CVE-2026-42660
Description
Sensitive data exposure in WordPress Contest Gallery plugin up to version 28.1.7 allows subscribers to view private data; update to 29.0.0 to fix.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The WordPress Contest Gallery plugin, versions 28.1.7 and earlier, contains a sensitive data exposure vulnerability. Subscriber-level authenticated users can access private information that should be restricted. The issue resides in insufficient access controls for certain data endpoints [1].
Exploitation
An attacker needs a subscriber-level account on the target WordPress site. By exploiting the plugin's improper data access controls, the attacker can retrieve sensitive information intended for other user roles or for administrators only. No special privileges beyond subscriber are required [1].
Impact
Successful exploitation allows an attacker to view sensitive data, potentially including personal information of other users or private application data. This leads to unauthorized information disclosure with a CVSS score of 6.5 (Medium) and is expected to be used in mass exploitation campaigns [1].
Mitigation
Update to version 29.0.0 or later, which contains the fix. If an immediate update is not possible, consider applying a virtual patch or mitigation rule from Patchstack. Ensure that all instances of the plugin are updated promptly to prevent exploitation [1].
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=28.1.7
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (0)
No linked articles in our index yet.