CVE-2026-4021 (GCVE-0-2026-4021)

Vulnerability from cvelistv5 – Published: 2026-03-23 23:25 – Updated: 2026-04-08 17:32
VLAI?
Title
Contest Gallery <= 28.1.5 - Unauthenticated Privilege Escalation Admin Account Takeover via Registration Confirmation Email-to-ID Type Confusion
Summary
The Contest Gallery plugin for WordPress is vulnerable to an authentication bypass leading to admin account takeover in all versions up to, and including, 28.1.5. This is due to the email confirmation handler in `users-registry-check-after-email-or-pin-confirmation.php` using the user's email string in a `WHERE ID = %s` clause instead of the numeric user ID, combined with an unauthenticated key-based login endpoint in `ajax-functions-frontend.php`. When the non-default `RegMailOptional=1` setting is enabled, an attacker can register with a crafted email starting with the target user ID (e.g., `1poc@example.test`), trigger the confirmation flow to overwrite the admin's `user_activation_key` via MySQL integer coercion, and then use the `post_cg1l_login_user_by_key` AJAX action to authenticate as the admin without any credentials. This makes it possible for unauthenticated attackers to take over any WordPress administrator account and gain full site control.
Severity ?
8.1 (High)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE
  • CWE-287 - Improper Authentication
Assigner
References
Impacted products
Vendor Product Version
contest-gallery Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe Affected: 0 , ≤ 28.1.5 (semver)
Create a notification for this product.
Credits
Supakiad S.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-4021",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-24T18:43:36.134537Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-24T18:43:43.168Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Contest Gallery \u2013 Upload \u0026 Vote Photos, Media, Sell with PayPal \u0026 Stripe",
          "vendor": "contest-gallery",
          "versions": [
            {
              "lessThanOrEqual": "28.1.5",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Supakiad S."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Contest Gallery plugin for WordPress is vulnerable to an authentication bypass leading to admin account takeover in all versions up to, and including, 28.1.5. This is due to the email confirmation handler in `users-registry-check-after-email-or-pin-confirmation.php` using the user\u0027s email string in a `WHERE ID = %s` clause instead of the numeric user ID, combined with an unauthenticated key-based login endpoint in `ajax-functions-frontend.php`. When the non-default `RegMailOptional=1` setting is enabled, an attacker can register with a crafted email starting with the target user ID (e.g., `1poc@example.test`), trigger the confirmation flow to overwrite the admin\u0027s `user_activation_key` via MySQL integer coercion, and then use the `post_cg1l_login_user_by_key` AJAX action to authenticate as the admin without any credentials. This makes it possible for unauthenticated attackers to take over any WordPress administrator account and gain full site control."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287 Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T17:32:30.381Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f1b9725b-dee5-44ca-bb33-c6812fb76adc?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/contest-gallery/trunk/v10/v10-admin/users/frontend/registry/users-registry-check-after-email-or-pin-confirmation.php#L153"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/contest-gallery/tags/28.1.4/v10/v10-admin/users/frontend/registry/users-registry-check-after-email-or-pin-confirmation.php#L153"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/contest-gallery/trunk/ajax/ajax-functions-frontend.php#L204"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/contest-gallery/tags/28.1.4/ajax/ajax-functions-frontend.php#L204"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?old_path=/contest-gallery/tags/28.1.5\u0026new_path=/contest-gallery/tags/28.1.6"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-11T20:26:17.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-03-23T11:19:11.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Contest Gallery \u003c= 28.1.5 - Unauthenticated Privilege Escalation Admin Account Takeover via Registration Confirmation Email-to-ID Type Confusion"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-4021",
    "datePublished": "2026-03-23T23:25:50.405Z",
    "dateReserved": "2026-03-11T20:10:49.726Z",
    "dateUpdated": "2026-04-08T17:32:30.381Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-4021\",\"sourceIdentifier\":\"security@wordfence.com\",\"published\":\"2026-03-24T00:16:31.210\",\"lastModified\":\"2026-03-24T15:53:48.067\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Contest Gallery plugin for WordPress is vulnerable to an authentication bypass leading to admin account takeover in all versions up to, and including, 28.1.5. This is due to the email confirmation handler in `users-registry-check-after-email-or-pin-confirmation.php` using the user\u0027s email string in a `WHERE ID = %s` clause instead of the numeric user ID, combined with an unauthenticated key-based login endpoint in `ajax-functions-frontend.php`. When the non-default `RegMailOptional=1` setting is enabled, an attacker can register with a crafted email starting with the target user ID (e.g., `1poc@example.test`), trigger the confirmation flow to overwrite the admin\u0027s `user_activation_key` via MySQL integer coercion, and then use the `post_cg1l_login_user_by_key` AJAX action to authenticate as the admin without any credentials. This makes it possible for unauthenticated attackers to take over any WordPress administrator account and gain full site control.\"},{\"lang\":\"es\",\"value\":\"El plugin Contest Gallery para WordPress es vulnerable a una omisi\u00f3n de autenticaci\u00f3n que conduce a la toma de control de la cuenta de administrador en todas las versiones hasta la 28.1.5, inclusive. Esto se debe a que el gestor de confirmaci\u00f3n de correo electr\u00f3nico en `users-registry-check-after-email-or-pin-confirmation.php` utiliza la cadena de correo electr\u00f3nico del usuario en una cl\u00e1usula `WHERE ID = %s` en lugar del ID de usuario num\u00e9rico, combinado con un punto final de inicio de sesi\u00f3n basado en clave no autenticado en `ajax-functions-frontend.php`. Cuando la configuraci\u00f3n no predeterminada `RegMailOptional=1` est\u00e1 habilitada, un atacante puede registrarse con un correo electr\u00f3nico manipulado que comienza con el ID de usuario objetivo (p. ej., `1poc@example.test`), activar el flujo de confirmaci\u00f3n para sobrescribir la `user_activation_key` del administrador a trav\u00e9s de la coerci\u00f3n de enteros de MySQL, y luego usar la acci\u00f3n AJAX `post_cg1l_login_user_by_key` para autenticarse como administrador sin credenciales. Esto hace posible que atacantes no autenticados tomen el control de cualquier cuenta de administrador de WordPress y obtengan control total del sitio.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@wordfence.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security@wordfence.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]}],\"references\":[{\"url\":\"https://plugins.trac.wordpress.org/browser/contest-gallery/tags/28.1.4/ajax/ajax-functions-frontend.php#L204\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/contest-gallery/tags/28.1.4/v10/v10-admin/users/frontend/registry/users-registry-check-after-email-or-pin-confirmation.php#L153\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/contest-gallery/trunk/ajax/ajax-functions-frontend.php#L204\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/contest-gallery/trunk/v10/v10-admin/users/frontend/registry/users-registry-check-after-email-or-pin-confirmation.php#L153\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/changeset?old_path=/contest-gallery/tags/28.1.5\u0026new_path=/contest-gallery/tags/28.1.6\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://www.wordfence.com/threat-intel/vulnerabilities/id/f1b9725b-dee5-44ca-bb33-c6812fb76adc?source=cve\",\"source\":\"security@wordfence.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-4021\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-24T18:43:36.134537Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-24T18:43:39.268Z\"}}], \"cna\": {\"title\": \"Contest Gallery \u003c= 28.1.5 - Unauthenticated Privilege Escalation Admin Account Takeover via Registration Confirmation Email-to-ID Type Confusion\", \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Supakiad S.\"}], \"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 8.1, \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\"}}], \"affected\": [{\"vendor\": \"contest-gallery\", \"product\": \"Contest Gallery \\u2013 Upload \u0026 Vote Photos, Media, Sell with PayPal \u0026 Stripe\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"28.1.5\"}], \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-03-11T20:26:17.000Z\", \"value\": \"Vendor Notified\"}, {\"lang\": \"en\", \"time\": \"2026-03-23T11:19:11.000Z\", \"value\": \"Disclosed\"}], \"references\": [{\"url\": \"https://www.wordfence.com/threat-intel/vulnerabilities/id/f1b9725b-dee5-44ca-bb33-c6812fb76adc?source=cve\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/contest-gallery/trunk/v10/v10-admin/users/frontend/registry/users-registry-check-after-email-or-pin-confirmation.php#L153\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/contest-gallery/tags/28.1.4/v10/v10-admin/users/frontend/registry/users-registry-check-after-email-or-pin-confirmation.php#L153\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/contest-gallery/trunk/ajax/ajax-functions-frontend.php#L204\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/contest-gallery/tags/28.1.4/ajax/ajax-functions-frontend.php#L204\"}, {\"url\": \"https://plugins.trac.wordpress.org/changeset?old_path=/contest-gallery/tags/28.1.5\u0026new_path=/contest-gallery/tags/28.1.6\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The Contest Gallery plugin for WordPress is vulnerable to an authentication bypass leading to admin account takeover in all versions up to, and including, 28.1.5. This is due to the email confirmation handler in `users-registry-check-after-email-or-pin-confirmation.php` using the user\u0027s email string in a `WHERE ID = %s` clause instead of the numeric user ID, combined with an unauthenticated key-based login endpoint in `ajax-functions-frontend.php`. When the non-default `RegMailOptional=1` setting is enabled, an attacker can register with a crafted email starting with the target user ID (e.g., `1poc@example.test`), trigger the confirmation flow to overwrite the admin\u0027s `user_activation_key` via MySQL integer coercion, and then use the `post_cg1l_login_user_by_key` AJAX action to authenticate as the admin without any credentials. This makes it possible for unauthenticated attackers to take over any WordPress administrator account and gain full site control.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-287\", \"description\": \"CWE-287 Improper Authentication\"}]}], \"providerMetadata\": {\"orgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"shortName\": \"Wordfence\", \"dateUpdated\": \"2026-04-08T17:32:30.381Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-4021\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-08T17:32:30.381Z\", \"dateReserved\": \"2026-03-11T20:10:49.726Z\", \"assignerOrgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"datePublished\": \"2026-03-23T23:25:50.405Z\", \"assignerShortName\": \"Wordfence\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.