Authentication Bypass in Contest Gallery Plugin for WordPress
CVE-2026-4021

8.1HIGH

Key Information:

Vendor: WordPress
Status: Contest Gallery – Upload & Vote Photos, Media, Sell With Paypal & Stripe
Vendor: CVE Published:; 23 March 2026

What is CVE-2026-4021?

The Contest Gallery plugin for WordPress contains a vulnerability that allows an unauthorized attacker to bypass authentication and take control of administrator accounts. This issue stems from the use of the user's email address in the SQL query for authentication, rather than utilizing the numeric user ID. An attacker can exploit this flaw by registering with a specially crafted email address to manipulate the admin's activation key during the email confirmation phase. By leveraging an unauthenticated key-based login, an attacker can authenticate as an admin, leading to complete site control. This vulnerability affects all versions of the plugin up to and including 28.1.5.

Affected Version(s)

Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe * <= 28.1.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/contest-galler...

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 23, 2026
Vulnerability Reserved
Mar 11, 2026

Credit

Supakiad S.

CVE-2026-4021 Data

JSON