PT-2026-27266 · WordPress · Contest Gallery

Supakiad S · Published 2026-03-23 · Updated 2026-03-25 · CVE-2026-4021

CVSS v3.1: 8.1 High

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Contest Gallery plugin for WordPress versions through 28.1.5

Description

The Contest Gallery plugin for WordPress is vulnerable to an authentication bypass, potentially allowing unauthorized takeover of administrator accounts. The email confirmation handler in users-registry-check-after-email-or-pin-confirmation.php incorrectly passes the user's email string to a SQL query (WHERE ID = %s) instead of the numeric user ID. Combined with an unauthenticated key-based login endpoint in ajax-functions-frontend.php, this is exploitable when the RegMailOptional setting is enabled. An attacker can register with a crafted email address that starts with the target user ID (e.g., 1poc@example.test); during confirmation, MySQL integer coercion makes the query match that user ID, so the administrator's user activation key is overwritten. The attacker can then use the post cg1l login user by key AJAX action to authenticate as the administrator without any credentials, gaining full control of the site.

Recommendations

Versions prior to 28.1.5 should be updated to a newer version. As a temporary workaround, consider disabling the RegMailOptional setting to prevent the exploitation of this issue. Restrict access to the ajax-functions-frontend.php file to minimize the risk of exploitation.
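
The integer coercion named in the description can be checked for in existing data. The following is an added example, not code from the plugin or from this advisory: it models how MySQL casts a quoted string compared against an integer column, flags registration emails whose numeric prefix equals an existing user ID, and shows a strict ID check of the kind a handler should apply before binding the value as an integer. The user IDs, sample emails and function names are constructed for illustration.

```python
import re

# Longest numeric prefix MySQL keeps when a string meets an integer column.
_NUM_PREFIX = re.compile(r"\s*[+-]?(?:\d+(?:\.\d*)?|\.\d+)(?:[eE][+-]?\d+)?")

def mysql_coerce(value):
    """Model MySQL's implicit string-to-number cast: parse the leading
    numeric prefix, ignore the rest, and yield 0 when there is none."""
    m = _NUM_PREFIX.match(value)
    return float(m.group(0)) if m else 0.0

def colliding_user_id(email, user_ids):
    """User ID that a quoted `WHERE ID = '<email>'` would match, else None."""
    n = mysql_coerce(email)
    if n.is_integer() and int(n) in user_ids:
        return int(n)
    return None

def audit_registrations(emails, user_ids):
    """Map each suspicious email to the existing user ID it coerces to."""
    hits = {}
    for email in emails:
        uid = colliding_user_id(email, user_ids)
        if uid is not None:
            hits[email] = uid
    return hits

def strict_user_id(raw):
    """Hardened lookup key: accept only a canonical decimal ID and return
    an int, so the query can bind it as an integer, never as a string."""
    if not re.fullmatch(r"[1-9][0-9]{0,18}", raw):
        raise ValueError("not a numeric user ID: %r" % raw)
    return int(raw)

# Constructed sample data: existing user IDs and registered email addresses.
USER_IDS = {1, 2, 17}
SAMPLE_EMAILS = [
    "alice@example.test",    # no numeric prefix, coerces to 0
    "1poc@example.test",     # the pattern from the description, coerces to 1
    "17admin@example.test",  # coerces to 17
    "3bob@example.test",     # coerces to 3, no such user
]

if __name__ == "__main__":
    for email, uid in audit_registrations(SAMPLE_EMAILS, USER_IDS).items():
        print("review: %s coerces to existing user ID %d" % (email, uid))
```

A hit is a lead for review rather than proof of compromise, since legitimate addresses can also begin with digits.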

Fix

Weakness Enumeration: Improper Authentication

Related Identifiers: CVE-2026-4021

Affected Products: Contest Gallery