CVE-2026-4021
Published: 24 March 2026
Description
The Contest Gallery plugin for WordPress is vulnerable to an authentication bypass leading to admin account takeover in all versions up to, and including, 28.1.5. This is due to the email confirmation handler in `users-registry-check-after-email-or-pin-confirmation.php` using the user's email string in a `WHERE ID = %s` clause instead of the numeric user ID, combined with an unauthenticated key-based login endpoint in `ajax-functions-frontend.php`. When the non-default `RegMailOptional=1` setting is enabled, an attacker can register with a crafted email starting with the target user ID (e.g., `1poc@example.test`), trigger the confirmation flow to overwrite the admin's `user_activation_key` via MySQL integer coercion, and then use the `post_cg1l_login_user_by_key` AJAX action to authenticate as the admin without any credentials. This makes it possible for unauthenticated attackers to take over any WordPress administrator account and gain full site control.
Mitigating Controls (NIST 800-53 r5)
Flaw remediation (SI-2) directly mitigates this CVE: updating the Contest Gallery plugin to version 28.1.6 removes the flawed SQL handling in the confirmation handler and the authentication logic that depended on it.
Information input validation (SI-10) addresses the root cause: the value placed in the `WHERE ID = ...` clause must be the numeric user ID, not an attacker-controlled string, so that MySQL's coercion of a leading numeric prefix (`1poc@example.test` compares equal to `1`) can never select another user's row and overwrite that user's activation key.
Authenticator management (IA-5) covers `user_activation_key`, which the unauthenticated `post_cg1l_login_user_by_key` endpoint accepts as a credential: the key must be bound to the account that requested it and must not be overwritable by any other user.
Security Summary
CVE-2026-4021 is an authentication bypass vulnerability in the Contest Gallery plugin for WordPress, affecting all versions up to and including 28.1.5. The issue arises in the email confirmation handler within `users-registry-check-after-email-or-pin-confirmation.php`, which incorrectly uses the user's email string in a `WHERE ID = %s` SQL clause instead of the numeric user ID. This is combined with an unauthenticated key-based login endpoint in `ajax-functions-frontend.php`. The vulnerability has a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-287 (Improper Authentication).
Unauthenticated attackers can exploit the vulnerability when the non-default `RegMailOptional=1` setting is enabled. By registering an account with a crafted email address starting with the target administrator's numeric user ID—such as `1poc@example.test` for user ID 1—they trigger the confirmation flow. MySQL integer coercion in the flawed SQL query allows this to overwrite the target admin's `user_activation_key`. The attacker then invokes the `post_cg1l_login_user_by_key` AJAX action to authenticate as the administrator without any credentials, resulting in full WordPress site control.
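As an added example, not the plugin's code or the advisory's own material: a MySQL session that shows why a `WHERE ID = %s` clause fed an email string matches another user's row, the same statement with the integer ID bound instead, and a hunt query for accounts registered with an ID-prefixed email. The table is a minimal stand-in for `wp_users`, the rows and key values are constructed, and the `sql_mode` reset stands in for WordPress's `wpdb` dropping the strict modes from the session.

```sql
-- Added example (not the plugin's code). Minimal stand-in for wp_users;
-- all rows and key values below are constructed for the demonstration.

-- WordPress's wpdb removes STRICT_TRANS_TABLES / STRICT_ALL_TABLES from the
-- session; clearing sql_mode here reproduces that, so the coerced comparison
-- in the UPDATE below only raises warning 1292 instead of failing.
SET SESSION sql_mode = '';

CREATE TEMPORARY TABLE wp_users (
  ID                  BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  user_login          VARCHAR(60)  NOT NULL,
  user_email          VARCHAR(100) NOT NULL,
  user_activation_key VARCHAR(255) NOT NULL DEFAULT ''
);

INSERT INTO wp_users (ID, user_login, user_email, user_activation_key) VALUES
  (1, 'admin',    'admin@example.test', 'original-admin-key'),
  (2, 'attacker', '1poc@example.test',  '');

-- Integer column vs. string literal: MySQL compares both as DOUBLE and
-- converts the string from its leading numeric prefix, so '1poc@...' is 1.0.
SELECT '1poc@example.test' + 0 AS coerced;                          -- 1 (warning 1292)
SELECT ID, user_login FROM wp_users WHERE ID = '1poc@example.test'; -- row 1 (admin), not 2

-- Vulnerable shape: the email string lands where the numeric ID belongs.
-- $wpdb->prepare() with %s quotes the value; quoting does not stop coercion.
UPDATE wp_users
   SET user_activation_key = 'attacker-chosen-key'
 WHERE ID = '1poc@example.test';
SELECT ID, user_login, user_activation_key FROM wp_users;           -- admin's key overwritten

-- Fixed shape: bind the row by its integer ID (%d), or by the email column
-- itself, so a string-vs-string comparison is exact and no coercion occurs.
UPDATE wp_users
   SET user_activation_key = 'legit-key'
 WHERE ID = 2;
UPDATE wp_users
   SET user_activation_key = 'legit-key'
 WHERE user_email = '1poc@example.test';

-- Hunt: accounts whose email's numeric prefix points at another user's ID.
SELECT a.ID AS suspect_id, a.user_email, t.ID AS target_id, t.user_login AS target
  FROM wp_users a
  JOIN wp_users t ON t.ID = CAST(a.user_email AS UNSIGNED) AND t.ID <> a.ID
 WHERE a.user_email REGEXP '^[0-9]';

DROP TEMPORARY TABLE wp_users;
```

Run it against a scratch MySQL or MariaDB instance. The SELECT with the string literal returns the admin row with warning 1292 (truncated incorrect DOUBLE value); under STRICT_ALL_TABLES or STRICT_TRANS_TABLES the UPDATE with the same WHERE clause fails with that error instead, which is why the `wpdb` session mode matters for exploitability. The prefix trick generalizes to any target: an email such as `7poc@example.test` selects ID 7.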
The plugin's Trac repository provides code references to the vulnerable lines in version 28.1.4 and in trunk, along with the changeset from 28.1.5 to 28.1.6; updating to version 28.1.6 addresses the issue by fixing the SQL handling and the related authentication logic.
Details
- CWE(s): CWE-287 (Improper Authentication)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an unauthenticated authentication bypass in a public-facing WordPress plugin, enabling remote exploitation to achieve administrator account takeover and full site control.