Stored Cross-Site Scripting Vulnerability in Contest Gallery Plugin for WordPress
CVE-2025-3862

5.4MEDIUM

Key Information:

Vendor: WordPress
Status: Photos, Files, Youtube, Twitter, Instagram, Tiktok, Ecommerce Contest Gallery – Upload, Vote, Sell Via Paypal Or Stripe, Social Share Buttons
Vendor: CVE Published:; 8 May 2025

What is CVE-2025-3862?

The Contest Gallery plugin for WordPress is susceptible to Stored Cross-Site Scripting (XSS) attacks through the 'id' parameter across all versions up to and including 26.0.6. This vulnerability arises due to inadequate input sanitization and output escaping, permitting authenticated attackers with Contributor-level access or higher to inject malicious scripts. Such scripts can execute on pages when accessed by users, compromising the integrity and safety of the affected WordPress sites.

Affected Version(s)

Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons * <= 26.0.6

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://www.contest-gallery.com/documentation/

https://plugins.trac.wordpress.org/browser/contest-galler...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 8, 2025
Vulnerability Reserved
Apr 21, 2025

Credit

Matthew Rollings