WordPress Plugin Vulnerabilities

Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe < 29.0.0 - Authenticated (Subscriber+) Sensitive Information Exposure

Description

The Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 28.1.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive user or configuration data.

Affects Plugins

Plugin icon
contest-gallery
Fixed in 29.0.0

References

CVE
CVE-2026-42660
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/a443e857-a915-4aa4-9879-1465d50544cc

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Jakub Herman
Verified
No
WPVDB ID
c9dd749e-4089-4276-a6cc-9ad7eca5f858

Timeline

Publicly Published
2026-04-29 (about 1 month ago)
Added
2026-05-04 (about 1 month ago)
Last Updated
2026-05-04 (about 1 month ago)

Other

Published
Title
Published
2026-01-06
Title
ShareThis Dashboard for Google Analytics <= 3.2.4 - Unauthenticated Google Analytics Data Exposure
Published
2023-10-04
Title
Booster for WooCommerce < 7.1.2 - Authenticated (Subscriber+) Information Disclosure via Shortcode
Published
2025-10-03
Title
GiveWP < 4.10.1 - Unauthenticated Forms and Campaigns Disclosure
Published
2024-04-05
Title
User Spam Remover < 1.1 - Unauthenticated Sensitive Information Exposure
Published
2025-12-12
Title
GenerateBlocks < 2.2.0 - Authenticated (Contributor+) Information Exposure via Metadata