Cyber Resilience

CVE-2026-25035

Critical

Published: 25 March 2026
Modified: 24 April 2026
KEV Added: not listed
Patch: not specified
CVSS v3.1 Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0042 (33.2nd percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-25035 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 33.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-25035 is an Authentication Bypass Using an Alternate Path or Channel vulnerability (CWE-288) in the Contest Gallery WordPress plugin, published by Wasiliy Strecker / ContestGallery as the contest-gallery package. The flaw enables authentication abuse and affects all versions up to and including 28.1.2.2 (no lower bound is given in the record). It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), which places it in the Critical range because of its potential for severe impact.

An unauthenticated remote attacker can exploit this vulnerability over the network with low attack complexity and no user interaction. Successful exploitation yields high impact on confidentiality, integrity, and availability; the resulting authentication abuse corresponds to the account takeover scenario described in vulnerability databases.

The Patchstack advisory provides details on this account takeover vulnerability in Contest Gallery version 28.1.2.2, available at https://patchstack.com/database/Wordpress/Plugin/contest-gallery/vulnerability/wordpress-contest-gallery-plugin-28-1-2-2-account-takeover-vulnerability?_s_id=cve. Security practitioners should consult this reference for mitigation guidance and patch information.

Vulnerability details

Authentication Bypass Using an Alternate Path or Channel vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery allows Authentication Abuse. This issue affects Contest Gallery: from n/a through <= 28.1.2.2.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

An authentication bypass in a publicly accessible WordPress plugin directly enables remote, unauthenticated exploitation of a public-facing web application (T1190), leading to account takeover and full compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-44574 (shared CWE-288)
CVE-2025-2747 (shared CWE-288)
CVE-2025-69101 (shared CWE-288)
CVE-2026-2628 (shared CWE-288)
CVE-2025-64121 (shared CWE-288)
CVE-2026-22733 (shared CWE-288)
CVE-2026-44575 (shared CWE-288)
CVE-2025-50904 (shared CWE-288)
CVE-2025-24846 (shared CWE-288)
CVE-2026-25002 (shared CWE-288)

Mitigating Controls (NIST 800-53 r5, AI)

Prevent (SI-2, Flaw Remediation): Timely flaw remediation requires patching the vulnerable Contest Gallery WordPress plugin, directly eliminating the authentication bypass vulnerability.

Prevent (AC-3, Access Enforcement): Access enforcement mandates authentication checks on all paths and channels, preventing exploitation of the alternate-path authentication bypass in the plugin.

Detect (RA-5, Vulnerability Monitoring and Scanning): Vulnerability scanning identifies the critical authentication bypass flaw in the Contest Gallery plugin, enabling proactive mitigation.
