VYPR
Medium severity 6.5 · NVD Advisory · Published Jun 15, 2026 · Updated Jun 15, 2026

CVE-2026-42656

Description

Subscriber-level stored XSS in Contest Gallery ≤ 28.1.6 allows attackers to inject malicious scripts executed when other users visit the site.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Contest Gallery plugin for WordPress versions up to and including 28.1.6 is vulnerable to stored cross-site scripting (XSS). A subscriber-level user can inject arbitrary JavaScript into the page through a vulnerable parameter. The injected script is stored and executed when other users, including site visitors and administrators, access the affected page. [1]
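The pattern described above, shown as an added before/after illustration. This is not Contest Gallery code and the advisory does not name the vulnerable parameter; the field name `cg_caption`, the entry id, and the `cg_demo_*` function names are hypothetical stand-ins for a subscriber-writable value that is stored and later rendered. The WordPress API calls used (`sanitize_text_field`, `esc_html`, `current_user_can`, `check_admin_referer`, `update_post_meta`, `get_post_meta`) are real.

```php
<?php
// Added illustration, not Contest Gallery code. "cg_caption" and the
// cg_demo_* handler names are hypothetical; they stand in for whatever
// subscriber-writable field the advisory refers to.

// BEFORE: the shape that produces stored XSS. A logged-in subscriber submits
// a value, it is saved verbatim, and later echoed raw into a page that
// administrators and ordinary visitors render.
function cg_demo_save_caption_vulnerable( $entry_id ) {
    if ( ! is_user_logged_in() ) {
        return;
    }
    // No sanitization: a <script> element lands in the database untouched.
    update_post_meta( $entry_id, 'cg_caption', $_POST['cg_caption'] );
}

function cg_demo_render_caption_vulnerable( $entry_id ) {
    // No escaping on output: the browser executes whatever was stored.
    echo '<p class="caption">' . get_post_meta( $entry_id, 'cg_caption', true ) . '</p>';
}

// AFTER: the same flow hardened. Each layer is independent; output escaping
// is the one that actually prevents stored markup from executing.
function cg_demo_save_caption_hardened( $entry_id ) {
    // Capability check: only users allowed to edit this entry may write to it.
    if ( ! current_user_can( 'edit_post', $entry_id ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // Nonce check: rejects forged cross-site form submissions.
    check_admin_referer( 'cg_demo_save_' . $entry_id );
    // Input sanitization: strips tags and control characters before storage.
    $caption = sanitize_text_field( wp_unslash( $_POST['cg_caption'] ?? '' ) );
    update_post_meta( $entry_id, 'cg_caption', $caption );
}

function cg_demo_render_caption_hardened( $entry_id ) {
    // Output escaping: even if a raw value reached the database through some
    // other path, the browser now sees &lt;script&gt; as text, not markup.
    $caption = get_post_meta( $entry_id, 'cg_caption', true );
    echo '<p class="caption">' . esc_html( $caption ) . '</p>';
}
```

When reviewing a plugin for this class of bug, look for the output side first: any stored value that reaches `echo` without `esc_html`, `esc_attr`, or `wp_kses_post` is the defect, regardless of what the save handler did.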

Exploitation

An attacker must have a subscriber account on the WordPress site. The attacker submits a crafted script payload via a form field or other input that is not properly sanitized. The payload is stored on the server. When a privileged user (such as an admin) or any other visitor loads the affected page, the script executes. User interaction from the target (e.g., visiting the page) is required for the exploit to succeed. [1]

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can be used to redirect visitors to malicious sites, display advertisements, steal session cookies, or perform other actions that compromise the confidentiality and integrity of the site and its users. The attacker does not gain elevated privileges on the server, but can perform actions as the victim user. [1]

Mitigation

The vulnerability is fixed in Contest Gallery version 29.0.0 and later. Users should update immediately. If unable to update, a mitigation rule from Patchstack can be applied to block attacks until the patch is installed. No other workarounds are disclosed in the available references. [1]

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 0

No linked articles in our index yet.