CSV Injection Vulnerability in Contest Gallery Plugin for WordPress
CVE-2025-11254

4.3 MEDIUM

What is CVE-2025-11254?

The Contest Gallery plugin for WordPress allows unauthenticated attackers to exploit a CSV Injection vulnerability present in all versions up to and including 27.0.3. This issue arises from the handling of gallery submissions, where untrusted input can be embedded into exported CSV files. If these files are subsequently downloaded and opened on a local system that is improperly configured, it could lead to unauthorized code execution, posing significant risks to user data and system security.
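One way to neutralise formula cells at export time, shown beside an unhardened export. This is an added example, not Contest Gallery's code or its patch; the function names, column names and sample rows are constructed for illustration.

```php
<?php
// Added example: CSV export with and without formula neutralisation.
// Characters that make a spreadsheet evaluate a cell instead of displaying it.
const FORMULA_TRIGGERS = ['=', '+', '-', '@', "\t", "\r"];

// Prefix a single quote so the spreadsheet renders the cell as text.
// Trade-off: legitimate values such as "-5" are prefixed too.
function neutralise_cell($value): string
{
    $value = (string) $value;
    // Also inspect the first non-whitespace character, because leading
    // spaces may be trimmed before the cell is evaluated.
    $trimmed = ltrim($value);
    if ($trimmed === '') {
        return $value;
    }
    if (in_array($value[0], FORMULA_TRIGGERS, true)
        || in_array($trimmed[0], FORMULA_TRIGGERS, true)) {
        return "'" . $value;
    }
    return $value;
}

// Write rows to an in-memory CSV; $harden toggles the neutralisation step.
function export_rows(array $rows, bool $harden): string
{
    $out = fopen('php://memory', 'w+');
    foreach ($rows as $row) {
        if ($harden) {
            $row = array_map('neutralise_cell', $row);
        }
        // Empty escape character (PHP 7.4+) gives RFC 4180 quote doubling.
        fputcsv($out, $row, ',', '"', '');
    }
    rewind($out);
    $csv = stream_get_contents($out);
    fclose($out);
    return $csv;
}

// Constructed gallery submissions; row 2 carries formula-leading input.
$rows = [
    ['entry_id', 'title', 'comment'],
    [1, 'Sunset', 'Taken in June'],
    [2, '=SUM(1,1)', '  @constructed'],
];

echo "Unhardened export:\n", export_rows($rows, false);
echo "Hardened export:\n", export_rows($rows, true);
```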

Affected Version(s)

Contest Gallery – Upload, Vote & Sell with PayPal and Stripe * <= 27.0.3

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Aurélien BOURDOIS