CVE-2026-40771: WordPress Contest Gallery plugin <= 28.1.6 - SQL Injection vulnerability
Unauthenticated SQL Injection in Contest Gallery versions <= 28.1.6.
Metrics
- CVSS v3.1: 9.3
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An unauthenticated SQL injection vulnerability affects the Contest Gallery WordPress plugin in versions 28.1.6 and earlier. The flaw is reachable over the network with no authentication required and carries a changed-scope (S:C) rating, meaning a successful attacker can read data outside the directly vulnerable component. Successful exploitation allows an attacker to read sensitive data from the underlying database; limited disruption to availability is also possible. No upstream fix has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available the moment a fix version is released.
HarborGuard Coverage
- Detection for CVE-2026-40771 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds including Patchstack, covering custom-built images that bundle the Contest Gallery plugin. Any image carrying Contest Gallery at version 28.1.6 or earlier is flagged automatically as new scan results arrive. (Status: Available)
- HarborGuard scores this CVE at its published CVSS 3.1 rating of 9.3 (Critical) and weights findings against each customer environment's compliance policy to prioritize routing. Triage results are routed to the appropriate team inbox within each customer organization based on configured ownership rules. (Status: Available)
- Because no fix version has been published upstream, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Wasiliy Strecker ships a remediated release. Until then, customers can apply compensating controls through HarborGuard's policy engine, such as network-policy isolation for affected workloads. (Status: Pending upstream)
Exploit Conditions
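The version-range check that the coverage text describes, as an added example that is not HarborGuard's own code: it reads the Version field from a WordPress plugin header (a constructed sample, not the real plugin file) and compares it numerically against the advisory's "<= 28.1.6" bound. Numeric comparison matters because a plain string comparison would rank 28.1.10 below 28.1.6 and mis-flag a later release; because no fixed version is published, the range has no upper bound. All function names are assumptions.

```python
import re
from typing import Optional, Tuple

# Constructed sample of the header comment WordPress reads from a plugin's
# main PHP file. Only the Version line matters to the check below.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Contest Gallery
 * Version: 28.1.6
 */
"""

# From the advisory: every release up to and including this one is affected.
AFFECTED_MAX_VERSION = "28.1.6"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '28.1.6' into (28, 1, 6); a non-numeric suffix such as 'rc1' is ignored."""
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group(0)) if match else 0)
    return tuple(parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like a classic comparator; pads so '28.1' == '28.1.0'."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def extract_plugin_version(header: str) -> Optional[str]:
    """Pull the value of the 'Version:' header line from plugin file text."""
    match = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header, re.MULTILINE)
    return match.group(1) if match else None


def is_affected(version: str, max_affected: str = AFFECTED_MAX_VERSION) -> bool:
    """True when version <= max_affected; no upper bound because no fix exists yet."""
    return compare_versions(version, max_affected) <= 0


def scan_plugin_header(header: str) -> dict:
    """Produce a finding record of the kind a scanner would emit per image."""
    version = extract_plugin_version(header)
    return {
        "plugin": "Contest Gallery",
        "version": version,
        "affected": version is not None and is_affected(version),
        "advisory": "CVE-2026-40771",
    }


if __name__ == "__main__":
    print(scan_plugin_header(SAMPLE_PLUGIN_HEADER))
    # The pitfall the numeric comparator avoids: as strings, "28.1.10" sorts before "28.1.6".
    print("string compare says affected:", "28.1.10" <= "28.1.6")
    print("numeric compare says affected:", is_affected("28.1.10"))
```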
- Network reachability: Required
The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via standard HTTP/HTTPS traffic.
- Authentication: Not required
No account or session credential of any kind is needed; the injection point is accessible to anonymous requests.
- Victim interaction: Not required
Exploitation is fully server-side and requires no action from any user or administrator of the target site.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or non-default configuration to succeed.
Blast Radius
- Reads arbitrary database rows, including stored user credentials, session tokens, and any customer or contest submission records held in the WordPress database.
- The changed-scope (S:C) rating means the attacker can access data beyond the plugin's own tables, reaching other data stored in the shared database instance.
- Limited availability impact allows an attacker to degrade or partially disrupt database responsiveness, affecting site operation.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix currently exists for CVE-2026-40771, HarborGuard monitors the Patchstack advisory feed on every ingest cycle and will trigger a patched-image rebuild automatically once Contest Gallery ships a remediated version. For customers who opt into auto-remediation, that rebuild will be followed by a regression-test run and a PR opened against affected workloads, with no manual intervention required. In the meantime, compensating controls are available through HarborGuard's policy engine: network-policy isolation can restrict external access to affected WordPress deployments, egress filtering can limit outbound data paths from compromised containers, and teams can use feature-flag or deployment-gate policies to block promotion of images carrying the affected plugin version into production until a fix is confirmed.
Affected Products
- Wasiliy Strecker / Contest Gallery: ≤ 28.1.6
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L