https://feed.craftedsignal.io/tags/cve-2026-4021/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 24 Mar 2026 00:16:31 +0000https://feed.craftedsignal.io/briefs/2026-03-contest-gallery-auth-bypass/Tue, 24 Mar 2026 00:16:31 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-contest-gallery-auth-bypass/CVE-2026-4021 describes an authentication bypass vulnerability in the Contest Gallery plugin for WordPress, allowing unauthenticated attackers to gain admin access by manipulating the user activation key and using an AJAX login endpoint.The Contest Gallery plugin for WordPress, versions up to and including 28.1.5, is vulnerable to a critical authentication bypass (CVE-2026-4021). This vulnerability stems from how the users-registry-check-after-email-or-pin-confirmation.php script handles email confirmations, combined with an unauthenticated key-based login endpoint in ajax-functions-frontend.php. If the RegMailOptional=1 setting is enabled (non-default), an attacker can register a new user account with a specially…

]]>criticaladvisorywordpressauthentication-bypassplugin-vulnerabilitycve-2026-4021