{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-4021/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","authentication-bypass","plugin-vulnerability","cve-2026-4021"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Contest Gallery plugin for WordPress, versions up to and including 28.1.5, is vulnerable to a critical authentication bypass (CVE-2026-4021). This vulnerability stems from how the \u003ccode\u003eusers-registry-check-after-email-or-pin-confirmation.php\u003c/code\u003e script handles email confirmations, combined with an unauthenticated key-based login endpoint in \u003ccode\u003eajax-functions-frontend.php\u003c/code\u003e. If the \u003ccode\u003eRegMailOptional=1\u003c/code\u003e setting is enabled (non-default), an attacker can register a new user account with a specially…\u003c/p\u003e\n","date_modified":"2026-03-24T00:16:31Z","date_published":"2026-03-24T00:16:31Z","id":"/briefs/2026-03-contest-gallery-auth-bypass/","summary":"CVE-2026-4021 describes an authentication bypass vulnerability in the Contest Gallery plugin for WordPress, allowing unauthenticated attackers to gain admin access by manipulating the user activation key and using an AJAX login endpoint.","title":"Contest Gallery WordPress Plugin Authentication Bypass Vulnerability (CVE-2026-4021)","url":"https://feed.craftedsignal.io/briefs/2026-03-contest-gallery-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-4021","version":"https://jsonfeed.org/version/1.1"}