Attack Vectors
CVE-2026-24964 is a Medium-severity (CVSS 6.4) Server-Side Request Forgery (SSRF) vulnerability affecting the WordPress plugin Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe (slug: contest-gallery) in versions <= 28.1.2.1.
The key risk factor is that exploitation requires only authenticated access—an attacker with a Subscriber account (or higher) can potentially trigger the website to make network requests on the attacker’s behalf. This matters for organizations that allow public account creation (for contests, voting, community submissions, or marketing campaigns), or where accounts are easy to obtain via compromised credentials.
Because the request originates from your web server (not the attacker’s device), SSRF can be used to reach destinations that are normally not exposed to the internet, such as internal services, admin panels, or cloud metadata endpoints, depending on how your environment is hosted and segmented.
Security Weakness
This issue is caused by insufficient controls over where the plugin allows the server to connect when processing certain user-influenced requests. In practical terms, the application can be coerced into sending web requests to arbitrary locations chosen by an authenticated user.
According to the published advisory, this SSRF condition can be used to query and modify information from internal services. The vulnerability is tracked as CVE-2026-24964, with additional detail available from the reporting source at Wordfence.
Remediation: Update Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe to version 28.1.2.2 or newer (patched version). If immediate updating is not possible, reduce exposure by limiting who can register/log in, reviewing Subscriber permissions, and monitoring unusual outbound connections from the web server.
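The weakness described above is a missing control over where the server is allowed to connect, and the interim mitigation asks for monitoring of unusual outbound connections. The following is an added example in Python (not code from the Contest Gallery plugin, from Wordfence, or from WordPress) showing both sides: a destination check that a server-side fetch helper would run before opening a connection, and a triage pass over outbound-connection logs that flags web-server processes reaching non-public addresses. The DNS table, the process names and the log lines are constructed for the demo, and the log line format is an assumption; in production the resolver would wrap socket.getaddrinfo.

```python
"""SSRF destination check and egress-log triage (added example, hypothetical code)."""
import ipaddress
from typing import Callable, Iterable, List
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Constructed for the demo: processes that serve the WordPress site.
WEB_PROCESSES = {"php-fpm", "apache2", "nginx"}


def is_public_ip(addr: str) -> bool:
    """True only for globally routable unicast addresses.

    Rejects loopback, RFC 1918, link-local (which covers the 169.254.169.254
    metadata address), unspecified, multicast and reserved space. IPv4-mapped
    IPv6 is unwrapped so ::ffff:127.0.0.1 cannot smuggle loopback past the check.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # not an IP literal at all; fail closed
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def validate_destination(url: str, resolve: Callable[[str], List[str]]) -> str:
    """Return the public IP literal the request may be sent to, or raise ValueError.

    `resolve` maps a hostname to all of its A/AAAA records. Every record must be
    public, and the caller should connect to the returned literal (sending the
    original Host header) so that a second lookup cannot rebind the name to an
    internal address. Redirects must be disabled or re-validated per hop.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        ipaddress.ip_address(host)
        candidates = [host]          # literal address: no DNS lookup needed
    except ValueError:
        candidates = resolve(host)   # hostname (or an odd form like a decimal IP)
    if not candidates:
        raise ValueError(f"could not resolve {host!r}")
    for addr in candidates:
        if not is_public_ip(addr):
            raise ValueError(f"{host!r} points at non-public address {addr}")
    return candidates[0]


# Constructed DNS table standing in for socket.getaddrinfo in the demo.
DEMO_DNS = {
    "example.com": ["93.184.216.34"],
    "intranet.example.test": ["10.0.3.7"],
    "rebind.example.test": ["93.184.216.34", "127.0.0.1"],  # one internal record
}


def demo_resolve(host: str) -> List[str]:
    return DEMO_DNS.get(host.lower(), [])


def is_allowed(url: str, resolve: Callable[[str], List[str]] = demo_resolve) -> bool:
    """Boolean wrapper around validate_destination for callers that only need a verdict."""
    try:
        validate_destination(url, resolve)
        return True
    except ValueError:
        return False


def flag_internal_egress(log_lines: Iterable[str]) -> List[str]:
    """Return log lines where a web-server process connected to a non-public address.

    Assumed (constructed) line format: '<iso-timestamp> <process> -> <ip>:<port>'.
    """
    flagged = []
    for line in log_lines:
        try:
            _ts, proc, _arrow, dest = line.split()
            ip = dest.rsplit(":", 1)[0].strip("[]")  # handles [::1]:80 as well
        except ValueError:
            continue  # malformed line; skip rather than guess
        if proc in WEB_PROCESSES and not is_public_ip(ip):
            flagged.append(line)
    return flagged


# Constructed sample egress log: one benign fetch, two internal reaches from PHP,
# and an internal connection from a non-web process that should not be flagged.
SAMPLE_EGRESS_LOG = [
    "2026-01-15T10:02:11Z php-fpm -> 93.184.216.34:443",
    "2026-01-15T10:02:13Z php-fpm -> 169.254.169.254:80",
    "2026-01-15T10:02:15Z php-fpm -> 10.0.3.7:8080",
    "2026-01-15T10:02:20Z cron -> 10.0.3.9:25",
]

if __name__ == "__main__":
    for url in ["https://example.com/vote.json", "http://127.0.0.1:8080/",
                "http://169.254.169.254/", "http://[::ffff:127.0.0.1]/",
                "http://intranet.example.test/", "http://rebind.example.test/",
                "ftp://example.com/", "http://2130706433/"]:
        print("allow" if is_allowed(url) else "block", url)
    for line in flag_internal_egress(SAMPLE_EGRESS_LOG):
        print("flag ", line)
```

The check deliberately fails closed: a hostname that does not resolve, an unparseable line, or any single internal record behind a public-looking name all result in a block or a flag. The same policy applies whatever language the fetch helper is written in; a PHP implementation would sit in front of the plugin's wp_remote_get or cURL call and apply the identical scheme, host and resolved-address rules.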
Technical or Business Impacts
For leadership and compliance teams, the core business concern with SSRF is that it can turn a “low-privilege” website account into a pathway toward internal data access or unauthorized internal actions, potentially increasing the blast radius beyond the public website. This can impact confidentiality and integrity (as reflected in the CVSS vector), even when the website itself appears to be functioning normally.
Potential business impacts include: exposure of internal endpoints or sensitive configuration data; manipulation of internal services reachable by the web server; increased likelihood of a broader security incident if SSRF is chained with other weaknesses; reputational damage during active marketing campaigns; and compliance implications if internal systems or customer-related data are indirectly accessed through the web application.
Similar attacks (real-world examples): SSRF has played a role in major incidents and high-profile vulnerability chains, including the Capital One cyber incident (2019) and the Microsoft Exchange “ProxyLogon” exploit chains, in which SSRF was a key step (as summarized by Microsoft).