Skip to main content

Contest Gallery EUVDEUVD-2026-36822

| CVE-2026-42657 MEDIUM
Improper Validation of Specified Quantity in Input (CWE-1284)
2026-06-15 Patchstack GHSA-pvw3-j77v-26w9
5.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
5.3 MEDIUM

Network-reachable with no auth or interaction required; integrity impact is low and confined to plugin data, with no confirmed confidentiality or availability consequence.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 15, 2026 - 23:02 vuln.today
CVSS changed
Jun 15, 2026 - 21:22 NVD
6.5 (MEDIUM) 5.3 (MEDIUM)

DescriptionCVE.org

Unauthenticated Other Vulnerability Type in Contest Gallery <= 28.1.7 versions.

AnalysisAI

Unauthenticated integrity-impacting input validation failure in the Contest Gallery WordPress plugin affects all versions up to and including 28.1.7, allowing network-accessible attackers with no privileges to perform unauthorized write-class operations against the plugin. The CVSS vector confirms the unauthenticated, low-complexity attack path (AV:N/AC:L/PR:N/UI:N) with low integrity impact and unchanged scope. No public exploit code and no CISA KEV listing have been identified at time of analysis, placing this in a monitor-and-patch posture rather than emergency response.

Technical ContextAI

Contest Gallery is a WordPress plugin developed by Wasiliy Strecker, identified in CPE as cpe:2.3:a:wasiliy_strecker:contest_gallery:*:*:*:*:*:*:*:*. The root cause is classified under CWE-1284 (Improper Validation of Specified Quantity in Input), which describes a failure to properly validate a numeric or quantity-class parameter before using it in logic or data operations. In a contest/gallery plugin context, this likely manifests in vote counts, entry counts, or pagination parameters that are accepted from unauthenticated HTTP requests without adequate bounds checking or authorization enforcement, enabling an attacker to submit out-of-range or manipulated quantity values that alter stored state. A discrepancy exists between the 'Information Disclosure' tag applied by the reporter and the CVSS vector, which records C:N (no confidentiality impact) and I:L (low integrity impact) - suggesting the tag may reflect ancillary behavior or be inaccurate; analysts should verify with the Patchstack advisory.

RemediationAI

Upgrade the Contest Gallery WordPress plugin to a version later than 28.1.7 as soon as a patched release is published by the vendor; no specific fixed version number was confirmed in the available source data, so administrators should monitor the WordPress plugin repository and the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/contest-gallery/vulnerability/wordpress-contest-gallery-plugin-28-1-7-other-vulnerability-type-vulnerability for a confirmed fix version. If an immediate upgrade is not possible, consider restricting unauthenticated access to Contest Gallery endpoints via a web application firewall rule targeting plugin-specific REST API routes or form submission endpoints, noting that this may break intended public voting or submission functionality. Disabling the plugin entirely is the most definitive compensating control if the gallery feature is not business-critical, eliminating the attack surface at the cost of all plugin functionality until a patch is available.

CVE-2021-24915 CRITICAL POC
9.8 Nov 29

The Contest Gallery WordPress plugin before 13.1.0.6 does not have capability checks and does not sanitise or escape the

CVE-2022-4158 HIGH POC
7.5 Dec 26

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape

CVE-2022-4156 HIGH POC
7.5 Dec 26

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape

CVE-2022-4166 MEDIUM POC
6.5 Dec 26

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape

CVE-2022-4165 MEDIUM POC
6.5 Dec 26

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape

CVE-2022-4164 MEDIUM POC
6.5 Dec 26

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape

CVE-2022-4163 MEDIUM POC
6.5 Dec 26

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape

CVE-2022-4162 MEDIUM POC
6.5 Dec 26

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape

CVE-2022-4161 MEDIUM POC
6.5 Dec 26

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape

CVE-2022-4160 MEDIUM POC
6.5 Dec 26

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape

CVE-2022-4159 MEDIUM POC
6.5 Dec 26

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape

CVE-2022-4153 MEDIUM POC
6.5 Dec 26

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape

Share

EUVD-2026-36822 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy