CVE-2026-4021 - Contest Gallery WordPress Plugin - Authentication Bypass

Overview

Contest Gallery WordPress plugin <= 28.1.5 contains an authentication bypass caused by improper use of email in SQL query and unauthenticated key-based login, letting unauthenticated attackers take over admin accounts, exploit requires RegMailOptional=1 enabled.

Severity & Score

Severity: High

CVSS Score: 8.1

EPSS Score: 0.0%(Probability of exploitation in next 30 days)

Impact

Unauthenticated attackers can take over any admin account, gaining full site control.

Mitigation

Update to a version later than 28.1.5 or apply vendor patches.

References

Social Media Activity(2 posts)

TheHackerWire

@thehackerwire

Mar 24, 2026

🟠 CVE-2026-4021 - High (8.1) The Contest Gallery plugin for WordPress is vulnerable to an authentication bypass leading to admin account takeover in all versions up to, and including, 28.1.5. This is due to the email confirmation handler in `users-registry-check-after-email-o... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-4021/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

TheHackerWire

@thehackerwire

Mar 24, 2026

🟠 CVE-2026-4021 - High (8.1) The Contest Gallery plugin for WordPress is vulnerable to an authentication bypass leading to admin account takeover in all versions up to, and including, 28.1.5. This is due to the email confirmation handler in `users-registry-check-after-email-o... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-4021/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

CVE-2026-4021 - Vulnerability Analysis

Overview

Severity & Score

Impact

Mitigation

References

Social Media Activity(2 posts)

Related Resources

Details

CWE

CVSS Metrics

EPSS Score