CVE-2026-42680 (Severity: CRITICAL; CNA: Patchstack)

CVE-2026-42680: WordPress Contest Gallery Pro plugin <= 29.0.1 - Privilege Escalation vulnerability

Incorrect Privilege Assignment vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery Pro allows Privilege Escalation. This issue affects Contest Gallery Pro: from n/a through 29.0.1.

Metrics

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: no fix version published
Affected Products: 1


HarborGuard Analysis

Synopsis

A privilege escalation vulnerability affects the Contest Gallery Pro WordPress plugin at version 29.0.1 and below. It is reachable over the network with no authentication required and no user interaction needed, making it trivially exploitable by any remote attacker. Successful exploitation allows an attacker to elevate their account privileges and gain full read, write, and availability control over affected data and systems. No fix has been published yet; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection: Available

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds including Patchstack within minutes of publication and matched against container images in customer registries and CI/CD pipelines, including custom-built WordPress images that bundle Contest Gallery Pro. Coverage extends to any image layer containing the affected plugin files, regardless of how the image was assembled.

Triage: Available

HarborGuard is capable of scoring this finding at its full CVSS v3.1 severity of 9.8 (Critical) and surfacing it immediately to the appropriate team inboxes within each customer organization. Per-environment compliance policy weighting allows each organization to adjust prioritization thresholds and routing rules for critical-severity, no-auth-required vulnerabilities like this one.

Patch: Pending upstream

Because no upstream fix version has been published for this CVE, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers who opt into auto-remediation, a rebuilt image, a regression-test run, and a PR opened against affected workloads will be triggered automatically as soon as a fix version appears upstream.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the affected WordPress service over the network; no local access or physical proximity is required.

  • Authentication: Not required

    No account or credentials of any kind are needed to trigger the privilege escalation.

  • Victim interaction: Not required

    The attacker does not need to trick or involve any user; the exploit executes without any victim action.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory layout knowledge, or other environmental preconditions.

Blast Radius

  • An unauthenticated attacker gains elevated or administrative privileges on the WordPress installation, enabling full control over site content and settings.
  • With elevated privileges, the attacker reads sensitive stored data including user records, session tokens, and any private media or contest entries managed by the plugin.
  • The attacker can modify or delete persisted database rows, including user roles, plugin configuration, and uploaded contest content.
  • The attacker can disrupt site availability by altering core configuration or injecting content that renders the site inoperable.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-42680 at this time, HarborGuard monitors the Patchstack advisory and upstream plugin releases on every ingest cycle. The moment a patched version of Contest Gallery Pro is published, a rebuilt image becomes available and, for customers who opt into auto-remediation, the pipeline will automatically produce a rebuilt image, run regression tests, and open a PR against affected workloads.

In the interim, recommended compensating controls include applying network policy rules to restrict public access to WordPress admin and plugin endpoints, enabling a web application firewall rule targeting privilege-assignment request patterns, and considering temporary deactivation of the Contest Gallery Pro plugin if contest functionality is non-critical. Teams can use HarborGuard's policy editor to flag any image containing Contest Gallery Pro at or below version 29.0.1 as non-compliant and block it from promotion to production until a fix is confirmed.
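The version-policy check described above, as an added example that is neither HarborGuard's nor the plugin's own code: a Python scanner that reads the WordPress plugin header comment of each plugin under a plugins directory and flags Contest Gallery Pro at or below 29.0.1. The plugin directory slug and file layout in the fixture are constructed assumptions; only the plugin name and the 29.0.1 boundary come from the advisory.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_NAME = "Contest Gallery Pro"   # plugin name as given in the advisory
MAX_AFFECTED = "29.0.1"               # advisory: affected "through 29.0.1"
# Matches the "Plugin Name:" and "Version:" lines of a WordPress plugin header comment.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)

def parse_version(text):
    """'29.0.1' -> (29, 0, 1); a non-numeric component (e.g. 'beta') counts as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.strip().split("."))

def is_affected(version, max_affected=MAX_AFFECTED):
    """True when version <= max_affected, compared numerically (29.0.10 is NOT <= 29.0.1)."""
    a, b = parse_version(version), parse_version(max_affected)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) <= b + (0,) * (width - len(b))

def read_plugin_header(php_file):
    """Return header fields found in the first 8 KiB, the window WordPress itself reads."""
    head = php_file.read_text(errors="replace")[:8192]
    return dict(HEADER_RE.findall(head))

def find_vulnerable_plugins(plugins_root):
    """Scan <plugins_root>/<slug>/*.php and list (slug, version) for affected installs."""
    hits = []
    for php_file in sorted(Path(plugins_root).glob("*/*.php")):
        hdr = read_plugin_header(php_file)
        if hdr.get("Plugin Name") == PLUGIN_NAME and "Version" in hdr:
            if is_affected(hdr["Version"]):
                hits.append((php_file.parent.name, hdr["Version"]))
    return hits

def run_demo():
    """Constructed fixture: two plugin directories; the slug names are assumptions."""
    root = Path(tempfile.mkdtemp())
    fixtures = {
        "contest-gallery-pro/contest-gallery-pro.php": ("Contest Gallery Pro", "29.0.1"),
        "other-plugin/other-plugin.php": ("Other Plugin", "1.2.3"),  # unrelated, must not match
    }
    for rel, (name, ver) in fixtures.items():
        path = root / rel
        path.parent.mkdir(parents=True)
        path.write_text(f"<?php\n/**\n * Plugin Name: {name}\n * Version: {ver}\n */\n")
    return find_vulnerable_plugins(root)

if __name__ == "__main__":
    print(run_demo())  # [('contest-gallery-pro', '29.0.1')]
```

Point `find_vulnerable_plugins` at an extracted image layer's `wp-content/plugins` directory to use it as a CI gate.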

Affected packages
  • Wasiliy Strecker / ContestGallery developer / Contest Gallery Pro
    ≤ 29.0.1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H