{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24964", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:50:35.465Z", "datePublished": "2026-03-25T16:14:33.077Z", "dateUpdated": "2026-03-26T20:15:37.741Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "contest-gallery", "product": "Contest Gallery", "vendor": "Wasiliy Strecker / ContestGallery developer", "versions": [{"changes": [{"at": "28.1.2.2", "status": "unaffected"}], "lessThanOrEqual": "<= 28.1.2.1", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "lilmingwa13 | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:14.285Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Server-Side Request Forgery (SSRF) vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery allows Server Side Request Forgery.<p>This issue affects Contest Gallery: from n/a through <= 28.1.2.1.</p>"}], "value": "Server-Side Request Forgery (SSRF) vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery allows Server Side Request Forgery.This issue affects Contest Gallery: from n/a through <= 28.1.2.1."}], "impacts": [{"capecId": "CAPEC-664", "descriptions": [{"lang": "en", "value": "Server Side Request Forgery"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:33.077Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/contest-gallery/vulnerability/wordpress-contest-gallery-plugin-28-1-2-1-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"}], "title": "WordPress Contest Gallery plugin <= 28.1.2.1 - Server Side Request Forgery (SSRF) vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T20:14:33.369452Z", "id": "CVE-2026-24964", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T20:15:37.741Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-24964", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T20:14:33.369452Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T20:14:16.115Z"}}], "cna": {"title": "WordPress Contest Gallery plugin <= 28.1.2.1 - Server Side Request Forgery (SSRF) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "lilmingwa13 | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-664", "descriptions": [{"lang": "en", "value": "Server Side Request Forgery"}]}], "affected": [{"vendor": "Wasiliy Strecker / ContestGallery developer", "product": "Contest Gallery", "versions": [{"status": "affected", "changes": [{"at": "28.1.2.2", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 28.1.2.1"}], "packageName": "contest-gallery", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:14.285Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/contest-gallery/vulnerability/wordpress-contest-gallery-plugin-28-1-2-1-server-side-request-forgery-ssrf-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery (SSRF) vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery allows Server Side Request Forgery.This issue affects Contest Gallery: from n/a through <= 28.1.2.1.", "supportingMedia": [{"type": "text/html", "value": "Server-Side Request Forgery (SSRF) vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery allows Server Side Request Forgery.<p>This issue affects Contest Gallery: from n/a through <= 28.1.2.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:33.077Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24964", "state": "PUBLISHED", "dateUpdated": "2026-03-26T20:15:37.741Z", "dateReserved": "2026-01-28T09:50:35.465Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:33.077Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery (SSRF) vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery allows Server Side Request Forgery.This issue affects Contest Gallery: from n/a through <= 28.1.2.1."}, {"lang": "es", "value": "Vulnerabilidad de falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF) en Wasiliy Strecker / desarrollador de ContestGallery Contest Gallery contest-gallery permite la falsificaci\u00f3n de petici\u00f3n del lado del servidor. Este problema afecta a Contest Gallery: desde n/a hasta &lt;= 28.1.2.1."}], "id": "CVE-2026-24964", "lastModified": "2026-03-26T21:17:03.870", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:38.523", "references": [{"source": "[email protected]", "url": "https://patchstack.com/database/Wordpress/Plugin/contest-gallery/vulnerability/wordpress-contest-gallery-plugin-28-1-2-1-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "[email protected]", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,28.1.2.1]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "28.1.2.2"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Contest Gallery", "source": "cna", "vendor": "Wasiliy Strecker / ContestGallery developer"}, "product": "contest_gallery", "vendor": "wasiliy_strecker_/_contestgallery_developer"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-26T22:54:26.996412+00:00", "value": {"mitigation_remediation": ["Update Contest Gallery plugin to a version newer than 28.1.2.1", "Restrict WordPress server outbound traffic to known external endpoints, blocking unknown requests", "Disable or limit the plugin features that trigger SSRF if an update is not available", "Monitor plugin activity and review logs for abnormal outbound connections", "Ensure internal resources are not reachable from the public internet"], "summary": {"action": "Apply Patch", "impact": "Server\u2011Side Request Forgery"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Contest Gallery plugin developed by Wasiliy Strecker. Any WordPress site running versions from the first public release through 28.1.2.1 is potentially impacted. No further sub\u2011version details are provided, so all releases up to and including 28.1.2.1 should be considered exposed.", "description_and_impact": "The Contest Gallery WordPress plugin contains a Server\u2011Side Request Forgery flaw that allows an attacker to make the plugin issue HTTP requests to arbitrary URLs. This weakness can enable the attacker to reach internal systems or services that should not be exposed to the public, potentially disclosing confidential data or facilitating further attacks. Based on the description, it is inferred that the attacker could use the plugin as a proxy to access otherwise unreachable resources. The flaw is classified as CWE\u2011918.", "risk_and_exploitability": "The CVSS score of 6.4 indicates medium severity, and the EPSS score of less than 1% suggests a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers would need the ability to trigger the plugin, likely through a specific endpoint, which may require authenticated access or could be exposed publicly; this is inferred from typical SSRF vectors. While the risk is moderate, any exposure to sensitive internal resources should be mitigated promptly."}}}}, "created": "2026-03-25T21:34:42.013086+00:00", "updated": "2026-03-27T09:46:24.007869+00:00", "vendors": ["wasiliy_strecker_/_contestgallery_developer", "wasiliy_strecker_/_contestgallery_developer$PRODUCT$contest_gallery", "wordpress", "wordpress$PRODUCT$wordpress"]}