalation.

This issue affects Contest Gallery Pro: from n/a through 29.0.1.

AnalysisAI

Privilege escalation in the Contest Gallery Pro WordPress plugin (versions up to and including 29.0.1) allows remote unauthenticated attackers to gain elevated privileges within affected WordPress sites due to incorrect privilege assignment (CWE-266). The CVSS 9.8 score combined with network-reachable, no-authentication exploitation makes this a critical-severity issue, though no public exploit identified at time of analysis. The vulnerability was disclosed by Patchstack's audit team and currently has no entry in CISA KEV.

Technical ContextAI

Contest Gallery Pro is a commercial WordPress plugin developed by Wasiliy Strecker / ContestGallery for running photo contests and gallery competitions. The root cause is CWE-266 (Incorrect Privilege Assignment), meaning the plugin assigns privileges to users or actions that exceed what the intended authorization model permits - typically caused by missing capability checks (current_user_can), trusting client-supplied role/capability parameters in AJAX or REST endpoints, or improperly hooking into WordPress user-meta updates. In WordPress plugin ecosystems this class of bug commonly manifests as an unauthenticated endpoint that allows arbitrary role assignment or registration of accounts with elevated capabilities, effectively bypassing the site's role-based access control.

RemediationAI

Upgrade Contest Gallery Pro to a version newer than 29.0.1 as soon as the vendor publishes a fixed release - the exact patched version is not specified in the supplied data, so administrators should verify the current vendor download against the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/contest-gallery-pro/vulnerability/wordpress-contest-gallery-pro-plugin-29-0-1-privilege-escalation-vulnerability. Patch status per available data: Patch availability not specified in input - verify directly with the vendor. As compensating controls until patched, deactivate and remove the Contest Gallery Pro plugin from production sites (trade-off: contest functionality is lost), or place the WordPress admin and wp-json/admin-ajax.php endpoints behind a WAF with virtual-patching rules from Patchstack or Wordfence (trade-off: dependent on signature coverage), and audit wp_users / wp_usermeta for unexpected administrator-role assignments and recently-created accounts to detect prior exploitation.

Share

EUVD-2026-33657 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy