WordPress Plugin Vulnerabilities

Contest Gallery < 21.2.9 - Cross-Site Request Forgery

Description

The Contest Gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 21.2.8.4. This is due to missing or incorrect nonce validation in the prev10/prev10-admin/gallery/gallery.php file. This makes it possible for unauthenticated attackers to render galleries via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
contest-gallery
Fixed in 21.2.9

References

CVE
CVE-2024-24887
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/e4ed8c6e-5f80-4360-9478-fff49b1fee94

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Dhabaleshwar Das
Verified
No
WPVDB ID
a8498577-2c26-4a67-86a8-29018c7f4c37

Timeline

Publicly Published
2024-02-05 (about 2 years ago)
Added
2024-02-08 (about 2 years ago)
Last Updated
2024-02-08 (about 2 years ago)

Other

Published
Title
Published
2025-07-20
Title
Shortcodes Ultimate < 7.4.3 - Arbitrary Shortcode Execution via CSRF
Published
2025-09-10
Title
Analytics Reduce Bounce Rate <= 2.3 - Cross-Site Request Forgery
Published
2022-06-01
Title
Add Post URL <= 2.1.0 - Arbitrary Settings Update to Stored XSS via CSRF
Published
2023-06-19
Title
Extra User Details < 0.5.1 - Settings Update to Stored XSS via CSRF
Published
2025-08-12
Title
OceanWP 4.0.9 - 4.1.1 - Ocean Extra Plugin Installation via CSRF