CVE-2026-24964
Status: Received - Intake
Server-Side Request Forgery in Contest Gallery

Publication date: 2026-03-25

Last updated on: 2026-04-23

Assigner: Patchstack

Description
Server-Side Request Forgery (SSRF) vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery (contest-gallery) allows Server Side Request Forgery. This issue affects Contest Gallery: all versions up to and including 28.1.2.1 (no lower bound is given).
Meta Information
Published: 2026-03-25
Last Modified: 2026-04-23
Generated: 2026-05-07
AI Q&A: 2026-03-25
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: contest_gallery
Product: contest_gallery
Version / Range: up to and including 28.1.2.1
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
How can this vulnerability impact me?

The SSRF vulnerability allows an attacker to make your website issue HTTP requests to destinations of the attacker's choosing. Because those requests originate from the web server, they can reach internal services (loopback ports, private-network hosts, cloud metadata endpoints) that are not exposed to the attacker directly, and their responses may leak sensitive information.

Information gathered this way can be a stepping stone to further compromise of the host or of other systems on the same network.

Because it can be exploited with only subscriber or developer privileges, rather than an administrator account, it is a candidate for mass-exploitation campaigns affecting many sites at once.

Immediate action, such as updating the plugin to version 28.1.2.2 or later, is recommended to prevent exploitation.


What immediate steps should I take to mitigate this vulnerability?

To mitigate the Server-Side Request Forgery (SSRF) vulnerability in the Contest Gallery plugin, update the plugin to version 28.1.2.2 or later, where the issue has been patched.

Until the update is applied, Patchstack users are covered by an automatic mitigation rule that blocks exploitation attempts; sites without such a rule remain exposed until they upgrade.

Additional recommended actions include enabling auto-updates for the plugin so that future fixes are applied promptly, and seeking assistance from your hosting provider or web developer if you cannot update yourself.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows attackers to induce the affected website to make HTTP requests to destinations of their choosing, potentially accessing sensitive information from other services on the same system or network. Such unauthorized access to sensitive data could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access.

Exploitation of this SSRF vulnerability may result in data breaches or exposure of confidential information, which are critical compliance concerns under these regulations. Therefore, failure to address this vulnerability could increase the risk of violating common standards and regulations that mandate strict data security controls.

Mitigation by updating the plugin to a patched version is strongly recommended to maintain compliance and reduce the risk of exploitation.


Can you explain this vulnerability to me?

CVE-2026-24964 is a Server-Side Request Forgery (SSRF) vulnerability in the WordPress Contest Gallery plugin, versions up to and including 28.1.2.1.

The plugin accepts a URL (or URL-like value) from a request and fetches it server-side without sufficiently verifying where the request is going (CWE-918). An attacker can therefore make the website send HTTP requests to destinations of the attacker's choosing, including hosts the server can reach but the attacker cannot, such as loopback services, private-network hosts, or cloud metadata endpoints.

Exploiting this flaw can expose sensitive information returned by those services and can serve as a stepping stone to further compromise.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The vulnerability is a Server-Side Request Forgery (SSRF) in the Contest Gallery WordPress plugin up to version 28.1.2.1. Detection has two sides: the inbound request that carries the attacker-supplied URL (visible in web server logs, but only when the URL travels in the query string; POST bodies are not recorded by default), and the outbound request the server then makes (visible only in network or proxy telemetry, not in the access log).

To detect exploitation attempts on your system or network, you can:

  • Check web server access logs for requests whose request line contains a URL-valued parameter (plain or percent-encoded). Do not search the whole line for `http://`: the Referer field of the combined log format contains a URL on almost every line.
  • Use network monitoring to identify outbound connections from the web server to hosts it has no business contacting, including internal addresses and the cloud metadata service. Egress to loopback services never leaves the host, so watch the loopback interface too.
  • Employ an intrusion detection system (IDS) or web application firewall (WAF) with rules that detect or block SSRF payloads aimed at the plugin. The specific vulnerable endpoint and parameter are not identified here, so generic rules that flag URL-valued parameters pointing at internal ranges are the practical starting point.

Specific commands depend on your environment, but examples include:

  • Searching the request line only, encoded or not, in an Apache access log: `grep -E '"(GET|POST) [^"]*https?(%3A|:)' /var/log/apache2/access.log`, optionally narrowed with `| grep -i contest` once you know the plugin's request path.
  • Capturing outbound HTTP(S) traffic from the web server with tcpdump (replace `<web-server-ip>` with the server's address): `tcpdump -i eth0 -nn 'src host <web-server-ip> and (dst port 80 or dst port 443)'`, and `tcpdump -i lo -nn 'dst port 80 or dst port 8080'` for loopback targets.
  • Confirming the installed plugin version with WP-CLI: `wp plugin get contest-gallery --field=version`; anything below 28.1.2.2 is vulnerable, and `wp plugin update contest-gallery` applies the fix.

Ultimately, updating the plugin to version 28.1.2.2 or later is the recommended mitigation to prevent exploitation.
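The following is an added example, not code from this entry or from the Contest Gallery plugin. It turns the log-triage advice above and the CWE-918 destination check into one runnable script: it parses combined-format access-log lines, extracts every query parameter whose decoded value is an absolute http(s) URL, classifies where the server's outbound request would go (loopback, link-local such as the cloud metadata address, private range, external), and compares a WP-CLI version string against the first fixed release, 28.1.2.2. The log lines, the `/wp-admin/admin-ajax.php?action=example&url=...` path and the `url` parameter are constructed for illustration; the real vulnerable endpoint and parameter are not published here, which is why the detector inspects every parameter of every request rather than a known one.

```python
"""Constructed example: triage access-log lines for SSRF attempts and
classify the destination of each attacker-supplied URL. Not part of the
CVE entry or the plugin; sample data below is made up."""
import ipaddress
import re
from urllib.parse import parse_qsl, unquote, urlsplit

FIXED_VERSION = (28, 1, 2, 2)  # first patched release named on this page

# Combined Log Format:
# client ident user [time] "METHOD target HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def classify_destination(url: str) -> str:
    """Where would the server's outbound request go? Only literal IPs are
    classified; a hostname would need DNS resolution (and a resolve-then-
    connect check against rebinding), which this offline example skips."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https") or not host:
        return "not-http"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "localhost-name" if host == "localhost" else "external-name"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:  # 169.254.0.0/16, including 169.254.169.254 metadata
        return "link-local"
    if ip.is_private:
        return "private"
    return "external"


def url_params(target: str):
    """Yield (name, decoded value) for each query parameter whose value is an
    absolute http(s) URL. Decodes twice more to catch %25-style double encoding."""
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote(unquote(value))
        if re.match(r"^https?://", decoded, re.IGNORECASE):
            yield name, decoded


def scan_log(lines):
    """One finding per URL-valued parameter. The Referer field is ignored on
    purpose: it contains http:// on nearly every line, which is why grepping
    the whole log for 'http://' is so noisy."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, url in url_params(m.group("target")):
            findings.append({
                "client": m.group("client"),
                "param": name,
                "url": url,
                "destination": classify_destination(url),
                "status": int(m.group("status")),
            })
    return findings


def is_vulnerable_version(version: str) -> bool:
    """True if a WP-CLI-reported version string is below 28.1.2.2."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    return parts < FIXED_VERSION


# Constructed log lines; the path and 'url' parameter are illustrative only.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Mar/2026:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=example&url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 512 "http://shop.example/wp-admin/" "Mozilla/5.0"',
    '203.0.113.5 - - [25/Mar/2026:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=example&url=http%3A%2F%2F127.0.0.1%3A8080%2F HTTP/1.1" 200 77 "-" "curl/8.5.0"',
    '198.51.100.9 - - [25/Mar/2026:10:02:15 +0000] "GET /?s=gallery HTTP/1.1" 200 9001 "http://www.example/" "Mozilla/5.0"',
    '198.51.100.9 - - [25/Mar/2026:10:03:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 40 "http://shop.example/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client']} param={f['param']} -> {f['destination']}: {f['url']}")
    print("installed 28.1.2.1 vulnerable:", is_vulnerable_version("28.1.2.1"))
```

Run it on a real log with `scan_log(open("/var/log/apache2/access.log"))`. Note that the fourth sample line, a POST, yields nothing: the attacker-supplied URL would sit in the request body, which the access log does not record, so POST-based exploitation needs WAF or application-level logging to be seen at all. The `classify_destination` helper is the same check a hardened fetcher would apply before issuing the request (reject anything but `external`, and resolve hostnames to addresses before deciding); here it only labels findings.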

