Executive Summary

CVE-2026-24965 is a Broken Access Control vulnerability in the WordPress Contest Gallery Plugin versions up to and including 28.1.1.

The issue arises from missing authorization, authentication, or nonce token checks within certain plugin functions.

This allows unprivileged users, such as those with Subscriber or Developer roles, to perform actions that should be restricted to higher-privileged users.

The vulnerability is classified under the OWASP Top 10 category A1: Broken Access Control and has a low severity score (CVSS 4.3).

It was fixed in version 28.1.2 of the plugin.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows users with low-level privileges to escalate their permissions and perform actions reserved for higher-privileged users.

Such unauthorized privilege escalation can lead to unauthorized changes or access within the Contest Gallery plugin.

However, the impact is considered low severity and exploitation is unlikely.

Updating the plugin to version 28.1.2 or later mitigates this risk.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate the CVE-2026-24965 vulnerability in the WordPress Contest Gallery Plugin, you should update the plugin to version 28.1.2 or later, where the issue has been fixed.

Patchstack also offers automatic updates for vulnerable plugins, which can provide rapid protection against this vulnerability.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability CVE-2026-24965 is a broken access control issue that allows unauthorized privilege escalation in the Contest Gallery WordPress plugin. While it permits unprivileged users to perform actions reserved for higher-privileged users, the severity is rated low (CVSS 4.3) with low impact and unlikely exploitation.

There is no specific information provided about how this vulnerability directly affects compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability is a Broken Access Control issue in the WordPress Contest Gallery Plugin versions up to 28.1.1, caused by missing authorization checks allowing unauthorized privilege escalation.'}, {'type': 'paragraph', 'content': 'To detect this vulnerability on your system, you should first verify the installed version of the Contest Gallery Plugin. If the version is 28.1.1 or lower, the plugin is vulnerable.'}, {'type': 'paragraph', 'content': 'A common method to check the plugin version on a WordPress site is to use WP-CLI commands or inspect the plugin files directly.'}, {'type': 'list_item', 'content': 'Use WP-CLI to list installed plugins and their versions: wp plugin list'}, {'type': 'list_item', 'content': 'Check the plugin version specifically: wp plugin get contest-gallery --field=version'}, {'type': 'list_item', 'content': "Alternatively, inspect the plugin's main PHP file (usually contest-gallery.php) in the wp-content/plugins/contest-gallery/ directory for the version header."}, {'type': 'paragraph', 'content': 'Since the vulnerability involves missing authorization checks, detecting exploitation attempts may require monitoring for unauthorized actions performed by low-privileged users, which can be done by reviewing WordPress logs or enabling audit logging plugins.'}, {'type': 'paragraph', 'content': 'No specific network commands or signatures are provided for direct detection of exploitation attempts in the available resources.'}, {'type': 'paragraph', 'content': 'The recommended mitigation is to update the plugin to version 28.1.2 or later.'}] [1]

Useful 0 Not Useful 0