Contest Gallery WordPress Plugin Authenticated Privilege Escalation to Administrator (CVE-2026-12165)
Scope: Contest Gallery WordPress Plugin, all versions up to and including 30.0.2
Severity: High
A privilege escalation vulnerability (CVSS 8.8) in the Contest Gallery WordPress plugin stems from improper access control and insufficient validation of the RegistryUserRole parameter. Any authenticated user with Author-level access or higher can retrieve a valid administrative nonce and use it to set the default role assigned to new Google Sign-In registrations to Administrator. The attacker then registers a new account through Google Sign-In and receives full WordPress Administrator privileges, enabling complete site takeover: installation of backdoored plugins, content defacement, manipulation of user accounts, and a potential springboard for deeper server compromise. Note that the nonce check alone does not prevent this, because a nonce protects against cross-site request forgery and is not a substitute for a capability check on the calling user. Administrators must update to version 30.0.3 immediately. Where patching is not immediately possible, either disable the plugin entirely or restrict Google Sign-In registration to trusted groups only. In all cases, audit the WordPress user database for any unexpected administrator accounts and confirm that the plugin's default registration role is no longer set to Administrator, since an attacker may have changed it before the update was applied.
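The following is an added illustrative example, not code from the Contest Gallery plugin or from CERT.UG/CC. It shows the general pattern behind this class of flaw in a WordPress settings handler: a nonce check on its own, versus a capability check combined with an allowlist of roles. All function, option and action names (cg_example_*) are hypothetical; only RegistryUserRole is taken from the advisory.

```php
<?php
// Illustrative example (not the plugin's code). Function, option and
// action names are hypothetical; RegistryUserRole is the parameter
// named in the advisory.

// BEFORE: nonce check only. A nonce proves the request came from a page
// the user legitimately loaded; it says nothing about whether that user
// is allowed to change site settings. Any logged-in user who can obtain
// the nonce can reach this code and store any role, including
// 'administrator'.
function cg_example_save_registry_role_vulnerable() {
    check_ajax_referer( 'cg_example_settings', 'nonce' );

    $role = isset( $_POST['RegistryUserRole'] )
        ? sanitize_text_field( wp_unslash( $_POST['RegistryUserRole'] ) )
        : 'subscriber';

    // No capability check and no allowlist: the raw role string is stored.
    update_option( 'cg_example_registry_user_role', $role );
    wp_send_json_success();
}

// AFTER: authorization first, CSRF protection second, strict validation third.
function cg_example_save_registry_role_hardened() {
    // 1. Authorization: only users who may manage site options proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 2. CSRF protection: still required, but it is not authorization.
    check_ajax_referer( 'cg_example_settings', 'nonce' );

    // 3. Input validation: a self-registration default should never be a
    //    privileged role, so accept only an explicit allowlist.
    $allowed = array( 'subscriber', 'contributor' );
    $role    = isset( $_POST['RegistryUserRole'] )
        ? sanitize_key( wp_unslash( $_POST['RegistryUserRole'] ) )
        : 'subscriber';

    if ( ! in_array( $role, $allowed, true ) ) {
        wp_send_json_error( 'invalid role', 400 );
    }

    update_option( 'cg_example_registry_user_role', $role );
    wp_send_json_success();
}

// Defense in depth: validate the stored value again where it is consumed,
// so a value poisoned before the fix cannot still grant Administrator.
function cg_example_default_role_for_new_user() {
    $allowed = array( 'subscriber', 'contributor' );
    $stored  = get_option( 'cg_example_registry_user_role', 'subscriber' );
    return in_array( $stored, $allowed, true ) ? $stored : 'subscriber';
}

add_action( 'wp_ajax_cg_example_save_registry_role', 'cg_example_save_registry_role_hardened' );
```

The ordering matters: the capability check runs before the nonce check so that an unauthorized caller is rejected regardless of whether they hold a valid nonce, and the consumer-side check means that even a setting already poisoned before patching cannot produce an Administrator account. When auditing a site, the check a practitioner wants is the same one the last function performs: read the stored default-role setting and verify it is not a privileged role.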
The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.