The Contest Gallery plugin for WordPress, widely used for managing photo contests and media sales, contains a critical authentication bypass vulnerability (CVE-2026-4021) due to improper authentication (CWE-287). The vulnerability stems from the email confirmation handler in the file users-registry-check-after-email-or-pin-confirmation.php, which incorrectly uses the user's email string in a SQL WHERE clause expecting a numeric user ID. Specifically, the query uses WHERE ID = %s with the email string, causing MySQL to coerce the string to an integer, which can be exploited when the RegMailOptional=1 setting is enabled. An attacker can register an account with a crafted email starting with the numeric ID of a target administrator (e.g., '1poc@example.test' where '1' is the admin user ID). During the confirmation process, this crafted email causes the admin's user_activation_key to be overwritten. Subsequently, the attacker can leverage an unauthenticated AJAX login endpoint (post_cg1l_login_user_by_key in ajax-functions-frontend.php) to authenticate as the admin without any credentials. This bypasses all authentication controls and grants full administrative access to the attacker. The vulnerability affects all versions up to and including 28.1.5. Although no public exploits are known yet, the ease of exploitation and the impact of full admin takeover make this a critical threat. The vulnerability requires the non-default RegMailOptional=1 setting to be enabled, which may limit exposure but still poses a severe risk to affected sites. The CVSS v3.1 score is 8.1, reflecting high impact on confidentiality, integrity, and availability with no privileges or user interaction required but with high attack complexity due to the specific setting requirement.

Successful exploitation of CVE-2026-4021 allows unauthenticated attackers to gain full administrative control over WordPress sites running the vulnerable Contest Gallery plugin with the RegMailOptional=1 setting enabled. This leads to complete compromise of the affected website, including the ability to modify content, install malicious plugins or backdoors, steal sensitive data, and disrupt site availability. Organizations relying on this plugin for contest management or media sales risk reputational damage, data breaches, and potential financial losses. Since WordPress powers a significant portion of the web, the vulnerability could be leveraged in targeted attacks against high-profile sites or used in widespread automated attacks once exploits become available. The requirement of a specific plugin setting reduces the attack surface but does not eliminate the risk, especially for sites that have customized configurations. The impact extends beyond the website itself, potentially affecting connected systems and users through compromised administrative privileges.

1. Immediately update the Contest Gallery plugin to a patched version once released by the vendor. Monitor official channels for patch announcements. 2. If patching is not immediately possible, disable the Contest Gallery plugin to eliminate the attack vector. 3. Review and disable the RegMailOptional=1 setting in the plugin configuration to prevent exploitation of the email coercion flaw. 4. Implement web application firewall (WAF) rules to block suspicious AJAX requests targeting the post_cg1l_login_user_by_key endpoint, especially from unauthenticated sources. 5. Audit user accounts for unauthorized changes to user_activation_key or suspicious registrations with crafted emails. 6. Enforce strict input validation and sanitization on user registration fields to prevent injection or coercion attacks. 7. Monitor logs for unusual login activity or AJAX requests related to the plugin. 8. Educate site administrators about the risks and encourage regular plugin updates and security best practices. 9. Consider isolating or sandboxing the plugin functionality if possible to limit impact. 10. Conduct a full security review and incident response if compromise is suspected.