CVE-2024-11103: 
WordPress vulnerability analysis and mitigation

The Contest Gallery plugin for WordPress contains a critical privilege escalation vulnerability (CVE-2024-11103) affecting all versions up to and including 24.0.7. The vulnerability was disclosed on November 28, 2024, and received a CVSS v3.1 base score of 9.8 (Critical) (NVD).

The vulnerability stems from improper user identity validation during password update operations. The security flaw is classified as CWE-640 (Weak Password Recovery Mechanism for Forgotten Password). With a CVSS v3.1 vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, the vulnerability indicates network accessibility, low attack complexity, no privileges required, and no user interaction needed for exploitation (NVD).

The vulnerability allows unauthenticated attackers to change passwords for arbitrary users, including administrators. This capability can be leveraged to gain unauthorized access to user accounts, potentially leading to complete site compromise through administrator account takeover (NVD).

Users should immediately update the Contest Gallery plugin to version 24.0.8 or later, which contains the security fix for this vulnerability (Wordfence).