CVE-2026-25035
Received Received - Intake
Authentication Bypass in Contest Gallery Allows Unauthorized Access

Publication date: 2026-03-25

Last updated on: 2026-04-23

Assigner: Patchstack

Description
Authentication Bypass Using an Alternate Path or Channel vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery allows Authentication Abuse.This issue affects Contest Gallery: from n/a through <= 28.1.2.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-03-25
EPSS Evaluated
2026-06-14
NVD
CVE-2026-25035
EUVD
EUVD-2026-15635
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
contest_gallery contest_gallery to 28.1.2.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-288 The product requires authentication, but the product has an alternate path or channel that does not require authentication.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-25035 is a high-severity authentication bypass vulnerability in the WordPress Contest Gallery Plugin versions up to 28.1.2.2.

This vulnerability allows unauthenticated attackers to perform actions normally restricted to higher-privileged users, potentially gaining administrative access to affected websites.

It falls under the OWASP Top 10 category A7: Identification and Authentication Failures.

The issue was reported by a researcher and patched in version 28.1.3 of the plugin.

Impact Analysis

This vulnerability can allow attackers to gain unauthorized administrative access to your website.

Such access could lead to full control over the website, including modifying content, stealing data, or deploying malicious code.

Because it is a critical flaw with a CVSS score of 9.8, it is highly likely to be exploited in widespread attack campaigns.

Failure to remediate this vulnerability promptly could result in significant security breaches and loss of trust.

Detection Guidance

The vulnerability allows unauthenticated attackers to perform actions typically restricted to higher-privileged users by exploiting a broken authentication flaw in the Contest Gallery plugin up to version 28.1.2.2.

Detection on your network or system would involve monitoring for unusual or unauthorized access attempts to the Contest Gallery plugin endpoints, especially those that could lead to administrative access without proper authentication.

Specific commands or detection signatures are not provided in the available resources.

Mitigation Strategies

The immediate mitigation step is to update the Contest Gallery plugin to version 28.1.3 or later, where the vulnerability has been patched.

Until the update can be applied, users are advised to use Patchstack's automatic mitigation rule which blocks exploitation attempts.

If unable to update promptly, seek assistance from your hosting provider or web developer to implement temporary protections.

Enabling auto-updates for vulnerable plugins is also recommended to ensure rapid protection against such vulnerabilities.

Compliance Impact

The vulnerability in the Contest Gallery plugin allows unauthenticated attackers to gain administrative access, which constitutes a critical authentication failure. Such unauthorized access can lead to data breaches or unauthorized data manipulation, potentially impacting compliance with standards like GDPR and HIPAA that require strict access controls and protection of sensitive data.

Because this flaw falls under the OWASP Top 10 category A7: Identification and Authentication Failures, it directly undermines the security controls necessary to meet regulatory requirements for protecting personal and sensitive information.

Therefore, failure to promptly patch this vulnerability could result in non-compliance with regulations that mandate safeguarding user data and ensuring only authorized access.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25035. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart