CVE-2026-25035
Published: 25 March 2026
Summary
CVE-2026-25035 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 33.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-25035 is an Authentication Bypass Using an Alternate Path or Channel vulnerability (CWE-288) in the Contest Gallery WordPress plugin, developed by Wasiliy Strecker / ContestGallery and distributed as the contest-gallery package. The issue enables authentication abuse and affects versions from n/a (no lower bound given) through 28.1.2.2. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), which places it in the Critical band.
An unauthenticated remote attacker can trigger the flaw over the network with low attack complexity and no user interaction. Successful exploitation has high impact on confidentiality, integrity, and availability; the resulting authentication abuse corresponds to the account takeover scenario described in vulnerability databases.
The Patchstack advisory for this account takeover vulnerability in Contest Gallery 28.1.2.2 is available at https://patchstack.com/database/Wordpress/Plugin/contest-gallery/vulnerability/wordpress-contest-gallery-plugin-28-1-2-2-account-takeover-vulnerability?_s_id=cve. Consult it for mitigation guidance and patch information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-15635
Vulnerability details
Authentication Bypass Using an Alternate Path or Channel vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery allows Authentication Abuse. This issue affects Contest Gallery: from n/a through <= 28.1.2.2.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An authentication bypass in a publicly accessible WordPress plugin directly enables remote, unauthenticated exploitation of a public-facing web application (T1190), leading to account takeover and full compromise.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): timely patching of the vulnerable Contest Gallery WordPress plugin directly eliminates the authentication bypass.
- AC-3 (Access Enforcement): mandating authentication checks on all paths and channels prevents exploitation of the alternate-path authentication bypass in the plugin.
- RA-5 (Vulnerability Monitoring and Scanning): vulnerability scanning identifies the critical authentication bypass flaw in the Contest Gallery plugin, enabling proactive mitigation.