CVE-2025-3862

Medium CVSS: 6.4

Contest Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 26.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Vendor

Contest-gallery

Product

Contest Gallery

CWE

CWE-79

Yayın Tarihi

2025-05-08 12:15:18

Güncelleme

2025-06-04 22:57:04

Source Identifier

security@wordfence.com

KEV Date Added

Kategoriler

CWE-79 Contest Gallery MEDIUM Contest-gallery 2025

Referanslar

https://plugins.trac.wordpress.org/browser/contest-gallery/tags/26.0.5/shortcodes/cg_entry_on_off.php#L20 https://plugins.trac.wordpress.org/browser/contest-gallery/tags/26.0.7/shortcodes/cg_entry_on_off.php#L20 https://plugins.trac.wordpress.org/changeset/3288915 https://wordpress.org/plugins/contest-gallery/#developers https://www.contest-gallery.com/documentation/ https://www.wordfence.com/threat-intel/vulnerabilities/id/a1b043a1-7bee-4ef0-86d9-19cf202cfc71?source=cve

Benzer Kayıtlar

High

CVE-2025-1513

The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal or Str…

High

CVE-2025-22693

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Wasiliy Strecker /…

Medium

CVE-2024-56237

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Wasiliy Strecker /…