CVE-2026-4021

High
CWE-287 — Weakness Type
Published: Mar 24, 2026  ·  Modified: Mar 30, 2026  ·  Source: NVD
CVSS v3: 8.1
📄 Description (English)

The Contest Gallery plugin for WordPress is vulnerable to an authentication bypass leading to admin account takeover in all versions up to, and including, 28.1.5. This is due to the email confirmation handler in `users-registry-check-after-email-or-pin-confirmation.php` using the user's email string in a `WHERE ID = %s` clause instead of the numeric user ID, combined with an unauthenticated key-based login endpoint in `ajax-functions-frontend.php`. When the non-default `RegMailOptional=1` setting is enabled, an attacker can register with a crafted email starting with the target user ID (e.g., `1poc@example.test`), trigger the confirmation flow to overwrite the admin's `user_activation_key` via MySQL integer coercion, and then use the `post_cg1l_login_user_by_key` AJAX action to authenticate as the admin without any credentials. This makes it possible for unauthenticated attackers to take over any WordPress administrator account and gain full site control.

🤖 AI Executive Summary

CVE-2026-4021 is a critical authentication bypass vulnerability in the Contest Gallery WordPress plugin (versions ≤28.1.5) that allows unauthenticated attackers to take over administrator accounts through email confirmation handler exploitation and MySQL integer coercion. When the non-default RegMailOptional setting is enabled, attackers can register with a crafted email, overwrite the admin's activation key, and gain full site control via an unauthenticated AJAX login endpoint. With no patch currently available and no exploit publicly disclosed, immediate mitigation is essential for all affected WordPress installations in Saudi Arabia.

🤖 AI Intelligence Analysis (analyzed: Apr 26, 2026 11:33)
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses severe risk to Saudi organizations using WordPress with the Contest Gallery plugin, particularly affecting: (1) Government agencies and ministries using WordPress for public portals and citizen services under NCA oversight; (2) Banking and financial institutions (SAMA-regulated) using WordPress for customer-facing platforms; (3) E-commerce and retail businesses managing online storefronts; (4) Healthcare providers (MOH-regulated) using WordPress for patient information portals; (5) Educational institutions and universities; (6) Telecommunications companies (STC, Mobily) using WordPress for service portals. The vulnerability enables complete site takeover, data theft, malware injection, and reputational damage. Organizations in regulated sectors face compliance violations and potential regulatory penalties from SAMA, NCA, and MOH.
🏢 Affected Saudi Sectors
Government and Public Administration, Banking and Financial Services, Healthcare and Medical Services, E-commerce and Retail, Telecommunications, Education and Universities, Energy and Utilities, Insurance, Real Estate and Property Management, Media and Publishing
⚖️ Saudi Risk Score (AI): 9.2 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Disable the Contest Gallery plugin immediately: Navigate to WordPress admin > Plugins > Contest Gallery > Deactivate and Delete
2. If plugin functionality is critical, isolate the affected WordPress instance from production until patching is available
3. Change all WordPress administrator account passwords immediately
4. Review user accounts for unauthorized admin accounts created in the past 30 days
5. Check WordPress user_activation_key values in wp_users table for suspicious modifications

DETECTION & INVESTIGATION:
6. Search WordPress logs and web server logs for POST requests to /wp-admin/admin-ajax.php with action=post_cg1l_login_user_by_key
7. Monitor for user registrations with emails matching pattern: ^[0-9]+[a-zA-Z0-9._%+-]*@.*$ (numeric prefix emails)
8. Check wp_usermeta table for recent user_activation_key changes
9. Review wp_users table for accounts with user_registered dates matching suspicious activity timeframes

COMPENSATING CONTROLS (if plugin cannot be immediately removed):
10. Disable user registration entirely by unchecking Membership under Settings > General
11. Disable the RegMailOptional setting if accessible in plugin settings
12. Implement Web Application Firewall (WAF) rules to block requests to post_cg1l_login_user_by_key AJAX action
13. Restrict /wp-admin/admin-ajax.php access to authenticated users only via .htaccess or nginx configuration
14. Implement IP whitelisting for WordPress admin access
15. Enable two-factor authentication (2FA) on all administrator accounts using plugins like Wordfence or Google Authenticator

LONG-TERM REMEDIATION:
16. Monitor the Contest Gallery plugin repository for security updates and apply immediately when available
17. Consider replacing Contest Gallery with alternative, actively maintained plugins
18. Implement WordPress security hardening: disable file editing, restrict plugin/theme uploads, implement regular backups
19. Deploy WordPress security monitoring solution (Wordfence, Sucuri, or equivalent) with real-time threat detection
20. Conduct full WordPress security audit including database integrity verification

DETECTION RULES (for SIEM/WAF):
- Alert on POST requests to admin-ajax.php with action=post_cg1l_login_user_by_key
- Alert on user registrations with email addresses starting with numeric characters
- Alert on wp_users table modifications to user_activation_key field outside normal change windows
- Alert on successful logins immediately following user registration with numeric-prefix emails
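The detection steps (6 to 9) and the SIEM/WAF rules above, implemented over constructed sample data as an added example (not code from the advisory, NVD, or the plugin). It assumes a request/event log exported as JSON lines with the field names used in `SAMPLE_LOG` (an assumed format: `event`/`email` lines for WordPress registrations, `method`/`uri`/`body`/`status` lines for HTTP requests); plain access logs do not record POST bodies, so the `body` field only exists where a WAF or application-layer logger captures it. It goes slightly beyond the advisory's POST-only rule by flagging the `post_cg1l_login_user_by_key` action whatever the HTTP method, and it checks rule 3 by diffing two snapshots of `wp_users` rather than by watching the table live.

```python
"""Detection helpers for the CVE-2026-4021 indicators named in the advisory.

Added example, not the advisory's, NVD's or the plugin's code. Assumes a
request/event log exported as JSON lines with the fields used in SAMPLE_LOG
(an assumed format); ordinary web server access logs do not record POST
bodies, so the "body" field is only present where a WAF or application-layer
logger captures it.
"""
import json
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the advisory text.
KEY_LOGIN_ACTION = "post_cg1l_login_user_by_key"
AJAX_PATH = "/wp-admin/admin-ajax.php"
NUMERIC_PREFIX_EMAIL = re.compile(r"^[0-9]+[a-zA-Z0-9._%+-]*@.*$")  # detection step 7

# Constructed sample log: two registration events and three AJAX requests.
SAMPLE_LOG = """\
{"ts":"2026-03-25T09:00:01Z","src":"203.0.113.7","event":"user_registered","email":"1poc@example.test"}
{"ts":"2026-03-25T09:00:05Z","src":"203.0.113.7","method":"POST","uri":"/wp-admin/admin-ajax.php?action=post_cg1l_login_user_by_key","body":"key=REDACTED","status":200}
{"ts":"2026-03-25T09:10:00Z","src":"198.51.100.4","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=heartbeat","status":200}
{"ts":"2026-03-25T09:12:00Z","src":"198.51.100.9","event":"user_registered","email":"alice@example.org"}
{"ts":"2026-03-25T11:00:00Z","src":"203.0.113.9","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=post_cg1l_login_user_by_key&key=REDACTED","status":403}
"""

# Constructed snapshots of `SELECT ID, user_activation_key FROM wp_users`
# taken before and after the suspected activity window.
WP_USERS_BEFORE = [{"ID": 1, "user_activation_key": ""}, {"ID": 2, "user_activation_key": ""}]
WP_USERS_AFTER = [{"ID": 1, "user_activation_key": "REDACTED_KEY"}, {"ID": 2, "user_activation_key": ""}]


def parse_log(text):
    """Parse JSON lines into dicts, converting the ISO-8601 "ts" field to datetime."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            entry = json.loads(line)
            entry["ts"] = datetime.strptime(entry["ts"], "%Y-%m-%dT%H:%M:%SZ")
            entries.append(entry)
    return entries


def request_action(entry):
    """Return the WordPress AJAX "action" parameter of a request to admin-ajax.php,
    taken from the query string first and from the logged POST body otherwise."""
    if "uri" not in entry:
        return None
    parts = urlsplit(entry["uri"])
    if parts.path != AJAX_PATH:
        return None
    params = parse_qs(parts.query)
    if "action" not in params and entry.get("body"):
        params = parse_qs(entry["body"])
    return params.get("action", [None])[0]


def is_key_login_request(entry):
    """Detection rule 1: any request carrying the key-based login action."""
    return request_action(entry) == KEY_LOGIN_ACTION


def is_numeric_prefix_email(email):
    """Detection rule 2 / step 7: the local part starts with one or more digits."""
    return NUMERIC_PREFIX_EMAIL.match(email) is not None


def find_alerts(entries, window=timedelta(minutes=15)):
    """Apply rules 1, 2 and 4 over a time-ordered event stream and return alerts.
    Rule 4 fires when a successful (HTTP 200) key login follows a numeric-prefix
    registration within `window`; there is no same-source requirement, since the
    advisory does not impose one."""
    alerts, suspicious_regs = [], []
    for e in sorted(entries, key=lambda x: x["ts"]):
        if e.get("event") == "user_registered":
            if is_numeric_prefix_email(e["email"]):
                alerts.append({"rule": "numeric_prefix_registration", "ts": e["ts"],
                               "src": e["src"], "email": e["email"]})
                suspicious_regs.append(e)
        elif is_key_login_request(e):
            alerts.append({"rule": "key_login_request", "ts": e["ts"], "src": e["src"],
                           "method": e.get("method"), "status": e.get("status")})
            if e.get("status") == 200:
                for reg in suspicious_regs:
                    if timedelta(0) <= e["ts"] - reg["ts"] <= window:
                        alerts.append({"rule": "registration_then_key_login", "ts": e["ts"],
                                       "src": e["src"], "email": reg["email"]})
    return alerts


def activation_key_changes(before, after):
    """Detection rule 3: IDs whose user_activation_key differs between two wp_users snapshots."""
    before_keys = {row["ID"]: row["user_activation_key"] for row in before}
    return [row["ID"] for row in after
            if before_keys.get(row["ID"]) != row["user_activation_key"]]


if __name__ == "__main__":
    for alert in find_alerts(parse_log(SAMPLE_LOG)):
        print(alert)
    print("activation keys changed for IDs:", activation_key_changes(WP_USERS_BEFORE, WP_USERS_AFTER))
```

On the sample data this yields four alerts: the numeric-prefix registration, the successful key-login request four seconds later, the rule-4 correlation between the two, and the later rejected (403) key-login attempt, plus user ID 1 as the only row whose activation key changed between snapshots. The snapshot diff is the practical form of rule 3 because `user_activation_key` lives in `wp_users` and a periodic export is usually easier to obtain than database audit logging.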
🔧 Remediation Steps (Arabic version, translated to English)
IMMEDIATE ACTIONS:
1. Deactivate the Contest Gallery plugin immediately: go to the WordPress dashboard > Plugins > Contest Gallery > Deactivate and Delete
2. If the plugin's functionality is critical, isolate the affected WordPress instance from production until a fix is available
3. Change the passwords of all WordPress administrator accounts immediately
4. Review user accounts for unauthorized administrator accounts created in the last 30 days
5. Check the user_activation_key values in the wp_users table for suspicious modifications

DETECTION AND INVESTIGATION:
6. Search WordPress logs and web server logs for POST requests to /wp-admin/admin-ajax.php with action=post_cg1l_login_user_by_key
7. Monitor user registrations with an email address matching the pattern ^[0-9]+[a-zA-Z0-9._%+-]*@.*$ (numeric-prefix email addresses)
8. Check the wp_usermeta table for recent changes to user_activation_key
9. Review the wp_users table for accounts whose user_registered dates match the suspicious activity timeframes

COMPENSATING CONTROLS (if the plugin cannot be removed immediately):
10. Disable user registration entirely via Settings > General > Membership unchecked
11. Disable the RegMailOptional setting, if accessible, in the plugin settings
12. Implement Web Application Firewall (WAF) rules to block requests to the post_cg1l_login_user_by_key AJAX action
13. Restrict access to /wp-admin/admin-ajax.php to authorized users only via .htaccess or the nginx configuration
14. Implement IP whitelisting for WordPress administrator access
15. Enable multi-factor authentication (2FA) on all administrator accounts using plugins such as Wordfence or Google Authenticator

LONG-TERM MITIGATION:
16. Monitor the Contest Gallery plugin repository for security updates and apply them immediately when available
17. Consider replacing Contest Gallery with actively maintained alternative plugins
18. Implement WordPress security hardening: disable file editing, restrict plugin/theme uploads, implement regular backups
19. Deploy a WordPress security monitoring solution (Wordfence, Sucuri, or equivalent) with real-time threat detection
20. Conduct a full WordPress security audit, including database integrity verification
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
- A.5.1.1 - Information security policies and procedures
- A.6.1.1 - Access control policy
- A.6.2.1 - User registration and access rights management
- A.6.2.2 - Privileged access rights
- A.8.2.1 - User authentication
- A.8.2.3 - Password management
- A.9.2.1 - User access management
- A.12.4.1 - Event logging
- A.12.4.3 - Administrator and operator logs
🔵 SAMA CSF
- ID.AM-1 - Asset Management
- PR.AC-1 - Access Control Policy
- PR.AC-2 - Physical and Logical Access Controls
- PR.AC-3 - Access Enforcement
- PR.AC-4 - Access Rights Management
- PR.AC-5 - Identification and Authentication
- DE.CM-1 - System Monitoring
- DE.CM-3 - Unauthorized Software Detection
- RS.AN-1 - Characterization of Incident
🟡 ISO 27001:2022
- 5.2.1 - User registration and access rights
- 5.3.1 - Management of privileged access rights
- 6.2.1 - Reduction and management of information security risk
- 8.2.1 - User authentication
- 8.2.2 - User identification and authentication
- 8.2.3 - Password management
- 8.3.1 - Information access restriction
- 8.3.2 - Access to networks and network services
- 8.3.3 - Access control
- 8.3.4 - Access to application and information systems
🟣 PCI DSS v4.0.1
- Requirement 2.1 - Default passwords and security parameters
- Requirement 6.2 - Security patches and updates
- Requirement 7 - Restrict access to data by business need
- Requirement 8.1 - Assign unique ID to each person
- Requirement 8.2 - Ensure proper user authentication
- Requirement 8.3 - Restrict physical and logical access
📊 CVSS Score: 8.1 / 10.0 (High)
📊 CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- Attack Vector (AV): N (Network)
- Attack Complexity (AC): H (High)
- Privileges Required (PR): N (None)
- User Interaction (UI): N (None)
- Scope (S): U (Unchanged)
- Confidentiality (C): H (High)
- Integrity (I): H (High)
- Availability (A): H (High)
📋 Quick Facts
- Severity: High
- CVSS Score: 8.1
- CWE: CWE-287
- Exploit: No
- Patch: ✗ No
- Published: 2026-03-24
- Source Feed: nvd
- Views: 4
🇸🇦 Saudi Risk Score: 9.2 / 10.0, Priority: CRITICAL
🏷️ Tags: CWE-287