CVE-2026-4021 Overview
The Contest Gallery plugin for WordPress contains a critical authentication bypass vulnerability that enables complete administrator account takeover in all versions up to and including 28.1.5. This vulnerability stems from a dangerous combination of improper input validation in the email confirmation handler and an unauthenticated key-based login endpoint, allowing attackers to hijack any WordPress administrator account without credentials.
Critical Impact
Unauthenticated attackers can take over any WordPress administrator account and gain full site control through a multi-stage attack exploiting MySQL integer coercion and improper authentication key handling.
Affected Products
- Contest Gallery plugin for WordPress versions up to and including 28.1.5
- WordPress installations with Contest Gallery using the non-default RegMailOptional=1 setting
- Any WordPress site where Contest Gallery user registration is enabled
Discovery Timeline
- 2026-03-24 - CVE-2026-4021 published to NVD
- 2026-03-24 - Last updated in NVD database
Technical Details for CVE-2026-4021
Vulnerability Analysis
This authentication bypass vulnerability (CWE-287) affects the Contest Gallery plugin through a sophisticated attack chain that exploits multiple weaknesses in the user registration and authentication flow. The vulnerability is accessible over the network without any authentication requirements, though exploitation requires specific site configuration and multiple steps to execute successfully.
The core issue lies in how the plugin handles user identity verification during the email confirmation process. Instead of properly validating user identity through numeric IDs, the vulnerable code in users-registry-check-after-email-or-pin-confirmation.php incorrectly uses the user's email string in a WHERE ID = %s SQL clause. This type confusion, combined with MySQL's integer coercion behavior, creates a path to overwrite arbitrary user activation keys.
When successfully exploited, attackers gain complete administrative access to the WordPress installation, enabling them to modify site content, install malicious plugins, create additional backdoor accounts, or pivot to underlying server infrastructure.
Root Cause
The vulnerability stems from two interconnected coding errors in the Contest Gallery plugin:
Type Confusion in Email Confirmation Handler: The file users-registry-check-after-email-or-pin-confirmation.php uses the user's email string in an SQL WHERE ID = %s clause instead of the numeric user ID. MySQL's type coercion automatically converts string values to integers by extracting leading numeric characters, meaning an email like 1poc@example.test becomes the integer 1 when used in an ID comparison.
Unauthenticated Login Endpoint: The post_cg1l_login_user_by_key AJAX action in ajax-functions-frontend.php allows authentication using only an activation key without requiring any other credentials, providing the final step attackers need to complete the account takeover.
Attack Vector
The attack requires the non-default RegMailOptional=1 configuration to be enabled on the target WordPress installation. An attacker exploits this vulnerability through the following sequence:
Registration Phase: The attacker registers a new user account with a specially crafted email address that begins with the target user's numeric ID (e.g., 1poc@example.test to target user ID 1, typically the administrator).
Activation Key Overwrite: When the attacker triggers the email confirmation flow, MySQL's integer coercion causes the activation key update query to affect the administrator's record instead of the attacker's account, effectively overwriting the admin's user_activation_key.
Authentication Bypass: Using the known activation key and the post_cg1l_login_user_by_key AJAX endpoint, the attacker authenticates as the administrator without needing any password or other credentials.
The vulnerability is accessible via the network through standard WordPress AJAX endpoints, requiring no prior authentication for the initial registration and confirmation steps.
Detection Methods for CVE-2026-4021
Indicators of Compromise
- User registrations with email addresses starting with numeric characters followed by non-standard domains (e.g., 1@attacker.com, 1poc@example.test)
- Unexpected changes to the user_activation_key field for administrator accounts in the WordPress wp_users table
- AJAX requests to post_cg1l_login_user_by_key action from IP addresses not associated with legitimate user activity
- Multiple failed or successful authentication events for admin accounts without corresponding login form submissions
Detection Strategies
- Monitor WordPress AJAX endpoints for requests to post_cg1l_login_user_by_key with suspicious activation keys
- Implement logging for all user registration events and flag emails with leading numeric patterns
- Deploy Web Application Firewall (WAF) rules to detect and block malformed email addresses in registration requests
- Review Contest Gallery database queries for anomalous WHERE ID = clauses that receive string input
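Detection logic for the indicators and strategies listed above, and for the MySQL coercion described under Root Cause, as an added example (not code from the Contest Gallery plugin or from this advisory). It assumes registration events are logged as JSON lines with ts, ip and email fields (for instance from a logger on WordPress's user_register hook) and that web requests arrive in combined access-log format with the AJAX action visible in the query string; all sample data is constructed.

```python
import json
import re

# Longest numeric prefix MySQL uses when a string is compared to an integer
# column: optional blanks and sign, digits, optional fraction and exponent.
_NUM_PREFIX = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?")
# Combined log format: client IP, request line, status code.
_ACCESS = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample data (assumed log shapes), not real events.
SAMPLE_REGISTRATIONS = [
    '{"ts":"2026-03-24T10:00:01Z","ip":"203.0.113.5","email":"1poc@example.test"}',
    '{"ts":"2026-03-24T10:00:07Z","ip":"198.51.100.9","email":"alice@example.test"}',
    '{"ts":"2026-03-24T10:00:09Z","ip":"198.51.100.9","email":"1.5x@example.test"}',
]
SAMPLE_ACCESS = [
    '203.0.113.5 - - [24/Mar/2026:10:02:15 +0000] "POST /wp-admin/admin-ajax.php?action=post_cg1l_login_user_by_key HTTP/1.1" 200 44 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [24/Mar/2026:10:02:20 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 20 "-" "Mozilla/5.0"',
]

def mysql_coerced_id(value):
    """User ID that `WHERE ID = '<value>'` matches in MySQL, or None: no numeric
    prefix coerces to 0 (no user); a non-integer prefix like 1.5 equals no ID."""
    m = _NUM_PREFIX.match(value)
    if not m:
        return None
    num = float(m.group(0))
    return int(num) if num > 0 and num.is_integer() else None

def flag_registration(event):
    """Flag a registration whose email would collide with a real user ID."""
    target = mysql_coerced_id(event.get("email", ""))
    if target is None:
        return None
    return {"ip": event.get("ip"), "email": event["email"], "targets_user_id": target}

def flag_key_login(line):
    """Flag admin-ajax.php calls to the key-login action (action parameter assumed
    to be in the query string; POST bodies are not present in access logs)."""
    m = _ACCESS.match(line)
    if not m or "admin-ajax.php" not in m.group("target") \
            or "action=post_cg1l_login_user_by_key" not in m.group("target"):
        return None
    return {"ip": m.group("ip"), "status": m.group("status")}

def correlate(registration_lines, access_lines):
    """Suspicious registrations, marked when the same IP also hit the key login."""
    regs = [r for r in (flag_registration(json.loads(e)) for e in registration_lines) if r]
    login_ips = {hit["ip"] for hit in map(flag_key_login, access_lines) if hit}
    return [dict(r, key_login_seen=r["ip"] in login_ips) for r in regs]
```

A registration that targets a user ID and is followed by a key-login call from the same IP is the strongest signal; a key-login call alone still merits review because the endpoint needs no other credential.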
Monitoring Recommendations
- Enable comprehensive logging for WordPress user registration and authentication events
- Set up alerts for administrative account access from new or unusual IP addresses
- Monitor the WordPress wp_users table for unexpected modifications to the user_activation_key column
- Review the Contest Gallery plugin configuration to ensure the status of the RegMailOptional setting is tracked
How to Mitigate CVE-2026-4021
Immediate Actions Required
- Update Contest Gallery plugin to version 28.1.6 or later immediately
- Audit all administrator accounts for unauthorized access or unexpected activation key changes
- Review user registration logs for suspicious email patterns beginning with numeric IDs
- If update is not immediately possible, disable user registration features in Contest Gallery
- Reset all administrator passwords and regenerate activation keys after patching
Patch Information
The vulnerability has been addressed in Contest Gallery version 28.1.6. The security patch corrects the type confusion issue in the email confirmation handler by properly validating user identity through numeric IDs rather than email strings. Organizations should review the WordPress Contest Gallery Change Log for complete details on the security fixes. Additional vulnerability intelligence is available from the Wordfence Vulnerability Intelligence database.
Workarounds
- Disable the RegMailOptional setting (set to 0) to require email verification, removing one precondition for exploitation
- Temporarily disable user registration functionality within the Contest Gallery plugin until patching is complete
- Implement WAF rules to block registration attempts with email addresses containing leading numeric characters
- Restrict access to WordPress AJAX endpoints from untrusted IP ranges where operationally feasible
- Consider temporarily deactivating the Contest Gallery plugin entirely on high-value sites until patched
# Configuration example - disable Contest Gallery registration
# until the plugin can be updated to version 28.1.6.
# Apply in the plugin configuration from the WordPress admin:
# Dashboard > Contest Gallery > Settings > Registration
# Set RegMailOptional to 0 (disabled) if the option is available,
# or disable user registration entirely until patched.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.