CVE-2026-25035
Authentication Bypass in Contest Gallery Allows Unauthorized Access
Publication date: 2026-03-25
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| contest_gallery | contest_gallery | up to and including 28.1.2.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25035 is a high-severity authentication bypass vulnerability in the WordPress Contest Gallery Plugin versions up to 28.1.2.2.
This vulnerability allows unauthenticated attackers to perform actions normally restricted to higher-privileged users, potentially gaining administrative access to affected websites.
It falls under the OWASP Top 10 category A7: Identification and Authentication Failures.
The issue was reported by a researcher and patched in version 28.1.3 of the plugin.
How can this vulnerability impact me?
This vulnerability can allow attackers to gain unauthorized administrative access to your website.
Such access could lead to full control over the website, including modifying content, stealing data, or deploying malicious code.
Because it is a critical flaw with a CVSS score of 9.8, it is highly likely to be exploited in widespread attack campaigns.
Failure to remediate this vulnerability promptly could result in significant security breaches and loss of trust.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability allows unauthenticated attackers to perform actions typically restricted to higher-privileged users by exploiting a broken authentication flaw in the Contest Gallery plugin up to version 28.1.2.2.
Detection on your network or system would involve monitoring for unusual or unauthorized access attempts to the Contest Gallery plugin endpoints, especially those that could lead to administrative access without proper authentication.
Specific commands or detection signatures are not provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Contest Gallery plugin to version 28.1.3 or later, where the vulnerability has been patched.
Until the update can be applied, users are advised to use Patchstack's automatic mitigation rule, which blocks exploitation attempts.
If unable to update promptly, seek assistance from your hosting provider or web developer to implement temporary protections.
Enabling auto-updates for vulnerable plugins is also recommended to ensure rapid protection against such vulnerabilities.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in the Contest Gallery plugin allows unauthenticated attackers to gain administrative access, which constitutes a critical authentication failure. Such unauthorized access can lead to data breaches or unauthorized data manipulation, potentially impacting compliance with standards like GDPR and HIPAA that require strict access controls and protection of sensitive data.
Because this flaw falls under the OWASP Top 10 category A7: Identification and Authentication Failures, it directly undermines the security controls necessary to meet regulatory requirements for protecting personal and sensitive information.
Therefore, failure to promptly patch this vulnerability could result in non-compliance with regulations that mandate safeguarding user data and ensuring only authorized access.