Privilege Escalation in Contest Gallery Plugin for WordPress by WordPress
CVE-2026-12165

8.8HIGH

Key Information:

Vendor: WordPress
Status: Contest Gallery – Upload & Vote Photos, Media, Sell With Paypal & Stripe
Vendor: CVE Published:; 17 June 2026

What is CVE-2026-12165?

The Contest Gallery plugin for WordPress is susceptible to privilege escalation due to improper handling of user roles. Authenticated users with author-level access can exploit the RegistryUserRole parameter to override the plugin's stored role with 'administrator'. This flaw arises from insufficient verification in the change-options-and-sizes.php file, where the current_user_can() function is inadequately implemented. As a result, a malicious actor can gain unauthorized administrative access, potentially compromising the security of the entire WordPress site.

Affected Version(s)

Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe 0 <= 30.0.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/contest-galler...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 17, 2026
Vulnerability Reserved
Jun 12, 2026

Credit

Chloe Chamberland

PRISM

CVE-2026-12165 Data

JSON