CSV Injection Vulnerability in Contest Gallery Plugin for WordPress
CVE-2025-11254
4.3 MEDIUM
Key Information:
- Vendor: WordPress
- CVE Published: 11 October 2025
What is CVE-2025-11254?
The Contest Gallery plugin for WordPress allows unauthenticated attackers to exploit a CSV Injection vulnerability present in all versions up to and including 27.0.3. This issue arises from the handling of gallery submissions, where untrusted input can be embedded into exported CSV files. If these files are subsequently downloaded and opened on a local system that is improperly configured, it could lead to unauthorized code execution, posing significant risks to user data and system security.
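One way an export routine can neutralise the untrusted submission fields described above before they reach a CSV file. This is an added example, not code from the Contest Gallery plugin or from the original page; the function names `neutralize_csv_cell` and `export_rows_to_csv`, the column names and the sample rows are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Leading characters that make spreadsheet applications treat a cell as a formula.
const FORMULA_TRIGGERS = ['=', '+', '-', '@', "\t", "\r"];

// Hypothetical helper: neutralise one cell value before it is written to a CSV export.
function neutralize_csv_cell(string $value): string
{
    // Conservative choice: also catch a trigger placed behind leading spaces.
    $probe = ltrim($value, ' ');
    if ($probe !== '' && in_array($probe[0], FORMULA_TRIGGERS, true)) {
        // A leading apostrophe makes the spreadsheet show the cell as text.
        // Trade-off: legitimate values such as "-5" are exported as text too.
        return "'" . $value;
    }
    return $value;
}

// Hypothetical helper: build the CSV in memory from rows of untrusted values.
function export_rows_to_csv(array $rows): string
{
    $fh = fopen('php://memory', 'w+');
    foreach ($rows as $row) {
        $safe = array_map(
            static fn ($cell): string => neutralize_csv_cell((string) $cell),
            $row
        );
        // fputcsv handles delimiter and quote escaping; it does not stop
        // formula evaluation, which is why the cells are neutralised first.
        fputcsv($fh, $safe, ',', '"', '\\');
    }
    rewind($fh);
    $csv = stream_get_contents($fh);
    fclose($fh);
    return $csv;
}

// Constructed sample rows standing in for gallery submissions.
$submissions = [
    ['entry_id', 'name', 'comment'],
    [1, 'Alice', 'Sunset over the lake'],
    [2, '=1+1', 'name field starts with a formula trigger'],
    [3, 'Bob', '  @handle, with "quotes"'],
    [4, 'Carol', '-5'],
];
echo export_rows_to_csv($submissions);
```

Applying the check at export time covers values that were stored before any input validation existed.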
Affected Version(s)
Contest Gallery – Upload, Vote & Sell with PayPal and Stripe * <= 27.0.3
CVSS V3.1
- Score: 4.3
- Severity: MEDIUM
- Confidentiality: None
- Integrity: Low
- Availability: None
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Aurélien BOURDOIS