CVE-2024-11103

Name of the Vulnerable Software and Affected Versions Contest Gallery plugin for WordPress versions up to, and including, 24.0.7

Description The issue is related to privilege escalation via account takeover due to the plugin not properly validating a user's identity prior to updating their password. This allows unauthenticated attackers to change arbitrary user's passwords, including administrators, and gain access to their account.

Recommendations For versions up to, and including, 24.0.7, update to a version that properly validates user identity before allowing password updates. As a temporary workaround, consider restricting access to password update functionality until a secure update is available.