Cyber Resilience

CVE-2026-4021

High

Published: 24 March 2026
Modified: 24 April 2026
KEV Added: not listed
Patch
CVSS Score (v3.1): 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0044 (34.8th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-4021 is a high-severity Improper Authentication (CWE-287) vulnerability in WordPress (inferred from references). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-4021 is an authentication bypass vulnerability in the Contest Gallery plugin for WordPress, affecting all versions up to and including 28.1.5. The issue arises in the email confirmation handler within `users-registry-check-after-email-or-pin-confirmation.php`, which incorrectly uses the user's email string in a `WHERE ID = %s` SQL clause instead of the numeric user ID. This is combined with an unauthenticated key-based login endpoint in `ajax-functions-frontend.php`. The vulnerability has a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-287 (Improper Authentication).

Unauthenticated attackers can exploit the vulnerability when the non-default `RegMailOptional=1` setting is enabled. By registering an account with a crafted email address starting with the target administrator's numeric user ID—such as `1poc@example.test` for user ID 1—they trigger the confirmation flow. MySQL integer coercion in the flawed SQL query allows this to overwrite the target admin's `user_activation_key`. The attacker then invokes the `post_cg1l_login_user_by_key` AJAX action to authenticate as the administrator without any credentials, resulting in full WordPress site control.

The plugin's trac repository provides code references to the vulnerable lines in version 28.1.4 and trunk, along with a changeset documenting the changes from 28.1.5 to 28.1.6, indicating that updating to version 28.1.6 addresses the issue by fixing the SQL handling and related logic.

Vulnerability details

The Contest Gallery plugin for WordPress is vulnerable to an authentication bypass leading to admin account takeover in all versions up to, and including, 28.1.5. This is due to the email confirmation handler in `users-registry-check-after-email-or-pin-confirmation.php` using the user's email string in a `WHERE ID = %s` clause instead of the numeric user ID, combined with an unauthenticated key-based login endpoint in `ajax-functions-frontend.php`. When the non-default `RegMailOptional=1` setting is enabled, an attacker can register with a crafted email starting with the target user ID (e.g., `1poc@example.test`), trigger the confirmation flow to overwrite the admin's `user_activation_key` via MySQL integer coercion, and then use the `post_cg1l_login_user_by_key` AJAX action to authenticate as the admin without any credentials. This makes it possible for unauthenticated attackers to take over any WordPress administrator account and gain full site control.
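To make the defect in the deeper analysis and the details above concrete, here is an added illustration in Python (not the plugin's code) that models MySQL's string-versus-integer comparison rule and contrasts the `%s`-bound lookup with a corrected flow that resolves the registrant by exact e-mail match and binds only the integer ID (`%d`). The user table, e-mail addresses and keys are constructed for the demonstration; the coercion function is an approximation of MySQL's rule, not the server itself.

```python
import re
from dataclasses import dataclass


@dataclass
class User:  # constructed stand-in for the user rows that matter here
    ID: int
    user_email: str
    user_activation_key: str = ""


def mysql_numeric_coerce(value: str) -> float:
    """Approximates MySQL's string-vs-integer comparison: the longest leading
    numeric prefix is kept and the rest dropped (MySQL only warns), so
    '1poc@example.test' compares equal to 1 and 'poc@...' to 0."""
    m = re.match(r"\s*[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?", value)
    return float(m.group(0)) if m else 0.0


def vulnerable_set_key(users, email: str, new_key: str):
    """Models `WHERE ID = %s` bound with the e-mail string: whichever row's
    integer ID equals the coerced string is updated, not the registrant."""
    target = mysql_numeric_coerce(email)
    hit = [u for u in users if float(u.ID) == target]
    for u in hit:
        u.user_activation_key = new_key
    return [u.ID for u in hit]


def fixed_set_key(users, email: str, new_key: str):
    """Hardened flow: resolve the registrant by exact e-mail match, then bind
    only its integer ID (`WHERE ID = %d`); no string reaches the comparison."""
    account = next((u for u in users if u.user_email == email), None)
    if account is None:
        return []
    hit = [u for u in users if u.ID == int(account.ID)]
    for u in hit:
        u.user_activation_key = new_key
    return [u.ID for u in hit]


def demo():
    """Constructed table: admin is ID 1, the crafted registrant is ID 7.
    Returns the IDs each flow updated and the admin's key afterwards."""
    def table():
        return [User(1, "admin@example.test", "original-admin-key"),
                User(7, "1poc@example.test")]
    vuln, fixed = table(), table()
    v_ids = vulnerable_set_key(vuln, "1poc@example.test", "new-key")
    f_ids = fixed_set_key(fixed, "1poc@example.test", "new-key")
    return v_ids, f_ids, vuln[0].user_activation_key, fixed[0].user_activation_key


if __name__ == "__main__":
    print(demo())  # ([1], [7], 'new-key', 'original-admin-key')
```

The same check applies when reviewing any WordPress `$wpdb->prepare()` call: a placeholder bound against an integer key column should be `%d`, and the value should come from a lookup that already resolved the intended row.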

CWE(s)

CWE-287 Improper Authentication

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an unauthenticated authentication bypass in a public-facing WordPress plugin, enabling remote exploitation to achieve administrator account takeover and full site control.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-1044 (shared CWE-287)
CVE-2026-1740 (shared CWE-287)
CVE-2026-7022 (shared CWE-287)
CVE-2024-13111 (shared CWE-287)
CVE-2026-29145 (shared CWE-287)
CVE-2018-25236 (shared CWE-287)
CVE-2024-53704 (shared CWE-287)
CVE-2024-57049 (shared CWE-287)
CVE-2025-12374 (shared CWE-287)
CVE-2025-15484 (shared CWE-287)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Flaw remediation directly mitigates this CVE by updating the Contest Gallery plugin to version 28.1.6, which fixes the flawed SQL handling and authentication logic.

SI-10 Information Input Validation (prevent)

Information input validation prevents crafted email addresses from exploiting MySQL integer coercion in the SQL WHERE clause to overwrite user activation keys.

IA-5 Authenticator Management (prevent)

Authenticator management secures user activation keys against unauthorized overwrite and misuse in unauthenticated key-based login endpoints.
